SSL – the encryption of communications using digital certificates – is a fundamental building block on the Internet to enable trusted transactions. If your organization currently uses Internal Domain Names and you secure these sites with SSL certificates from a public Certification Authority (CA), then you will need to make some significant changes to your network infrastructure in the very near future.
What is an Internal Domain Name?
An Internal Domain Name is defined as a host name that is not globally unique within the public DNS because it does not end in a Top Level Domain (TLD) in IANA’s Root Zone Database. For example, many organizations use the Internal Domain Name “mail” to identify their mail server. Unlike a unique name such as www.example.com, the name “mail” can be used by multiple enterprises and can’t be authenticated to a unique user by the issuer of a digital certificate. This creates a potential for impersonation by a hacker.
OK, So What Exactly Is Happening?
Under the rules adopted by the CA/Browser Forum (CABF) in 2011, many Certification Authorities (CAs) will be prevented from issuing publicly trusted Internal Domain Name certificates on or after November 1, 2014. The reason for this deadline is that most CAs don’t issue certificates with a validity period of less than one year, and any newly public CA-issued Internal Domain Name certificates must expire under CABF rules by November 1, 2015. Furthermore, if for some reason a multi-year Internal Domain Name certificate has already been issued and expires after October 1, 2016, it must be revoked by that date.
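As an added example (not code from the original post or from Trend Micro), the following Python script applies the definition of an Internal Domain Name given above to the Subject Alternative Names in a certificate, and then works out the last day that certificate can actually be relied on under the CABF dates quoted in this section. The TLD set is a constructed, deliberately small subset of IANA’s Root Zone Database, and the certificate names and dates in the sample run are constructed; a real audit would load the complete IANA TLD list and read the names and notAfter date out of each certificate in your inventory.

```python
from datetime import date

# Constructed subset of the TLDs in IANA's Root Zone Database (an assumption
# made for this example); a real audit would load the complete published list.
IANA_TLDS = {"com", "net", "org", "edu", "gov", "mil", "uk", "de", "jp", "info"}

# Dates the article quotes for the CA/Browser Forum rules.
ISSUANCE_CUTOFF = date(2014, 11, 1)    # most public CAs stop issuing these certs
EXPIRY_CUTOFF = date(2015, 11, 1)      # newly issued internal-name certs expire by here
REVOCATION_CUTOFF = date(2016, 10, 1)  # certs living past this date get revoked by it


def is_internal_name(hostname):
    """True when the name is not globally unique in the public DNS: a single
    label such as "mail", or a name whose last label is not an IANA TLD such as
    "intranet.corp". A leading wildcard label is ignored for the decision."""
    labels = hostname.strip().rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    if len(labels) < 2 or not all(labels):
        return True                      # "mail", "*.mail", "" or "a..b"
    return labels[-1] not in IANA_TLDS


def audit_certificate(san_names, not_after, today):
    """Classify each Subject Alternative Name and compute the last day the
    certificate is usable under the rules above. Dates are ISO "YYYY-MM-DD"."""
    not_after_d = date.fromisoformat(not_after)
    today_d = date.fromisoformat(today)
    internal = [n for n in san_names if is_internal_name(n)]
    public = [n for n in san_names if not is_internal_name(n)]
    effective_end = not_after_d
    reasons = []
    if internal:
        if not_after_d > REVOCATION_CUTOFF:
            # A multi-year certificate outliving the revocation cutoff is revoked on it.
            effective_end = REVOCATION_CUTOFF
            reasons.append(f"expires after {REVOCATION_CUTOFF}; the CA must revoke it by then")
        if today_d < EXPIRY_CUTOFF:
            reasons.append(f"any replacement from a public CA must expire by {EXPIRY_CUTOFF}")
        else:
            reasons.append("no public CA can issue a replacement for these names")
    return {
        "internal_names": internal,
        "public_names": public,
        "effective_end": effective_end.isoformat(),
        "days_remaining": (effective_end - today_d).days,
        "needs_action": bool(internal),
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample: a multi-year certificate mixing internal and public names.
    report = audit_certificate(
        ["mail", "intranet.corp", "mail.myorganizationdomain.com", "www.example.com"],
        not_after="2017-01-15", today="2014-06-01")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report flags "mail" and "intranet.corp" as Internal Domain Names, accepts "mail.myorganizationdomain.com" and "www.example.com" as public, and shortens the usable life of the certificate from its nominal January 2017 expiry to October 1, 2016, the revocation cutoff. Running this over every certificate your organization holds gives you a list of the sites that need one of the fixes discussed below, ordered by how much runway each one has left.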
Whose Bright Idea Was This?
The reason this is being done is to make SSL safer. Today, if you are using an Internal Domain Name like “mail” with an SSL certificate issued from a public CA like Trend Micro, then you are vulnerable to a special type of Man-In-The-Middle (MITM) attack. In a certain scenario, a hacker could get the same certificate for “mail” from the same or another public CA and, after penetrating your network, use the duplicate certificate to read your encrypted information.
That sounds pretty obscure. Do we really need to worry about this scenario?
Yes, these attacks are being initiated today. For example, corporate guest wi-fi networks are particularly vulnerable because these networks are more likely to be set up using Internal Domain Names.
OK, So What Do I Need to Do to Fix the Problem?
There are several ways to fix this problem, and at least one way to give you more runway to fix this issue.
As stated earlier, most CAs will not issue these certificates past November 1, 2014 because the shortest validity period they issue is for one year. In contrast, Trend Micro will issue these certificates up until the very last day. But remember that the final expiration date for these certificates from Trend Micro will be November 1, 2015, even if the certificate is issued on October 31, 2015. This is not a long-term fix, but it may give you extra time to implement the best long-term fix for your organization.
Perhaps the best way to address this issue is to simply change your Internal Domain Name to a publicly registered, unique domain name owned by you. For example, if your current domain name is “mail” then you could change it to “mail.myorganizationdomain.com.” As long as the name you choose ends in a domain you control, then the site will be unique on the Internet and no one else can get a certificate for that domain.
Running your own internal CA used to be a more popular option in the past, but most organizations have learned that setting up even a “free” Microsoft CA is expensive and time consuming. However, if you already have one, then you can use it to issue your own replacement certificate.
Of course you can issue and use your own self-signed certificates, but your site will then give users an “untrusted issuer” warning because the certificate did not come from a trusted CA. This may or may not be something you are comfortable with doing.
Another option would be to attempt to buy the domain “myorganizationdomain.mail” if someone has already registered the “mail” TLD – but this is not much different than option 2 above using domain names you already own.
An extreme option is to buy the Internal Domain Name that you are currently using as your own TLD. For example, you could pay a lot of money to ICANN to register the domain “mail,” if it has not already been registered. But this most likely will only solve the problem for one site at a time.
Both of these related options have their limitations, but option 2 above would be easier and cheaper.
The fix is up to you, but don’t wait
It’s time to get to work on this issue if the upcoming change to the use of Internal Domain Names affects you – but don’t wait past November 1, 2014 to get a game plan together, because you could find yourself in an uncomfortable situation.
If you have any questions, please contact me at my email address: firstname.lastname@example.org.
Chris Bailey’s Bio:
Chris Bailey is general manager for Deep Security for Web Apps at Trend Micro. Previously Bailey served as the CEO and co-founder of certification authority AffirmTrust, which was acquired by Trend Micro in 2011, and as co-founder and CTO of GeoTrust, a major world Certification Authority acquired by VeriSign in 2006.