Skip to main content
banner image
venafi logo

gTLD Security Woes – the Breakdown of Trust

gTLD Security Woes – the Breakdown of Trust

generic_blog_banner_image
April 5, 2013 | Gavin Hill

The recent news about the looming generic top-level domain (gTLDs) names that the Internet Corporation for Assigned Names and Numbers (ICANN) is adding has sparked mixed emotions. Dot-anything domain extensions are already being auctioned off and should be seen as early as April 23, 2013. Despite growing contention from organizations such as the CA Security Council, it seems evident that gTLDs like “.local”, “.corp”, “.internal” to name a few will probably come to pass.

There are two areas of controversy related to the proposed gTLDs that directly impact each other. The first is the impact on security, while the second is the time organizations have to respond to the new gTLDs. Organizations face instrumental challenges nowadays to reduce their threat surface, and respond to targeted attacks related to the breakdown in trust asset management like keys and certificates. Sadly many are failing, the addition of gTLDs only helps them fail faster at poor key and certificate management.

Security - the Man-in-the-Middle:

One concern over the gTLDs is with regard to a domain like “.corp” or “.local” for example. Many organizations have used these domains for internal domains. It would be very easy for an attacker to spoof one of these internal domains for an internal company website, and redirecting employee traffic to a malicious website. On a public internet connection, instead of an employee going to intranet.corp, they could very easily be sending sensitive authentication information to unknown sources that have registered wildcard “.corp” TLDs.

Man-in-the-middle attacks are nothing new. It is fairly easy for an attacker to redirect traffic via DNS to a fake website with a fraudulent certificate. The big concern over gTLDs is based on the fact that a large percentage of organizations do use generic top-level domain names internally. By ICANN making these gTLDs available for purchase it causes a duplication issue. There will be collisions on the internet from conflicting certificates issued to the same gTLDs by certificate authorities (CAs) who have issued short name certificates to organizations using these generic domain names.

For a long time CAs have been issuing short name certificates to organizations for internal use for non-fully qualified domain names. The massive risk of the new gTLDs is that an attacker can apply for a certificate from a CA for a gTLD before it is approved by ICANN. Once ICANN approves the gTLD, the attacker has a legitimate certificate to go about performing man-in-the-middle attacks.

Time is not on your side:

ICANN already started accepting applications in 2012, and expects registry agreements as soon as April 23, 2013.

The implications of the new gTLDs results in organizations having to change their internal organizational structure where they no longer use non-fully qualified domain names like “intranet.corp” to fully qualified domain names like intranet.company.com. This is no small task and can take years to fully execute.

Short name certificates that have already been issued need to be deprecated. CAs have been requested to stop issuing such certificates by Nov 1, 2015. Organizations need to move quickly to plug the security gap before it becomes an issue. One of the fastest ways would be to block the names from resolving. However this will result in unexpected behavior on corporate networks, which in tail will result in increased costs and potential downtime.

The gTLD saga once again highlights the fact that a large percentage of organizations do not know how many certificates they have.

Confirmed by the Ponemon Institute, fifty one percent of global 2000 organizations do not know how many keys and certificates are in use within their organizations. When you take into account that organizations need to understand how many short name certificates are in use within the network to close the security gap of new gTLDs, time is very short indeed.

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

shutter

3 Steps that Stop the Speed of DevOps from Introducing Security Risk

How to Remediate: DROWN Attack – OpenSSL HTTPS Websites are at Risk – Are You?

How to Remediate: DROWN Attack – OpenSSL HTTPS Websites are at Risk – Are You?

generic_blog_banner_image

Venafi at RSA 2016: Breaking Closed Systems with Code Signing

About the author

get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat