The recent news about the looming generic top-level domain (gTLDs) names that the Internet Corporation for Assigned Names and Numbers (ICANN) is adding has sparked mixed emotions. Dot-anything domain extensions are already being auctioned off and should be seen as early as April 23, 2013. Despite growing contention from organizations such as the CA Security Council, it seems evident that gTLDs like “.local”, “.corp”, “.internal” to name a few will probably come to pass.
There are two areas of controversy related to the proposed gTLDs that directly impact each other. The first is the impact on security, while the second is the time organizations have to respond to the new gTLDs. Organizations face instrumental challenges nowadays to reduce their threat surface, and respond to targeted attacks related to the breakdown in trust asset management like keys and certificates. Sadly many are failing, the addition of gTLDs only helps them fail faster at poor key and certificate management.
Security - the Man-in-the-Middle:
One concern over the gTLDs is with regard to a domain like “.corp” or “.local” for example. Many organizations have used these domains for internal domains. It would be very easy for an attacker to spoof one of these internal domains for an internal company website, and redirecting employee traffic to a malicious website. On a public internet connection, instead of an employee going to intranet.corp, they could very easily be sending sensitive authentication information to unknown sources that have registered wildcard “.corp” TLDs.
Man-in-the-middle attacks are nothing new. It is fairly easy for an attacker to redirect traffic via DNS to a fake website with a fraudulent certificate. The big concern over gTLDs is based on the fact that a large percentage of organizations do use generic top-level domain names internally. By ICANN making these gTLDs available for purchase it causes a duplication issue. There will be collisions on the internet from conflicting certificates issued to the same gTLDs by certificate authorities (CAs) who have issued short name certificates to organizations using these generic domain names.
For a long time CAs have been issuing short name certificates to organizations for internal use for non-fully qualified domain names. The massive risk of the new gTLDs is that an attacker can apply for a certificate from a CA for a gTLD before it is approved by ICANN. Once ICANN approves the gTLD, the attacker has a legitimate certificate to go about performing man-in-the-middle attacks.
Time is not on your side:
ICANN already started accepting applications in 2012, and expects registry agreements as soon as April 23, 2013.
The implications of the new gTLDs results in organizations having to change their internal organizational structure where they no longer use non-fully qualified domain names like “intranet.corp” to fully qualified domain names like intranet.company.com. This is no small task and can take years to fully execute.
Short name certificates that have already been issued need to be deprecated. CAs have been requested to stop issuing such certificates by Nov 1, 2015. Organizations need to move quickly to plug the security gap before it becomes an issue. One of the fastest ways would be to block the names from resolving. However this will result in unexpected behavior on corporate networks, which in tail will result in increased costs and potential downtime.
The gTLD saga once again highlights the fact that a large percentage of organizations do not know how many certificates they have.
Confirmed by the Ponemon Institute, fifty one percent of global 2000 organizations do not know how many keys and certificates are in use within their organizations. When you take into account that organizations need to understand how many short name certificates are in use within the network to close the security gap of new gTLDs, time is very short indeed.