Certificate Authority Security Council supports new rules
Man-in-the-middle attacks that abuse SSL server certificates are a recurring problem on the modern internet because of the bugs and exploits that keep appearing, but changes coming soon may make this type of attack a little more difficult.
The Certificate Authority/Browser Forum was the first to propose that certificate authorities (CAs) stop issuing certificates that contain “Internal Names” and are set to expire after November 1, 2015. Additionally, CAs must revoke existing SSL certificates containing Internal Names by 1 October 2016.
The rules were adopted by the CA/Browser Forum in 2011. Now, the CA Security Council – whose members include Go Daddy, DigiCert, Trend Micro, Entrust, Symantec, GlobalSign, Comodo and others – is speaking out publicly about the rule changes as one of the deadlines approaches.
What is an Internal Name?
A CA Security Council blog post has advice if you’re currently using Internal Names in your SSL / TLS setup. The post also defines Internal Names as:
“A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA’s Root Zone Database.” For example, “mail” and “exchange.local” are Internal Names; “casecurity.org” and “paypal.com” are publicly registered names.
Domain Growth and Security for All
Wayne Thayer, Go Daddy’s general manager for security products, is on the Steering Committee of the CA Security Council and recently had this to say:
With hundreds of new top-level domain names (TLDs) such as “.exchange” and “.xyz” becoming available, there’s currently a lot of excitement and change in the world of domains. The onset of all these new TLDs is also driving some big changes in so-called “Internal Names” – domain names that are only meaningful to a particular organization. Common examples are “mail” and “intranet”, but IT departments have historically used Internal Names to identify all sorts of systems that don’t require public access.
The CA/Browser Forum has adopted rules that will soon end the issuance of SSL certificates containing Internal Names. Specifically, Certificate Authorities (CAs) may not issue certificates that contain Internal Names and expire after 1 November 2015. Since most CAs sell certificates in 1-year increments, this effectively means that customers must stop requesting certificates containing Internal Names before 1 November 2014. In addition, CAs must revoke existing certificates containing Internal Names by 1 October 2016.
Allowing the use of Internal Names – like “mail” – in SSL certificates made it easier for man-in-the-middle attacks to occur. Corporate guest Wi-Fi networks are particularly tempting targets. However, starting November 1 of this year, CAs are no longer going to be issuing SSL certificates that use general “internal names.” Some will still be out there until October 2016, but not issuing new ones is a good first step toward making the internet a bit more secure.
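As an added illustration of the definition quoted above and of Wayne Thayer’s point about new TLDs (example code written for this post, not code from the CA Security Council, SSL.com or any CA), here is a small Python check that classifies the names found in a certificate’s Common Name and Subject Alternative Name fields. The TLD set it ships with is a constructed subset of IANA’s Root Zone Database, so a real audit must load the full, current list instead.

```python
import ipaddress

# Constructed subset of IANA's Root Zone Database, standing in for the full
# list published at https://data.iana.org/TLD/tlds-alpha-by-domain.txt.
# Assumption for this example only; a real check must use the complete list.
ROOT_ZONE_TLDS = {"com", "org", "net", "uk", "xyz"}


def normalize_name(name):
    """Lower-case the name, drop a trailing dot and strip a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def classify_name(name, tlds=ROOT_ZONE_TLDS):
    """Classify one CN/SAN value per the CA Security Council definition.

    Returns 'ip' for IP addresses (the definition explicitly excludes them),
    'public' when the last label is a TLD in the root zone, and 'internal'
    otherwise.
    """
    name = normalize_name(name)
    try:
        ipaddress.ip_address(name)
        return "ip"
    except ValueError:
        pass
    if not name:
        return "internal"
    tld = name.rsplit(".", 1)[-1]
    return "public" if tld in tlds else "internal"


def find_internal_names(names, tlds=ROOT_ZONE_TLDS):
    """Return the names that a CA may no longer put in a certificate."""
    return [n for n in names if classify_name(n, tlds) == "internal"]


# Constructed sample SAN list of the kind a corporate mail server cert carries.
SAMPLE_SANS = ["mail.example.com", "mail", "exchange.local",
               "*.corp.example.com", "10.0.0.5", "intranet.exchange"]

if __name__ == "__main__":
    print(find_internal_names(SAMPLE_SANS))
    # Once ".exchange" is delegated in the root zone, "intranet.exchange" stops
    # being an Internal Name, which is why the definition says "at the time of issuance".
    print(find_internal_names(SAMPLE_SANS, ROOT_ZONE_TLDS | {"exchange"}))
```

The check only tests whether the last label is a delegated TLD, exactly as the definition does; it does not tell you whether the domain is registered or whether you control it.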
Good News About the New SSL Server Rules
If you currently rely on SSL certificates that use generic Internal Names, or you aren’t sure whether you do, you can contact the professionals at SSL.com and quickly get all of your questions answered. Checking this yourself isn’t difficult, but a second opinion can put your mind at ease that you’re covered when the changes go into effect on November 1, 2015 and October 1, 2016.
Do you have an opinion on this change? Leave us a comment below and share your thoughts. When it comes to technology, it’s always nice to be able to talk to someone who knows internet technology – especially security. The team here at SSL.com is ready to begin a conversation with all of our readers. All it takes is a moment to leave your thoughts below. Let us know what you think about the change in Internal Names for SSL certificates. Thanks!