Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Possible security disasters loom with rollout of new top-level domains

From: InfoSec News <alerts () infosecnews org>
Date: Fri, 5 Apr 2013 02:50:27 -0500 (CDT)
http://arstechnica.com/security/2013/04/possible-security-disasters-loom-with-rollout-of-new-top-level-domains/

By Dan Goodin
Ars Technica
Apr 4 2013
Plans to populate the Internet with dozens of new top-level domains in the next year could give criminals an easy way to bypass encryption protections safeguarding corporate e-mail servers and company intranets, officials from PayPal and a group of certificate authorities are warning.
The introduction of Internet addresses with suffixes such as ".corp", ".bank", and ".ads" are particularly alarming to these officials because many large and medium-sized businesses use those strings to name machines inside their networks. If the names become available as top-level domains to route traffic over the Internet, private digital certificates that previously worked only over internal networks could potentially be used as a sort of skeleton key that would unlock communications for huge numbers of public addresses.
A secure sockets layer certificate used by employees to access a company intranet designated as ".corp", for instance, might be able to spoof a public credential for the website McDonands.corp or Ford.corp. Employee laptops that are used at an Internet cafe or other location outside of a corporate network might also be tricked into divulging private information.
"If the appropriate service endpoints are available, these clients will next begin to dump confidential data and potentially pull incorrect information and apply damaging state changes," PayPal Information Risk Management officials Brad Hill and Bill Smith wrote in recently published letter to Fadi Chehade and Stephen D. Crocker, the chief executive and chairman respectively of the Internet Corporation for Assigned Names and Numbers (ICANN). "The potential for malicious abuse is extraordinary, the incidental damage will be large even in the absence of malicious intent, and such services will become immediate targets of attack as they inadvertently collect high-value credentials and private data from potentially millions of systems." 

[...]


______________________________________________
Attend #HITB2013AMS April 8th - 11th in Amsterdam.
Featuring over 42 international speakers and keynotes
by Bob Lord and Edward Schwartz http://conference.hitb.org
Previous By Date Next
Previous By Thread Next

Current thread: