Private IP addresses and internal server names in SSL certificates are being phased out and will no longer be accepted, as a measure to prevent Man-in-the-Middle (MITM) attacks.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) is commonly used by web servers to encrypt traffic and authenticate the server. But did you know SSL is not limited to the web? Large enterprises use SSL certificates for identity and access management in their back-office systems, such as database servers, Customer Relationship Management (CRM) servers, application servers, backup servers, mail servers and more. In this way, a company's private internal information is kept secure and confidential from intruders both inside and outside the company.
For years, customers have come to us asking to use SSL certificates on their intranet, specifying a need for internal names such as www.server1.internal or server2.local that the public Domain Name System (DNS) cannot resolve. Because these names are only used internally, they are usually not Fully Qualified Domain Names (FQDNs) and cannot be verified as unique.
Lately, the incidence of data breaches and Man-in-the-Middle (MITM) attacks has been on the rise, and the risk of experiencing a data breach is higher than ever: almost half of organizations suffered at least one security incident in the last 12 months, according to the Experian Data Breach Industry Forecast 2015. Because internal server names are not unique, these servers are vulnerable to MITM attacks, in which the attacker uses a copy of the real certificate, or a duplicate certificate issued for the same name, to intercept, relay and possibly alter the data in transit. Since multiple certificates are issued for the same internal names to many different customers, an attacker can make a valid request for a duplicate certificate and use it for MITM. So no matter how strong the encryption is, SSL with non-unique and unverifiable internal names can leave an attacker in control of the communication between servers.
To overcome this problem, the Certificate Authority/Browser Forum (CA/Browser Forum), the body that sets industry standards for internet security, has issued a notice to phase out the issuance of SSL certificates for non-unique internal server names or private IP addresses, and requires CAs to revoke any certificates containing internal names by October 2016. This move towards using public domain names on internal servers increases the level of security for internal servers.
However, many companies in Singapore still use non-unique internal names for their back-office servers. Those affected need to reconfigure their servers to use a public FQDN immediately so that every name is unique and can be verified; it does not matter whether those services are publicly accessible. In fact, if your back-end systems need to be administered remotely over the internet, they should already be restricted to authenticated users over encrypted connections. This baseline was defined in 2011 by the CA/B Forum. Cyber Secure Asia would like to emphasise this change once again, for our customers' security and to meet industry baseline requirements.
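The following is an added example, not code from the original article or from Cyber Secure Asia, of the name check a CA applies under this rule and that an administrator can run over the Common Name and Subject Alternative Name entries of an existing certificate to find the names that must be renamed before October 2016. It uses only the Python standard library. The list of non-public suffixes and the short list of public TLDs are constructed placeholders standing in for the IANA root zone database, and the SAN entries at the bottom are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass

# Suffixes commonly used for intranet names; none is delegated in the public
# DNS root zone. Constructed list for this example, not an authoritative source.
NON_PUBLIC_SUFFIXES = {"local", "internal", "intranet", "lan", "corp", "home",
                       "private", "localhost", "test", "example", "invalid"}

# Small stand-in for the IANA root zone database. Assumption: a real audit
# loads the full TLD list from IANA instead of hard-coding a handful.
KNOWN_PUBLIC_TLDS = {"com", "net", "org", "sg", "edu", "gov", "io",
                     "info", "biz", "asia"}


@dataclass
class Finding:
    name: str
    verdict: str   # "internal", "public" or "unknown"
    reason: str


def classify_name(entry: str) -> Finding:
    """Classify one CN or SAN entry the way a CA's pre-issuance check does:
    reserved IP addresses and names without a public TLD are internal names."""
    value = entry.strip().rstrip(".").lower()

    # Case 1: iPAddress SAN. Anything not globally routable (RFC 1918,
    # loopback, link-local, IPv6 ULA, documentation ranges) is reserved.
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_global:
            return Finding(entry, "public", "globally routable IP address")
        return Finding(entry, "internal", "reserved/private IP address")

    # Case 2: dNSName SAN or CN. A wildcard label does not change which zone
    # the name lives in, so strip it before looking at the suffix.
    host = value[2:] if value.startswith("*.") else value
    labels = host.split(".")
    if len(labels) < 2 or any(not lab for lab in labels):
        return Finding(entry, "internal", "single-label or malformed host name")

    tld = labels[-1]
    if tld in NON_PUBLIC_SUFFIXES:
        return Finding(entry, "internal", f"'.{tld}' is not a public TLD")
    if tld in KNOWN_PUBLIC_TLDS:
        return Finding(entry, "public", f"'.{tld}' is a registered TLD")
    return Finding(entry, "unknown",
                   f"'.{tld}' not in local TLD list; consult the IANA root zone")


def audit_names(entries):
    """Return only the entries a CA is required to refuse or revoke."""
    return [f for f in (classify_name(e) for e in entries) if f.verdict == "internal"]


# Constructed sample: the subject names a legacy intranet certificate might carry.
SAMPLE_SAN = [
    "www.server1.internal",   # suffix from the article
    "server2.local",          # suffix from the article
    "mailserver",             # bare host name, not an FQDN
    "192.168.10.25",          # RFC 1918 address
    "*.corp.example.sg",      # public wildcard name, acceptable
    "crm.example.com",        # public name, acceptable
    "2001:db8::10",           # IPv6 documentation prefix, not global
]

if __name__ == "__main__":
    for f in audit_names(SAMPLE_SAN):
        print(f"RENAME/REVOKE {f.name:24} {f.reason}")
```

The names for a real certificate can be listed with `openssl x509 -in server.pem -noout -subject -ext subjectAltName` and fed to `audit_names`. An `unknown` verdict means only that the TLD is not in the short local list; check it against the IANA root zone database before treating the name as public.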