Fears for gTLD security as EFF reveals further SSL certificate abuses

Rights organisation the Electronic Frontier Foundation has revealed that certificate authorities have signed certificates for over 1,200 non-existent top level domains (TLDs), as more abuses in the DNS industry come to light.

The EFF's Observatory investigation into SSL certificate signing revealed on Wednesday that the certificate authorities charged with vouching for the identities of secure web servers had been signing unqualified domain names.

This practice highlighted the fact that certificate authorities are not carrying out the most basic validation checks, and could allow cyber criminals to launch man-in-the-browser attacks if they get hold of unqualified names such as 'mail'.

However, in a further revelation, EFF technology director Chris Palmer warned today that certificate authorities are also signing "meaningless fully qualified names".

Palmer attached a list of 1,216 names validated by certificate authorities that his research had uncovered.

"Certificate authorities will sign certificates vouching for the identities of servers under non-existent TLDs and for names that are not legal DNS names, such as phrases containing spaces," he wrote in a blog post.

"The vast majority of TLDs in the list are invalid and have no meaning on the internet. Browsing it, you'll see lots of names that are not internet TLDs, like .public, .priv, .nyc, .84/exchange, and so on."

However, the security problem may lie with the coming of new generic TLDs approved by Icann recently. With a loosening of the restrictions on which TLDs can be used by companies, a cyber criminal could find that a currently invalid name that they managed to register with a careless certificate authority then becomes valid.

"For example, imagine if Microsoft were able to, in the future, register the .microsoft TLD so that they could have www.microsoft for their web site address," said Palmer.

"As the EFF Observatory shows, an attacker can probably get a certificate authority to sign that name today. Such an attacker would be able to hijack Microsoft's web site the very minute the new name goes live."