Generic Top Level Domains
New generic top-level domains (gTLDs) have already been released by ICANN and there will be potentially over a thousand new gTLDs available for companies and web services on which to do business. These include not only new domains like .app, .blog, and .money, but words using non-English characters including Chinese, Korean and Arabic.
The challenge is issuance and network routing, and it is one all public Certificate Authorities (CAs) are working to address. SSL certificates are used not just for external webservers, but for internal secured connections as well on Exchange, Domino, as well as for SDKs and APIs. Additionally, there have been no official rules about what to name hosts on an internal network. Prior to the new ICANN announcements, many CAs already counseled against internal networks with gTLDs that are reserved for DNS, yet still these exist (mycompany.local) for a DMZ or internal network name. Likewise, many companies have an internal network address ending in .corp, which is on the list of newly requested gTLDs.
With new gTLDs, the possibility exists that a legitimate internal certificate for an internal network with a name like .secure could be moved to an externally facing web service once the new gTLDs go live on the internet. This risk has been well documented in the news as well as on internet blogs by security experts. The issue of internal names being moved externally presents new opportunities for abuse or malicious web trafficking with a legitimate certificate. Additionally, if a company’s network is named .secure, then all the machines in that network will only be able to route .secure as an internal network. When ICANN makes the new gTLD .secure go live, nodes on the .secure network will not be able to see past their own routers.
How New gTLDs Will Impact Existing SSL Certificates
Symantec started implementing a check for all new certificates being issued against the proposed ICANN gTLD list in March, 2013 to avoid this problem for current and future certificate issuance. We are also scanning all of our currently issued internal-type certificates and Subject Alternative Names (SANs) that were issued before the gTLD list was publicized, and will be working with the certificate owners to either demonstrate that they have the right to use the new gTLD or to replace/re-issue the certificates when the network is renamed.
This has the potential to be a painful process for companies that may have had their internal network named with a ‘new’ gTLD for years as their old internal network name. It isn’t limited to those customers that just happened to get certificates with these internal domain names: If a network has machines named foo.secure or bar.corp, they’re going to have to do some adaptation and possibly rename whole network segments.
Required Next Steps for Customers
After ICANN releases each gTLD, customers have 120 days to either register the domain and prove domain ownership, or transition to a valid fully qualified domain name (FQDN). If you have an SSL certificate with an affected gTLD, you will be contacted by Symantec. We also strongly recommend our customers check to see if they have any gTLDs that are on the list for future approval. If you have questions about ICANN's new gTLDs and the effect on your existing certificates, please feel free to contact Symantec directly