Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deprecation of certificates for internal needs

Published byShona Hutchinson Modified over 5 years ago

Similar presentations

Presentation on theme: "Deprecation of certificates for internal needs"— Presentation transcript:

1 Deprecation of certificates for internal needs
21/02/2019 Deprecation of certificates for internal needs

2 Reserved IP address range
WHY? Not directly linked to the launch of new domain names extensions! The decision was made in June 2012 by CA/B forum Main reason: security issue Short version => Local domains are not unique, unlike public domains or public IPs, so they cannot be vetted by CAs + the launch of new gTLDs can create collisions between a local domain and a public domain WHAT IS PUBLIC, WHAT IS PRIVATE? <<< Public domain name (aka FQDN) Reserved IP address range <<< Private domain name (aka local domain) <<< Public IP address <<< Private IP address (aka reserved / local IP) prod-cft-1 <<< Machine name (always private) /!\ There are exceptions. Any doubt, consult this page:

3 Nameserver’s cache database
Long version => 2 examples 1.Let’s say Barclays has deployed an internal mail system at the address Legitimate server The system is not reachable from the public Internet – only on the local corporate network or over the VPN The name mail is not unique, so anyone can potentially obtain a certificate that validates for Employee’s computer If you bring such a certificate into Barclay’s network, it can be used in combination with local name spoofing* to perfectly impersonate the real corporate mail server and steal users’ credentials and other confidential information. Hacker’s server Nameserver’s cache database *DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) name server's cache database, causing the name server to return an incorrect IP address, diverting traffic to another computer (often the attacker's).

4 Employee’s laptop asking to see the page
2.Let’s say Barclays has deployed an internal mail system at the address Local server ICANN decides to launch .corp as a new extension Employee’s laptop asking to see the page A hacker registers the domain Barclays.corp, and issues a DV certificate to secure it. The hacker perfectly impersonates the real corporate mail server and uses DNS cache poisoning attacks to redirect people to the hacker’s server. The attacker might not even need to be on the corporate network to mount a successful attack. If a user connects their corporate laptop to a public WiFi network, the mail client might automatically attempt to connect to “ or” before a VPN connection is established. If an attacker has anticipated this, again, a perfect impersonation can be made. Hacker’s server

5 WHAT? All our CAs will respect the deprecation To be deprecated
Local domains Local IPs Server names prod-cft-1 Not deprecated Public domain names Public IPs

6 WHEN?

7 BATTLE PLAN MARKETING SIDE
Blog article: being translated into all languages DotMailer campaign: being translated into all languages To be sent on Thursday (Sept 11)

8 SALES SIDE: CLIENTS FIRST!
Certificates expiring before < To contact immediately by phone (10 Symantec clients) Certificates expiring before < To contact asap by phone (54 Symantec clients) Certificates expiring before < To inform by phone if possible but not urgent. Reminder Mid-2015 (3 Symantec clients) Certificates expiring after < Inform whenever possible (0 Symantec client) < Check the Word document to get more details

9 DON’T FORGET SHA-2! Any client whishing to renew SHOULD renew in SHA-2 if he can. Redirect the client to the KB for more info: Google plans to “force” the deprecation by displaying warning icons in future versions of Chrome. This will NOT immediately impact the website’s layout, but has to be taken into account by domain owners

10 What Google is going to do to deprecate SHA-1 in the next versions of Chrome:
(Branch point Sept ) Chrome 40 (Branch point Nov ) Chrome 41 (Branch point Q1 2015) Certificates expiring Between June 1st and December 31st, 2016 Certificates expiring After Jan 1st, 2017

11 Any question? marketing@SSL247.co.uk +44 (0)203 69 79 391
+44 (0)

Download ppt "Deprecation of certificates for internal needs"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Plug-in and Automatic update security Presented by Maxamed Hilowle.

Plug-in and Automatic update security Presented by Maxamed Hilowle.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
Intro to Computer Networks DNS (Domain Name System) Bob Bradley The University of Tennessee at Martin.

Intro to Computer Networks DNS (Domain Name System) Bob Bradley The University of Tennessee at Martin.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
SSL From Your Smartphone Support for Android Smartphones www.sharetech.com.twwww.sharetech.com.tw / www.higuard.comwww.higuard.com.

SSL From Your Smartphone Support for Android Smartphones /
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Microsoft Internet Security and Acceleration (ISA) Server 2004 is an advanced packet checking and application-layer firewall, virtual private network.

Microsoft Internet Security and Acceleration (ISA) Server 2004 is an advanced packet checking and application-layer firewall, virtual private network.
Copyright ©: 1995-2011 SAMSUNG & Samsung Hope for Youth. All rights reserved Tutorials The internet: Getting online Suitable for: Beginner.

Copyright ©: SAMSUNG & Samsung Hope for Youth. All rights reserved Tutorials The internet: Getting online Suitable for: Beginner.
IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.

IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.
BY OLIVIA WILSON AND BRITTANY MCDONALD Up Your Shields with Shields Up!

BY OLIVIA WILSON AND BRITTANY MCDONALD Up Your Shields with Shields Up!
G053 – Lecture 09 Domain Names Mr C Johnston ICT Teacher www.computechedu.co.uk.

G053 – Lecture 09 Domain Names Mr C Johnston ICT Teacher
Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.

Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.
Thornbury U3A Computer Club – Mike Farquhar July 2014.

Thornbury U3A Computer Club – Mike Farquhar July 2014.
Saphe surfing! 1 SAPHE Secure Anti-Phishing Environment Presented by Uri Sternfeld.

Saphe surfing! 1 SAPHE Secure Anti-Phishing Environment Presented by Uri Sternfeld.
UNIT 2 LESSON 10 CS PRINCIPLES. UNIT 2 LESSON 10 OBJECTIVES Students will be able to: Describe how a system of DNS servers support IP lookups. Explain.

UNIT 2 LESSON 10 CS PRINCIPLES. UNIT 2 LESSON 10 OBJECTIVES Students will be able to: Describe how a system of DNS servers support IP lookups. Explain.
Privacy & Confidentiality in Internet Research Jeffrey M. Cohen, Ph.D. Associate Dean, Responsible Conduct of Research Weill Medical College of Cornell.

Privacy & Confidentiality in Internet Research Jeffrey M. Cohen, Ph.D. Associate Dean, Responsible Conduct of Research Weill Medical College of Cornell.

Similar presentations

Ads by Google