The Problem With Abandoned Domains
The very nature of today's internet allows for the mostly peaceful transfer of domains and IP addresses between organizations. Unregistered and expired domains can be snapped up for the right price, often to much hilarity and high jinks. The dynamic nature of internet domains also leaves them ripe for abuse by bad actors. Man in the Middle (MitM), domain hijacking, and Denial of Service (DoS) attacks are just a few common abuses of abandoned domains. Legitimate organizations can do everything in their power to prevent such abuses, but the way domains are maintained and transferred will never allow this problem to go away. For example, there may come a day when I will want or need to abandon my domain www.chrislouie.net. I can responsibly post on my website and contact readers to say that I will no longer use this domain. Unless I pay for the domain registration in perpetuity, there is nothing preventing someone else from registering the domain and impersonating me. This was exactly the case for a company that created a Twitter add-on.
There is a widespread disconnect between SSL certificate validity and domain registration. I would be within my rights to purchase a three year SSL certificate for www.chrislouie.net from any trusted certificate authority. They only require that I own the domain at the time of certificate purchase. One year after purchasing the certificate, I could let the domain registration lapse and wait for someone else to register my former domain. This presents a problem to the new owner since I will still hold a valid SSL certificate for their newly acquired domain.
Security researchers presenting at DefCon used Certificate Transparency (CT) logs to find that over a quarter of the valid registered domains they examined (3 million domains and 7.7 million certificates) have existing SSL certificates issued to the domain's previous registrant. The first exploitable attack is a Man in the Middle attack, where the holder of a still-valid SSL certificate issued to the previous registrant can decrypt traffic to and from the new domain owner. An attacker could replace the SSL certificate on the new website or redirect traffic to a rogue server using DNS hijacking or poisoning. The end user would still see a legitimate SSL certificate and no alarms would be raised.
The second exploitable attack is a denial of service, which arises when a new domain owner includes a previously registered domain in the Subject Alternative Name (SAN) field of an SSL certificate. If the previous legitimate owner of the domain still holds a valid SSL certificate, it is possible to have the new SSL certificate that lists the domain in its SAN field revoked. Revoking the SSL certificate of a legitimate website could cause problems by creating certificate warnings and breaking applications that require SSL encrypted connections. In industries where every minute of downtime could cost hundreds of thousands of dollars, a denial of service could be quite disastrous.
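The check a new domain owner would want to run, covering both the MitM and the SAN-revocation scenarios above, is to look through CT log entries for certificates that name the domain, were issued before the current registration began, and have not yet expired. The following is an added example, not code from the original post or from the DefCon researchers; the CT entries, issuer names, domain and dates are constructed for illustration, and a real run would take the entries from a CT log search and the registration date from WHOIS.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CtEntry:
    """One certificate as it would appear in a Certificate Transparency log."""
    issuer: str
    not_before: date
    not_after: date
    sans: tuple  # DNS names from the Subject Alternative Name extension


def find_stale_certs(domain, registered_on, ct_entries, today):
    """Return CT entries that are a 'previous registrant' risk for `domain`.

    A certificate qualifies when all three hold:
      * it names `domain` in its SANs,
      * it was issued before the current registration began, so it was
        obtained by a previous holder of the domain, and
      * it is still within its validity period today.
    Such a certificate lets its holder present a trusted cert for the
    domain (MitM) or ask the CA to revoke certificates sharing the SAN (DoS).
    """
    return [
        e for e in ct_entries
        if domain in e.sans
        and e.not_before < registered_on
        and e.not_after > today
    ]


# Constructed sample data (hypothetical domain, CAs and dates).
DOMAIN = "example-domain.test"
REGISTERED_ON = date(2018, 3, 1)   # when the current owner registered it
TODAY = date(2018, 8, 10)
SAMPLE_ENTRIES = (
    # Issued to the previous owner, still valid: this is the risk case.
    CtEntry("CA One", date(2017, 1, 15), date(2020, 1, 15), (DOMAIN, "www." + DOMAIN)),
    # Issued to the previous owner but already expired: harmless.
    CtEntry("CA Two", date(2016, 6, 1), date(2017, 6, 1), (DOMAIN,)),
    # The current owner's own certificate: issued after registration.
    CtEntry("CA Three", date(2018, 3, 5), date(2019, 3, 5), (DOMAIN,)),
    # A certificate for an unrelated domain.
    CtEntry("CA One", date(2017, 9, 1), date(2019, 9, 1), ("other.test",)),
)

if __name__ == "__main__":
    for e in find_stale_certs(DOMAIN, REGISTERED_ON, SAMPLE_ENTRIES, TODAY):
        print(f"{e.issuer}: valid {e.not_before} to {e.not_after}, SANs {e.sans}")
```

Any entry the function returns is one the new owner should ask the issuing CA to revoke, since the 24-hour rule described below cannot be relied on to have done it.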
There are rules meant to prevent this SSL certificate overlap from occurring: when a domain expires, the issuing certificate authority is supposed to revoke the SSL certificate within 24 hours. Like OCSP, this system is terribly broken due to lack of standards and poor implementation. Instead, it becomes necessary to adopt a zero-trust approach where all web traffic is considered malicious, even if it comes from a reputable source. Even after a reputable website becomes compromised, hijacked, or abandoned, zero-trust security solutions will continue scanning every byte of data to ensure nothing malicious gets into the organization.