T-Systems’ PKI service ServerPass issues SSL/TLS server certificates that are publicly trusted by many current applications and operating systems, because T-Systems’ root certificates are embedded in them.

Issuing certificates that chain to a publicly trusted root certificate requires a mandatory verification process which, among other things, validates the common name (CN) of the requested certificate – usually a fully qualified domain name (FQDN). Certificates for either an internal IP address from a reserved address range or a local host name cannot be resolved via public DNS and therefore could not be validated by T-Systems’ registration authority (RA).

Nevertheless, such a certificate will be trusted automatically by the software of any user who encounters it. Those certificates can be abused very easily in attack scenarios and cause enormous damage.

Therefore such SSL certificates play a special role. Security subject matter experts as well as the CA/Browser Forum, a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software, have disapproved of the use of such certificates.


What is this threat?

Especially within large corporate networks, certificates for private IP addresses support individual routing. As a consequence, the same IP address ranges are often used in different networks. This is partly due to the fact that device vendors pre-configure their components with identical IP addresses (e.g. 192.168.1.x).

Moreover, in almost all corporate networks the use of DNS suffixes ensures that a request to e.g. https://mail is redirected to https://mail.example.com (where example.com stands for the respective company domain).

An attacker can take advantage of this by applying to a publicly trusted CA for an SSL certificate for either an internal host name or a reserved IP address (for technical details, see the relevant RFC).

This certificate could be installed in a foreign network and used to spy on encrypted data, either through direct access to the appropriate host or indirectly through a Trojan.
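To make the threat described above checkable in practice, the following added example (not code from T-Systems or ServerPass) audits the names carried in a certificate’s CN and subjectAltName entries and flags exactly the classes discussed here: reserved/private IP addresses (such as 192.168.1.x) and single-label host names (such as "mail") that only resolve via a DNS suffix. The sample names and the list of non-public suffixes are constructed assumptions for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: names as they might appear in a certificate's CN and
# subjectAltName extension. Hypothetical values, not taken from any real certificate.
SAMPLE_CERT_NAMES = [
    "www.example.com",      # public FQDN: resolvable, validatable by a CA
    "mail",                 # single-label host name, only resolves via DNS suffix
    "intranet.corp.local",  # non-public suffix (assumed list below)
    "192.168.1.10",         # RFC 1918 private IPv4 address
    "127.0.0.1",            # loopback
    "fd00::1",              # IPv6 unique local address
]

# Assumed set of suffixes that public DNS does not resolve (illustrative, not exhaustive).
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".corp", ".lan", ".home")


def classify_name(name: str) -> str:
    """Classify one CN/SAN value.

    Returns 'public', 'public-ip', 'internal-ip', 'single-label' or 'non-public-suffix'.
    """
    candidate = name.strip().rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        addr = None
    if addr is not None:
        # is_global is False for RFC 1918 ranges, loopback, link-local, ULA and
        # other reserved blocks, which is exactly what a CA cannot validate.
        return "public-ip" if addr.is_global else "internal-ip"
    if "." not in candidate:
        # "mail" rather than "mail.example.com": depends on the client's DNS suffix.
        return "single-label"
    if candidate.endswith(NON_PUBLIC_SUFFIXES):
        return "non-public-suffix"
    return "public"


def audit_cert_names(names: List[str]) -> Dict[str, str]:
    """Map every name of a certificate to its classification."""
    return {name: classify_name(name) for name in names}


def flagged_names(names: List[str]) -> List[str]:
    """Return the names a publicly trusted CA should not have certified."""
    return [n for n, cls in audit_cert_names(names).items() if cls not in ("public", "public-ip")]


if __name__ == "__main__":
    for name, cls in audit_cert_names(SAMPLE_CERT_NAMES).items():
        print(f"{name:22} {cls}")
```

Running this over the names of an inventory of internal certificates shows which ones would lose public trust under the policy above and should be reissued by an internal CA instead.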

T-Systems’ Trust Center acknowledges the assessment of this potential threat and will therefore cease issuing SSL certificates for internal IP addresses and local host names with effect from 01.01.2013. Not least, this decision serves the security interests of T-Systems’ customers.