Francisco Partners, a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business, which has been renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Certificate and browser industry standards are continuously reviewed and adjusted to meet the demands of an ever-changing threat environment. Providers have a lot to keep up with, but so do users of SSL certificates.
In July 2012, the CA/Browser Forum, the industry standards board for Certificate Authorities and the browsers that use Certificates, made a decision to deprecate the usage of reserved IP addresses and internal names for certificates, effective November 1st 2015. All such certificates still outstanding must be revoked by October 31, 2016.
At this point, this may seem like a long way off. However, the task of migrating to new compliant certificates where needed cannot begin soon enough. These rules are being implemented to eliminate vulnerabilities that place an organization at risk from hackers.
An internal name is a domain in a private network that is not resolvable using the public Domain Name System (DNS). It either has no domain suffix, or its suffix is not a public domain name. For example, clifton.nj.local or Manchester.uk.internal.
A malicious actor with these certificates could go on to perform man-in-the-middle attacks on closed networks such as public or corporate WiFi. Some of these previously internal names may now even be registered in public DNS with the introduction of the new gTLDs. One example would be the new gTLD ‘.exchange’.
Trusted certificates issued by certificate authorities like Comodo are generally issued to ‘real’ public domain names, such as ‘comodo.com’. The certificate authority can validate that a single organization has unique control or ownership of such a ‘real’ domain name before signing and issuing the certificate.
Internal names, by contrast, are not unique to any one organization, so the certificate authority has no way to validate ownership. That meant anyone could obtain a trusted certificate for an internal name.
A reserved IP address is an IPv4 or IPv6 address that the IANA has marked as reserved. These IP addresses may be used for maintenance of routing tables, multicast, operation under failure modes, or to provide addressing space for public, unrestricted uses. Refer to Wikipedia for a complete list of reserved IP addresses.
Comodo’s time table for phasing out Internal Names and Reserved IP addresses is as follows:
If you are using internal names, you must configure those servers to use a public name or switch to a certificate issued by an internal CA before November 1, 2015.
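To find which certificates need migrating, the definitions of internal name and reserved IP address given above can be applied to each subjectAltName entry in a certificate inventory. The following is an added example, not Comodo's tooling; the inventory, the function names and the short TLD set are constructed assumptions, and a real audit should load the full IANA list of top-level domains.

```python
import ipaddress

# Constructed sample of public TLDs (assumption). Note that 'exchange' is now
# a public gTLD, so a name like 'owa.exchange' is no longer an internal name.
SAMPLE_PUBLIC_TLDS = {"com", "org", "net", "uk", "exchange"}

def classify_san(entry, public_tlds=SAMPLE_PUBLIC_TLDS):
    """Return 'reserved-ip', 'public-ip', 'internal-name' or 'public-name'."""
    value = entry.strip().rstrip(".")
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Anything not globally routable counts as reserved for this audit.
        non_public = (not ip.is_global) or ip.is_multicast or ip.is_reserved
        return "reserved-ip" if non_public else "public-ip"
    labels = value.lower().split(".")
    if labels[0] == "*":          # wildcard: judge the name underneath it
        labels = labels[1:]
    # No suffix at all, or a suffix that is not a public TLD: internal name.
    if len(labels) < 2 or labels[-1] not in public_tlds:
        return "internal-name"
    return "public-name"

def audit(certs):
    """Map each certificate label to the SAN entries that must be migrated."""
    findings = {}
    for label, sans in certs.items():
        bad = [s for s in sans
               if classify_san(s) in ("internal-name", "reserved-ip")]
        if bad:
            findings[label] = bad
    return findings

# Constructed inventory: certificate label -> subjectAltName entries.
SAMPLE_CERTS = {
    "mail-gw": ["mail.mydomain.com", "mailserver", "10.0.0.5"],
    "intranet": ["clifton.nj.local", "Manchester.uk.internal"],
    "web": ["www.mydomain.com", "*.mydomain.com"],
    "legacy": ["owa.exchange", "192.168.1.10", "fd00::1"],
}

if __name__ == "__main__":
    for label, bad in audit(SAMPLE_CERTS).items():
        print(label, "->", ", ".join(bad))
```
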
What Can I Do If My Organization Already Uses A Trusted Internal Domain Certificate?
There are several options available. One option is to reconfigure any systems to use a publicly-registered domain name. The fully-qualified name in the certificate does not need to resolve in public DNS, or be accessible from the public internet. For example, migrating ‘myserver.local’ to ‘myserver.mydomain.com’ does not mean that the server needs to be accessible on the internet, or that the DNS record for ‘myserver.mydomain.com’ needs to resolve outside of your network.
A blog post with further information and guidance from the CA Security Council is available here:
https://casecurity.org/2014/07/18/what-to-do-when-you-rely-on-internal-names-in-tlsssl-certificates/
Should you have any questions regarding the issuance of certificates with internal names, the status of existing certificates or if you require general advice with any of the points raised in this document, please contact a Comodo Account Manager or Comodo Support:
support@comodo.com
https://support.comodo.com/