Phasing out internal server names
The CA/Browser Forum (CAB Forum), of which all major certificate issuers and browser vendors are members, has agreed on a set of Baseline Requirements that every publicly trusted certificate issuer has to abide by.
One of these requirements is to rapidly phase out internal server names and reserved IP addresses in SSL certificates issued by publicly trusted certificate issuers: such certificates may no longer be issued with an expiry date later than 1 November 2015, and any that are still unexpired must be revoked by 1 October 2016.
The reason for this is to protect against Man-in-the-Middle (MITM) attacks. A public certificate issuer has no way to verify who controls a name such as server01 or exch01.fairssl.local, because the name is not unique and does not exist in the public DNS, so anyone could obtain a publicly trusted SSL certificate for it and use that certificate to pretend to be your internal server.
FairSSL's recommendations for our customers
- When installing new systems, configure them without the use of internal server names if at all possible, e.g. by giving the servers names under a registered domain you control and using split DNS, so that internal clients resolve those public names to internal IP addresses.
- Alternatively, use an internal CA for certificates with internal server names, in combination with a public SSL certificate for the public names. (We can assist with and advise on internal PKI solutions.)
Which server names are internal
An internal server name is one that cannot be resolved in the public DNS: a host name without a domain, a name under a non-public suffix such as .local or .lan, localhost, or a reserved IP address such as the private RFC 1918 ranges. The following are some examples of internal server names. If a certificate contains any of these it will no longer be accepted:
- server01
- exch01.fairssl.local
- srv01.domain.lan
- localhost
- 192.168.100.10
- 10.0.0.10
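To find such names in your own certificates before they are refused, the following is an added example written for this page (it is not code from FairSSL or the CA/Browser Forum). It classifies each subject CN or subjectAltName entry as internal or public using the rules above: reserved or non-global IP addresses, single-label host names, localhost, and a shortlist of non-public domain suffixes. The suffix list and the sample names are assumptions made for the example; the authoritative test in the Baseline Requirements is whether the name resolves in the public DNS, so a name under a registered domain that you never published is still internal even though this check would pass it.

```python
import ipaddress
import re

# Assumption: a practical shortlist of suffixes that are not delegated in the
# public DNS. It is not authoritative; the Baseline Requirements define an
# internal name as one that is not resolvable using the public DNS.
NON_PUBLIC_SUFFIXES = {
    "local", "lan", "localdomain", "internal", "intranet", "corp", "home",
    "private", "test", "example", "invalid",
}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def classify_name(name):
    """Classify one subject CN / SAN entry. Returns (is_internal, reason)."""
    n = name.strip().lower().rstrip(".")
    if not n:
        return True, "empty name"

    # IP address literals: anything that is not globally routable (RFC 1918
    # private ranges, loopback, link-local, ...) counts as a reserved address.
    try:
        ip = ipaddress.ip_address(n)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_global:
            return False, "public IP address"
        return True, "reserved IP address"

    # A wildcard is judged by the domain it covers.
    if n.startswith("*."):
        n = n[2:]

    if n == "localhost":
        return True, "localhost"

    labels = n.split(".")
    if len(labels) == 1:
        return True, "single-label host name (no domain)"
    if not all(_LABEL_RE.match(label) for label in labels):
        return True, "not a valid DNS name"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return True, "non-public domain suffix ." + labels[-1]
    return False, "looks like a public DNS name"


def audit_certificate_names(names):
    """Return [(name, reason)] for every name a public CA will no longer accept."""
    rejected = []
    for name in names:
        internal, reason = classify_name(name)
        if internal:
            rejected.append((name, reason))
    return rejected


# Constructed sample: the six names from the list above, plus two public names
# for contrast (example.com / example.org are reserved for documentation).
SAMPLE_NAMES = [
    "server01",
    "exch01.fairssl.local",
    "srv01.domain.lan",
    "localhost",
    "192.168.100.10",
    "10.0.0.10",
    "www.example.com",
    "*.example.org",
]

if __name__ == "__main__":
    for name, reason in audit_certificate_names(SAMPLE_NAMES):
        print("REJECT {:<24} {}".format(name, reason))
```

To run it against a real certificate, list the names with OpenSSL 1.1.1 or later (`openssl x509 -in cert.pem -noout -subject -ext subjectAltName`) and pass each CN and DNS/IP entry to `audit_certificate_names`. Names in the reject list must be moved to an internal CA or replaced by public names under a domain you control, as recommended above.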
Full details about this and the other requirements can be found in the requirements document CA/Browser Forum - Baseline Requirements - v.1.0