Data Security

Users have until February 13th to stop using TLS-SNI-01 in Let’s Encrypt

Due to security incidents, certifying authorities have decided to end the implementation of this protocol

Nearly a year after a security incident allowed malicious users to claim encryption certificates for domains that did not belong to them, the certifying authority has decided to terminate the TLS-SNI-01 protocol lifecycle, as reported by network security and ethical hacking specialists from the International Institute of Cyber Security.

At the beginning of last year, Let’s Encrypt, a free use certifying entity, found that validation based on TLS-SNI-01 and TLS-SNI-02, the future successor, could be exploited by malicious users. According to network security experts: “An attacker or group of attackers could, for example, find an orphaned domain name targeted at a hosting service and use the domain, with an unauthorized certificate to make fake pages seem more credible, without actually owning the domain”.

In theory, the SNI extension in the TLS protocol must validate the name presented by the server; this is a fundamental element, especially when a single IP address serves multiple websites. According to network security experts, the opportunity to exploit this error occurs if the hosting provider omits the verification of ownership of a web domain.

In response to this situation, Let’s Encrypt decided to end the life cycle of the TLS-SNI-01 protocol for its new registered accounts, although the developers decided to extend the support for the certificates issued prior to the announcement.

Let’s Encrypt announced through an official statement that the deadline to stop using TLS-SNI-01 is February 13, 2019.

Josh Aas, a cybersecurity specialist collaborating with Let’s Encrypt, commented in a blog post that system administrators who still use the TLS-SNI-01 protocol should switch to the DNS-01 and HTTP-01 validation mechanisms.

“We apologize in advance for any inconvenience this may produce, but we believe this is the right decision to ensure the integrity of your web developments,” concluded the message of Aas.
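What the two recommended mechanisms ask a domain holder to publish, following RFC 8555 and RFC 7638, as an added example that is not code from the article or from Let’s Encrypt. The account key, token and domain are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import json
import re

# JWK members that RFC 7638 puts into the thumbprint input, per key type.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # RFC 8555: base64url alphabet only


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, sorted, no whitespace."""
    canonical = json.dumps({k: jwk[k] for k in REQUIRED[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    # Reject anything that could escape the challenge directory on disk.
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple:
    """(URL path, body) served over plain HTTP on the domain itself."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """(TXT record name, value) published in the domain's own DNS zone."""
    ka = key_authorization(token, account_jwk).encode("ascii")
    return (f"_acme-challenge.{domain.rstrip('.')}",
            b64url(hashlib.sha256(ka).digest()))


# Constructed sample values; x and y are placeholders, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-token_0123456789"

if __name__ == "__main__":
    print(http01_response(SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_record("example.org", SAMPLE_TOKEN, SAMPLE_JWK))
```

Both proofs live at a location tied to the name being validated (a path on the domain or a record in its zone), not at whatever certificate a shared IP address answers with for a given SNI name.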
