"Zombie Linkages" Leave Expired Domains Trusted for Years, Researchers Find
A new study reveals that "zombie linkages"—trust records tied to expired or transferred domains—persist across Web PKI, software repositories, and blockchain naming systems, creating long-term security risks.

Researchers from USC and the University of Twente have identified a systemic weakness they term "zombie linkages": trust records bound to a domain that stay valid long after the original registrant has lost control of it, whether through expiry or transfer. The problem spans Web PKI, software supply chains and cryptocurrency naming systems, and it means stale identity proofs remain usable, and potentially exploitable, well past their intended lifetime.
In the Web PKI, the researchers found that TLS certificates routinely outlive the domain registrations they attest to. More than 192,000 certificates for expired domains were still being served months after the domain's "DNS death", and a further 7,300 remained valid after the domain had been registered by a new owner. Only 4.3% of these "zombie certificates" were revoked before their natural expiry. A certificate on its own is not enough to impersonate a site, but an attacker who also holds its private key (for example by taking over an orphaned host or cloud resource that still serves it) and who can put themselves in the path of traffic for that name can present a certificate that browsers and users will accept without complaint.
The software supply chain faces the same problem through Maven Central, the primary repository for Java packages, which ties publishing rights for a reverse-DNS groupId such as com.example to ownership of the matching domain. Of the 31,853 Maven namespaces analyzed, 15.2% were bound to domains that had since expired or changed hands. More troubling, 547 of these namespaces went on publishing new package versions after the original owner lost the domain, and 214 did so after a new party had acquired it. Maven Central releases are immutable, so versions already published cannot be altered, but whoever controls the namespace can publish new ones, and automated builds that resolve version ranges or upgrade dependencies without review may pull them in.
Cryptocurrency naming systems are affected too, specifically the Ethereum Name Service (ENS). The researchers found that 23.8% of active ENS "on-chain" linkages, which map human-readable names to wallet addresses, were outdated. Unlike certificates, these records carry no expiry of their own: they stay live on the blockchain until someone replaces them, and none of the outdated linkages identified had ever been reclaimed, with a median age of 1.9 years.
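The three cases above (certificates that stay valid after DNS death or re-registration, Maven namespaces that keep publishing after the domain changes hands, and ENS records with no expiry of their own) are all the same check: compare a record's validity window with the lifecycle of the domain it was bound to. The following is an added example written for this article, not code from the study; the records and dates are constructed, the groupId-to-domain mapping is a two-label simplification, and the treatment of io.github/com.github prefixes as code-host-verified rather than DNS-verified is an assumption.

```python
"""Classify domain-bound trust records ("linkages") against the lifecycle of
the domain they were issued for. Added example; all data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

LIVE = "live"                         # domain still with whoever created the record
ZOMBIE_DEAD = "zombie-dns-dead"       # domain dropped, record still valid, nobody re-registered it
ZOMBIE_REREG = "zombie-reregistered"  # domain now held by a new party, record still valid
LAPSED = "lapsed"                     # record reached its own expiry
REVOKED = "revoked"                   # record explicitly revoked (Web PKI only)


@dataclass(frozen=True)
class Linkage:
    system: str              # "pki", "maven" or "ens"
    subject: str             # certificate name, Maven groupId, or name on the ENS side
    domain: str              # registrable domain the record is bound to
    created: date
    expires: Optional[date]  # None: persists until replaced (Maven namespace, ENS record)
    revoked: bool = False


@dataclass(frozen=True)
class DomainHistory:
    dropped: Optional[date] = None       # "DNS death": domain left the original owner
    reregistered: Optional[date] = None  # a new party registered it


# Assumption: these Maven Central prefixes are verified through the code host,
# not through a domain the publisher owns, so no DNS linkage exists for them.
CODE_HOST_PREFIXES = ("io.github.", "com.github.")


def groupid_to_domain(group_id: str) -> Optional[str]:
    """Reverse-DNS groupId -> domain the publisher had to prove ownership of.
    Simplification (assumption): registrable domain = first two labels reversed,
    so com.example.lib -> example.com; suffixes such as co.uk are not handled."""
    if group_id.startswith(CODE_HOST_PREFIXES):
        return None
    labels = group_id.split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a reverse-DNS groupId: {group_id!r}")
    return f"{labels[1]}.{labels[0]}"


def classify(link: Linkage, hist: DomainHistory, today: date) -> str:
    """Status of one record on a given day."""
    if link.revoked:
        return REVOKED
    if link.expires is not None and link.expires < today:
        return LAPSED
    if hist.dropped is None or hist.dropped > today:
        return LIVE
    if hist.reregistered is not None and hist.reregistered <= today:
        return ZOMBIE_REREG
    return ZOMBIE_DEAD


def zombie_window_days(link: Linkage, hist: DomainHistory) -> Optional[int]:
    """Days a record stays valid after its domain is lost: 0 if the domain never
    dropped, None if the record has no expiry and so outlives it indefinitely."""
    if hist.dropped is None:
        return 0
    if link.expires is None:
        return None
    return max(0, (link.expires - hist.dropped).days)


def audit(links, histories, today: date) -> dict:
    """Count records per status; domains with no history are treated as never dropped."""
    counts: dict = {}
    for link in links:
        status = classify(link, histories.get(link.domain, DomainHistory()), today)
        counts[status] = counts.get(status, 0) + 1
    return counts


def revoked_share(links, histories, today: date) -> float:
    """Fraction of records that outlived their domain (domain dropped on or before
    today while the record was still valid, or never expires) and were revoked."""
    outlived = []
    for link in links:
        hist = histories.get(link.domain)
        if hist is None or hist.dropped is None or hist.dropped > today:
            continue
        if link.expires is None or link.expires >= hist.dropped:
            outlived.append(link)
    if not outlived:
        return 0.0
    return sum(1 for l in outlived if l.revoked) / len(outlived)


TODAY = date(2025, 6, 1)

# Constructed lifecycles: example.com never lapsed; example.net died in DNS and
# sits unregistered; example.org lapsed and was then registered by a new party.
HISTORY = {
    "example.com": DomainHistory(),
    "example.net": DomainHistory(dropped=date(2024, 9, 1)),
    "example.org": DomainHistory(dropped=date(2024, 3, 15), reregistered=date(2024, 5, 20)),
}

# Constructed records across the three systems the article covers.
LINKAGES = [
    Linkage("pki", "www.example.com", "example.com", date(2025, 1, 10), date(2026, 1, 10)),
    Linkage("pki", "example.net", "example.net", date(2024, 6, 1), date(2025, 6, 1)),
    Linkage("pki", "example.org", "example.org", date(2024, 1, 1), date(2025, 1, 1)),
    Linkage("pki", "example.org", "example.org", date(2024, 2, 1), date(2025, 8, 1), revoked=True),
    Linkage("maven", "org.example", groupid_to_domain("org.example"), date(2022, 5, 1), None),
    Linkage("ens", "example.net", "example.net", date(2023, 3, 1), None),
]

if __name__ == "__main__":
    for link in LINKAGES:
        hist = HISTORY.get(link.domain, DomainHistory())
        print(f"{link.system:5} {link.subject:16} {classify(link, hist, TODAY):20} "
              f"valid-after-loss={zombie_window_days(link, hist)}")
    print(audit(LINKAGES, HISTORY, TODAY))
    print(f"revoked among records that outlived their domain: {revoked_share(LINKAGES, HISTORY, TODAY):.0%}")
```

Run against a real inventory, the inputs would come from certificate transparency or the local certificate store (notAfter, revocation status), from the repository's namespace records, and from registrar or zone data for the drop and re-registration dates; the classification logic itself does not change. The Maven and ENS records come back with a window of None, which is the point the article makes: with no expiry of their own, those records stay trusted until someone notices.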
The researchers emphasize that the root cause is treating a DNS name as a durable proof of identity without any mechanism to revoke or clean up the records that depend on it when the name changes hands. As organizations build more of their security posture on such systems, these "zombie" records expose a gap in how digital trust is managed across the internet. The findings point to a need for tighter coupling between domain registration lifecycles and the services that rely on domain-based identity verification: at minimum, revoking or re-verifying records when the domain they depend on expires or is transferred.