DNS record will help prevent unauthorized SSL certificates

Certificate authorities will be required to honor a new DNS record that specifies who is authorized to issue certificates for a domain

In a few months, publicly trusted certificate authorities will have to start honoring a special Domain Name System (DNS) record that allows domain owners to specify who is allowed to issue SSL certificates for their domains.

The Certification Authority Authorization (CAA) DNS record became a standard in 2013 but didn't have much of a real-world impact because certificate authorities (CAs) were under no obligation to conform to them.

The record allows a domain owner to list the CAs that are allowed to issue SSL/TLS certificates for that domain. The reason for this is to limit cases of unauthorized certificate issuance, which can be accidental or intentional, if a CA is compromised or has a rogue employee.

Under existing industry rules created by the CA/Browser Forum, an organization that combines major browser vendors and CAs, certificate authorities must validate that requests for SSL certificates originate from domain owners themselves or from someone in control of those domains.

This ownership verification is typically automated and involves asking the domain owner to create a DNS TXT record with a specific value or to upload authorization codes at a specific location in their site's structure, thus proving their control over the domain.

However, hacking into a website could also give an attacker the ability to pass such verifications and request a valid certificate for the compromised domain from any certificate authority. Such a certificate could later be used to launch man-in-the-middle attacks against users or to direct them to phishing pages.

The goal behind the CAA record is to limit who can issue certificates for a domain. For example, Google's CAA record is: google.com 86400 IN CAA 0 issue "symantec.com." This means that Google specifically authorizes Symantec to issue certificates for its main domain name.

In March, the CA/B Forum voted to make CAA record checking mandatory as part of the certificate issuing process. This requirement will go into effect on Sept. 8, and CAs that will fail to honor these records will be in violation of industry rules and will risk sanctions.

In addition to the "issue" tag, the CAA record also supports a tag called "iodef" that will also be mandatory for CAs to comply with. This tag allows the domain owner to specify an email address or a URL where CAs can report certificate issuing requests that conflict with the domain's CAA policy.

For example, if one CA receives a request for a certificate for domain X, but domain X has a CAA record that authorizes a different CA to issue certificates, the first CAmust report the suspicious request to the email address or the URL specified in the CAA iodef property. This will alert the domain owner that someone else might be trying to obtain a certificate without authorization.

"CAA is not a silver bullet, but it is another layer in our defense," Scott Helme, a security researcher and HTTPS deployment expert, said in a blog post. "We don't have to worry about vendor lock because the record is only checked at the point of issuance, and it couldn't be simpler to setup. There's really nothing to lose."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Father’s Day Gift Guide

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?