CAA DNS Resource Record Made Mandatory to Curb SSL Certificate Misissuances

May 13, 2017 | By  

In March 2017, the CA/Browser Forum voted to make Certificate Authority Authorization (CAA) mandatory. CAA is a Domain Name System (DNS) resource record intended to prevent unauthorized issuance of SSL certificates: it lets domain owners restrict which Certificate Authorities (CAs) may issue SSL certificates for their domain. This is a significant move, as it will help stem the spate of SSL certificate misissuances by some certificate authorities.

In Ballot 187 at the CA/Browser Forum, 94% of voting CAs and 100% of voting browsers voted in favor of making CAA mandatory. CAA is defined by the Internet Engineering Task Force (IETF) in RFC 6844 and was approved for publication by the Internet Engineering Steering Group (IESG). Though the CAA record became a standard in 2013, it was not mandatory. Now that the ballot has passed, trusted CAs will have to honor this record from September 2017 or face sanctions.

Domain owners can now list the CAs authorized to issue SSL certificates for their domain. This will speed up detection of certificate misissuance by unauthorized or compromised CAs. There have been cases of rogue employees issuing rogue SSL certificates. This has caused major security issues, as SSL certificates are entities signifying trust. Misissued SSL certificates erode users' and website visitors' trust in SSL certificates and in the websites that use them.

This also affects the reputation of CAs that diligently follow the Baseline Requirements for certificate issuance specified by the CA/Browser Forum; some certificate authorities follow issuance rules even more stringent than the Forum requires. The aim is to make the internet a safer place: giving users the confidence that they are visiting the website they actually intend to visit is necessary for the continued success of the Internet.

Under present rules, certificate authorities must validate any request for an SSL certificate with the domain's controller or owner. For domain-validated certificates, the verification process is automated and requires the domain controller to prove control over the domain. The authentication measures used in this process are quite simple, and if a cybercriminal has already been able to hack into a website, satisfying the domain validation requirements would be easy. The acquired SSL certificate is a potent weapon in the hands of hackers, who can use it for “phishing page redirect” attacks and for MitM (man-in-the-middle) attacks.

The CAA record carries two tags: an “issue” tag and an “iodef” tag. Through the “issue” tag, the domain owner specifies the CA authorized to issue SSL certificates for their domain name. The “iodef” tag specifies an email address to which CAs must report suspicious certificate requests, i.e. requests they receive for domains whose CAA record authorizes some other CA.
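To make the mechanics concrete, here is an offline model of the check a CA performs before issuing. This is an added example, not code from the original post or from any CA: it applies the lookup and decision rules of RFC 6844 (tree-climbing lookup, the "issue" and "iodef" tags the post describes, plus the RFC's "issuewild" tag and the issuer-critical flag) to a constructed in-memory zone instead of live DNS, so it runs without network access. All domain and CA names (example.com, ca-one.example, rogue-ca.example, and so on) are made up, and CNAME/DNAME following from the RFC is omitted.

```python
"""Offline model of the CAA check a CA performs before issuing a certificate.

Added example (not code from the original post). It applies the lookup and
decision rules of RFC 6844 to a constructed in-memory zone instead of live
DNS; the domain and CA names are made up. CNAME/DNAME following is omitted.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # bit 7 of the CAA flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int  # 0, or ISSUER_CRITICAL
    tag: str    # "issue", "issuewild", "iodef", or an unknown future tag
    value: str  # issuer domain plus optional "; key=value" parameters, or ";" alone


# Constructed zone (assumption, not real DNS). Equivalent zone-file lines look like:
#   example.com.  IN CAA 0 issue "ca-one.example"
#   example.com.  IN CAA 0 iodef "mailto:security@example.com"
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issue", "ca-two.example ; account=12345"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # ";" as the issuer means "no CA may issue" for this name.
    "locked.example.com": [CAARecord(0, "issue", ";")],
    # Ordinary certs allowed from ca-one, wildcard certs forbidden for everyone.
    "wild.example.com": [
        CAARecord(0, "issue", "ca-one.example"),
        CAARecord(0, "issuewild", ";"),
    ],
    # A critical record carrying a tag this CA does not understand.
    "strict.example.com": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
}


def lookup_caa(domain, zone=ZONE):
    """RFC 6844 lookup: climb toward the root; the first name with CAA records wins."""
    labels = domain.rstrip(".").split(".")
    while labels:
        name = ".".join(labels)
        rrset = zone.get(name)
        if rrset:
            return name, list(rrset)
        labels = labels[1:]
    return None, []


def parse_value(value):
    """Split 'ca.example ; k=v ; k2=v2' into (issuer domain, parameter dict)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return parts[0], params


def may_issue(domain, ca_identifier, wildcard=False, zone=ZONE):
    """Return (allowed, reason). ca_identifier is the domain the CA publishes as its CAA identity."""
    found_at, records = lookup_caa(domain, zone)
    if not records:
        return True, "no CAA records at any level; issuance is not restricted"
    # A critical record whose tag the CA does not understand must block issuance.
    known = {"issue", "issuewild", "iodef"}
    for r in records:
        if r.flags & ISSUER_CRITICAL and r.tag not in known:
            return False, f"critical unknown tag '{r.tag}' at {found_at}"
    # Wildcard requests use "issuewild" when present, otherwise fall back to "issue".
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True, f"no '{tag}' records at {found_at}; issuance is not restricted"
    for r in relevant:
        issuer, params = parse_value(r.value)
        if issuer == ca_identifier:
            return True, f"'{tag} {r.value}' at {found_at} authorizes {ca_identifier} {params}"
    return False, f"{ca_identifier} is not listed in the '{tag}' records at {found_at}"


def iodef_targets(domain, zone=ZONE):
    """Where to report a request that CAA did not permit (the "iodef" tag)."""
    _, records = lookup_caa(domain, zone)
    return [r.value for r in records if r.tag == "iodef"]


if __name__ == "__main__":
    for dom, ca, wc in [("www.example.com", "ca-one.example", False),
                        ("www.example.com", "rogue-ca.example", False),
                        ("wild.example.com", "ca-one.example", True)]:
        ok, why = may_issue(dom, ca, wildcard=wc)
        print(f"{'ALLOW' if ok else 'DENY ':5} {ca:18} {'*.' if wc else ''}{dom}: {why}")
        if not ok:
            print("       report to:", iodef_targets(dom))
```

The two behaviours worth noticing are the tree climb (a request for www.example.com is governed by the records at example.com when the subdomain has none) and the fail-closed handling of a critical record the CA cannot interpret; a domain with no CAA records anywhere in its ancestry remains unrestricted, which is why publishing the record at all is what gives it teeth.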

This warns the domain owner of attempts by fraudulent entities to acquire SSL certificates for their domain.

Posted in SSL,SSL Certificate,SSL Security
