ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    DNS record will help prevent unauthorized SSL certificates

    IT Discussion
    dns ssl
    4
    4
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • AmbarishrhA
      Ambarishrh
      last edited by

      DNS record will help prevent unauthorized SSL certificates. Starting in September, certificate authorities will be required to honor a new DNS record that specifies who is authorized to issue certificates for a domain.

      In a few months, publicly trusted certificate authorities will have to start honoring a special Domain Name System (DNS) record that allows domain owners to specify who is allowed to issue SSL certificates for their domains.

      The Certification Authority Authorization (CAA) DNS record became a standard in 2013 but didn't have much of a real-world impact because certificate authorities (CAs) were under no obligation to conform to them.

      The record allows a domain owner to list the CAs that are allowed to issue SSL/TLS certificates for that domain. The reason for this is to limit cases of unauthorized certificate issuance, which can be accidental or intentional, if a CA is compromised or has a rogue employee.

      Under existing industry rules created by the CA/Browser Forum, an organization that combines major browser vendors and CAs, certificate authorities must validate that requests for SSL certificates originate from domain owners themselves or from someone in control of those domains.

      This ownership verification is typically automated and involves asking the domain owner to create a DNS TXT record with a specific value or to upload authorization codes at a specific location in their site's structure, thus proving their control over the domain.

      However, hacking into a website could also give an attacker the ability to pass such verifications and request a valid certificate for the compromised domain from any certificate authority. Such a certificate could later be used to launch man-in-the-middle attacks against users or to direct them to phishing pages.

      http://www.infoworld.com/article/3188977/encryption/dns-record-will-help-prevent-unauthorized-ssl-certificates.html

      travisdh1T 1 Reply Last reply Reply Quote 5
      • travisdh1T
        travisdh1 @Ambarishrh
        last edited by

        I saw this yesterday. I'm hoping CloudFlare adds support for it soon, even tho it will be difficult for them to get it working properly with their service.

        1 Reply Last reply Reply Quote 0
        • StrongBadS
          StrongBad
          last edited by

          Not a bad idea, I guess. There is some security concern there. I would wonder how often this is really an issue. Is this common? Or just proactive?

          dafyreD 1 Reply Last reply Reply Quote 0
          • dafyreD
            dafyre @StrongBad
            last edited by

            @StrongBad said in DNS record will help prevent unauthorized SSL certificates:

            Not a bad idea, I guess. There is some security concern there. I would wonder how often this is really an issue. Is this common? Or just proactive?

            I'm thinking a bit of both.

            1 Reply Last reply Reply Quote 1
            • 1 / 1
            • First post
              Last post