A DNS record will help eliminate unauthorized SSL certificates


With the introduction of SSL and later TLS, web browsing has become steadily more secure: a certificate lets the browser verify that the site it is connecting to is really the one it claims to be, so the information we hand over to that site is protected in transit. More and more pages are served over HTTPS, and making that ecosystem harder to abuse remains a prime task.

Certificates in a DNS Record

To that end, the Certification Authority Authorization (CAA) DNS record was standardized in 2013 (RFC 6844), but it had little impact at first because CAs were not required to honor it. This record lets a domain owner publish the list of CAs that are allowed to issue SSL/TLS certificates for the domain. Checking it prevents many cases of unauthorized issuance, whether caused by an accident at the CA or by a rogue insider.

Under the current industry rules set by the CA/Browser Forum, CAs must validate that a request for an SSL certificate comes from the domain owner or from someone who controls the domain. This check is usually automated: the applicant publishes a specific DNS record, uploads a text file to the domain's web server, or uses an authorization code to demonstrate that they really control the domain.

The problem with these validation methods is that an attacker who takes over a website (or its DNS) can pose as the legitimate owner of the domain and obtain a certificate from any CA. That certificate can then be used for man-in-the-middle attacks or to redirect users to phishing pages that steal their data.

Fighting unauthorized certificates

To limit this, the CAA record restricts which CAs may issue certificates for a domain. For example, a CAA record on Google's primary domain naming Symantec means that Google authorizes Symantec to issue certificates for that domain.

In March 2017 the CA/Browser Forum approved making CAA checking mandatory as of September 8, 2017; a CA that does not comply will be violating the industry's Baseline Requirements and risks sanctions. In addition, domain owners can publish an e-mail address or a URL (the iodef property) where a CA can report issuance requests that violate the CAA policy.

For example, if a CA receives a request for a domain whose CAA record authorizes a different CA, the first CA must refuse to issue and can report the suspicious request to that address. The alert reaches the domain owner, who learns that someone tried to obtain a certificate without their authorization. This is not a definitive end to unauthorized certificates, but it does add a new layer of defense against them.
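The decision a CA has to make before issuing, as an added example that is not code from the article or from any CA: walk the DNS tree from the requested name toward the root until a CAA RRset is found, then apply the issue/issuewild rules to the requesting CA's identifier and, on refusal, hand back the iodef contact to report to. The zone below is constructed for the demo and stands in for real DNS lookups (a production CA would resolve the records, ideally with DNSSEC), and the CA identifiers ca-one.example and ca-two.example are hypothetical.

```python
"""CAA policy evaluation (RFC 8659, formerly RFC 6844) for a certificate request.

Added example, not code from the original article. The zone data below is
constructed for the demo; "ca-one.example" and "ca-two.example" are
hypothetical CA identifiers.
"""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit in the CAA flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 or CRITICAL
    tag: str     # "issue", "issuewild", "iodef", or an unknown property
    value: str   # e.g. 'ca-one.example; account=42', ';', 'mailto:...'


# Constructed zone: name -> CAA RRset. An empty list means the name exists
# but publishes no CAA records, so the lookup climbs to the parent.
ZONE = {
    "example.com": [
        CAA(0, "issue", "ca-one.example; account=42"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [CAA(0, "issuewild", "ca-two.example")],
    "nocaa.example.com": [],
    "locked.example.com": [CAA(0, "issue", ";")],             # nobody may issue
    "legacy.example.com": [CAA(CRITICAL, "futureprop", "x")],  # unknown, critical
}


def relevant_rrset(name):
    """Return (owner, rrset) for the first non-empty CAA RRset found while
    walking from `name` toward the root, or (None, []) if there is none."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = ZONE.get(owner, [])
        if rrset:
            return owner, rrset
    return None, []


def issuer_of(value):
    """Extract the CA identifier from an issue/issuewild value; '' for ';'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca_id):
    """Decide whether the CA identified by `ca_id` may issue for `name`.

    Returns (allowed, reason, iodef_targets). `name` may be a wildcard
    ("*.shop.example.com"); the lookup then starts at the label after "*."."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    owner, rrset = relevant_rrset(base)
    iodef = [r.value for r in rrset if r.tag == "iodef"]

    if not rrset:
        return True, "no CAA records in the tree; issuance unrestricted", iodef

    # An unknown property flagged critical forbids issuance outright.
    for r in rrset:
        if r.tag not in KNOWN_TAGS and r.flags & CRITICAL:
            return False, f"unknown critical property '{r.tag}' at {owner}", iodef

    # Wildcard requests: issuewild takes precedence, falling back to issue.
    # Non-wildcard requests: only issue records matter.
    if wildcard:
        relevant = ([r for r in rrset if r.tag == "issuewild"]
                    or [r for r in rrset if r.tag == "issue"])
    else:
        relevant = [r for r in rrset if r.tag == "issue"]

    if not relevant:
        return True, f"CAA at {owner} does not restrict this request", iodef

    allowed = {issuer_of(r.value) for r in relevant} - {""}
    if ca_id.lower() in allowed:
        return True, f"{ca_id} is authorized by CAA at {owner}", iodef
    return False, f"{ca_id} not in {sorted(allowed) or 'the empty set'} at {owner}", iodef


if __name__ == "__main__":
    for req, ca in [("www.example.com", "ca-one.example"),
                    ("www.example.com", "ca-two.example"),
                    ("*.shop.example.com", "ca-two.example"),
                    ("locked.example.com", "ca-one.example"),
                    ("legacy.example.com", "ca-one.example")]:
        ok, why, report_to = may_issue(req, ca)
        line = f"{req:22} {ca:15} {'ISSUE' if ok else 'REFUSE':7} {why}"
        if not ok and report_to:
            line += f"  (report to {report_to})"
        print(line)
```

The second request in the demo is the case the paragraph describes: ca-two.example asks for www.example.com, the relevant RRset (inherited from example.com) only authorizes ca-one.example, so the CA refuses and gets back mailto:security@example.com as the place to report the attempt. Note that a name whose RRset carries only issuewild (shop.example.com here) leaves ordinary, non-wildcard issuance unrestricted; owners who want to lock both must publish both properties.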
