CAA Checking Will Become Mandatory Later This Year
Certificate Authority Authorization Protects Domain Owners From Mis-Issuance.
Starting soon, new rules will make CAA checking mandatory.
Certificate Authority Authorization (CAA) is an optional security measure that website operators can use to protect their domain from mis-issuance. It allows domain owners to specify which Certificate Authorities (CAs) are allowed to issue certificates for their websites.
CAA is configured as a DNS record. Domain owners who want to use CAA create a record with a list of the CAs that may issue certificates for them.
When a CA receives a certificate request, it checks the domain’s CAA record to see whether it is an approved issuer. It must refuse to issue the certificate if it is not a listed CA. If a domain does not have a CAA record, then any CA is free to issue a certificate.
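To make the check concrete, here is an added example (not code from the article or from any CA) of the decision a CA makes before issuing, modelled on the CAA rules in RFC 6844: starting at the requested name, walk up toward the root until a CAA record set is found, then compare the requesting CA against the `issue` (or, for wildcard requests, `issuewild`) entries. The zone data, domain names and CA identifiers below are constructed for illustration; a real CA would obtain the records from DNS.

```python
"""CAA issuance check in the style of RFC 6844 (constructed example, not CA code)."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # CAA flags byte: bit 7 set means "issuer-critical"


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data for the example; these are not real DNS records.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),      # only this CA may issue
        CAARecord(0, "issuewild", ";"),                 # nobody may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),  # where to report violations
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],      # no CA at all
    "odd.example.com": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],  # unknown critical tag
}


def relevant_caa(name, zone):
    """Return (origin, records) for the closest name at or above `name` that has CAA records.

    RFC 6844 section 4: a CA climbs from the requested name toward the root and
    uses the first CAA record set it encounters. A missing set at every level
    means issuance is unrestricted.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = zone.get(candidate)
        if records:
            return candidate, records
    return None, []


def issuer_domain(value):
    """Extract the issuer domain from an issue/issuewild value ("ca.example; key=val")."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca, zone, wildcard=False):
    """Decide whether `ca` may issue for `name`; returns (allowed, reason)."""
    origin, records = relevant_caa(name, zone)
    if not records:
        return True, "no CAA record set found at any level; any CA may issue"

    # A CA that does not understand a critical property must refuse to issue.
    known = {"issue", "issuewild", "iodef"}
    for r in records:
        if r.tag.lower() not in known and r.flags & ISSUER_CRITICAL:
            return False, f"unrecognised issuer-critical tag {r.tag!r} at {origin}"

    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"

    issuers = [issuer_domain(r.value) for r in records if r.tag.lower() == tag]
    if not issuers:
        # Only iodef (reporting) properties present: issuance is not restricted.
        return True, f"no {tag} property at {origin}; issuance unrestricted"
    if ca.lower() in issuers:
        return True, f"{ca} is listed in {tag} at {origin}"
    return False, f"{ca} is not listed in {tag} at {origin} (listed: {issuers})"


if __name__ == "__main__":
    checks = [
        ("www.example.com", "letsencrypt.org", False),
        ("www.example.com", "digicert.com", False),
        ("*.example.com", "letsencrypt.org", True),
        ("locked.example.com", "letsencrypt.org", False),
        ("odd.example.com", "letsencrypt.org", False),
        ("unrelated.test", "digicert.com", False),
    ]
    for name, ca, wild in checks:
        allowed, why = may_issue(name, ca, ZONE, wildcard=wild)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name:22} {ca:16} {why}")
```

The `issue ";"` form is the part worth noting from a domain owner's side: an empty issuer list is not the same as no record, it forbids every CA, which is useful for subdomains that should never receive a certificate. Adding an `iodef` entry gives CAs an address to report requests they had to refuse, so the owner sees attempted mis-issuance rather than just silently being protected from it.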
Starting September 8th, all CAs will be required to check and obey a domain’s CAA records. The CAB Forum approved this measure last month.
Why Make CAA Checking Mandatory?
One of the criticisms of the CA system is that any single CA has the ability to impact the security of the entire internet. Browsers ship around 100 root certificates – including roots owned by governments and obscure regional CAs.
Any one of these CAs could issue a certificate for your domain, and historically, smaller and less well-known CAs have been targets for hackers, or guilty of issuing certificates without proper validation.
While other measures – like Certificate Transparency and Name Constraints – now exist to rein in the power of these roots, CAA provides another line of defense to domain owners.
Currently, there are only a few hundred websites in the whole world using CAA (SSL Pulse has started tracking CAA deployment and reports 250 sites are using it). Adoption has been slowed by two obstacles:
- Prior to this ballot, CAA checking was optional, and therefore, not a real security measure. Sort of like writing “please do not steal” on the side of your car.
- CAA uses its own type of DNS record, which requires the DNS provider to add support for it.
With CAA checking now mandatory, that first obstacle has been taken care of. This should create significantly more interest from users to deploy CAA, and more incentive for providers to support it.