Website owners urged to adopt new HTTPS certificate checking options

Certificate authorities and browser makers vote to make new certification checks mandatory

For a few years now the CA/Browser Forum, a voluntary group of certification authorities (CAs), browser vendors and software vendors that use SSL/TLS encryption, has been endorsing Certificate Authority Authorization (CAA), an extra set of fields that can be added to DNS records, which was originally recommended by the Internet Engineering Task Force (IETF) in 2013. It has now voted for CAs to be forced to check for CAA before issuing a certificate.

Digital certificates provide independent verification of the authenticity and ownership of a domain in order to prevent attackers from impersonating a supposedly secure website. However, they rely upon the competence and honesty of third-party certificate authorities. A series of recent events showing poor practice, including by Symantec, one of the largest providers, has rattled the industry.

Last month the Forum voted to make these changes mandatory. This means that prior to issuing an HTTPS certificate, CAs will be required to check the CAA to determine whether the request for a certificate is valid.

Seventeen out of 19 CAs as well as all three browser vendors represented (Mozilla, Apple and Google) voted to make checking for the new fields mandatory by 8th September 2017.

"The intent of this motion is to make it mandatory for CAs to check CAA records at issuance time for all certificates issued (except in a few special cases), and to prevent issuance if a CAA record is found which does not permit issuance by that CA," notes the CA/Browser Forum website.

"This therefore allows domain owners to set an issuance policy which will be respected by all publicly-trusted CAs, and allows them to mitigate the problem that the public CA trust system is only as strong as its weakest CA."

CAA provides a number of options that allow the site owner to improve security, preventing HTTPS certificates from being issued by untrustworthy or potentially fraudulent CAs. The new checks are in addition to the current domain name verification process.

Domain owners are not obliged to set the new fields in their DNS records, but they are advised to do so in order to add an extra level of protection against anyone who might seek to impersonate their servers.

The extra fields include restricting the CAs that can grant a certificate.

some-domain.com.  IN  CAA  0 issue "comodo.com"

In this example only Comodo may issue a certificate.

some-domain.com. IN  CAA  0 issuewild ";"

Here no CA can issue a wildcard certificate: issuewild governs wildcard issuance, and ";" denotes an empty set of permitted issuers.

some-domain.com. IN  CAA  0 iodef mailto:[email protected]

And in the third example, if someone who is not the domain owner tries to request an HTTPS certificate, the website owner will be sent an email alert. The full range of controls available is set out in IETF RFC 6844.
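To show how a CA is expected to evaluate the three record types above, here is an added example (not code from the article or from any CA) that applies the RFC 6844 lookup and decision rules to constructed, in-memory DNS data instead of live DNS: it climbs from the requested name to its parents until it finds a CAA record set, refuses issuance on an unrecognised property flagged critical, uses the issuewild set for wildcard names (falling back to issue when none is present), treats ";" as an empty issuer set, and collects the iodef contact. The zone data, the domain names and the mailto address are all constructed placeholders.

```python
"""Evaluate CAA policy with RFC 6844 semantics against constructed records.

Added example, not from the article. The ZONE dict stands in for real DNS
lookups so the code runs offline; CNAME/alias handling is omitted.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128            # bit 7 of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or 128 (issuer critical)
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "comodo.com", ";", "mailto:..."


# Constructed zone data, keyed by owner name without the trailing dot.
ZONE = {
    "some-domain.com": [
        CAARecord(0, "issue", "comodo.com"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@some-domain.example"),  # placeholder
    ],
    # A record set carrying an unknown property marked critical.
    "strict.example": [
        CAARecord(ISSUER_CRITICAL, "futuretag", "whatever"),
    ],
}


def relevant_records(name):
    """Climb from `name` towards the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Strip optional ';'-separated parameters; ';' alone yields ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca_domain):
    """Return True if `ca_domain` is permitted to issue for `fqdn`."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    records = relevant_records(name)
    if not records:
        return True                     # no CAA anywhere: unrestricted
    # An unknown property with the critical flag set forbids issuance.
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS
           for r in records):
        return False
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    applicable = (issuewild or issue) if wildcard else issue
    if not applicable:
        return True                     # no applicable property: unrestricted
    allowed = {issuer_domain(r.value) for r in applicable}
    allowed.discard("")                 # ";" contributes no permitted issuer
    return ca_domain.lower() in allowed


def report_addresses(fqdn):
    """Where a CA should report a request that CAA does not permit."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    return [r.value for r in relevant_records(name) if r.tag.lower() == "iodef"]


if __name__ == "__main__":
    for req, ca in [("www.some-domain.com", "comodo.com"),
                    ("www.some-domain.com", "digicert.com"),
                    ("*.some-domain.com", "comodo.com"),
                    ("strict.example", "comodo.com"),
                    ("unrelated.example", "comodo.com")]:
        print(f"{ca:12} -> {req:22} permitted={may_issue(req, ca)}")
    print("report to:", report_addresses("www.some-domain.com"))
```

Note that the subdomain `www.some-domain.com` inherits the parent's policy because the lookup climbs until it finds a record set; a CA that stopped at the exact name and found nothing would wrongly treat the request as unrestricted.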

The move to tighten up HTTPS security comes after Symantec, one of the largest CAs in the world, was accused for the second time in two years of wrongly issuing a series of digital certificates. It was found that a number of Symantec-sourced certificates had not been authorised by ICANN, while another batch appeared to be "test" certificates that probably covered domains owned by cyber squatters.

Symantec was one of the CAs that voted for CAA checking to become mandatory.

Other examples of poor issuance practice include StartCom's StartEncrypt tool which was found to enable attackers to obtain SSL certificates for domains they didn't own, and LetsEncrypt certificates being issued to PayPal phishing sites.
