HTTPS lock

Last week, the CA/Browser Forum voted to implement CAA mandatory checks before the issuance of new SSL/TLS certificates, as a measure to prevent the misissuance of HTTPS certificates.

According to CA/Browser Forum ballot 187, 100% of all browser makers and 94% of all certificate authorities voted to implement CAA mandatory checks starting September 8, 2017.

CAA stands for Certificate Authority Authorization and is a new extra field that can be added to DNS records, as approved by the Internet Engineering Task Force (IETF) via RFC 6844.

CAA records are the best thing since sliced bread

According to the new CAA checking procedure approved by the CA/Browser Forum, the organization that oversees HTTPS certificate issuance operations, certificate authorities (CAs) must check the CAA field in the DNS record for the domain for which a customer asks a new certificate for.

Domain owners can leave instructions in the CAA field to prevent rogue actors from requesting SSL/TLS certificates in their domains. For example:

bleepingcomputer.com. CAA 0 issue "comodo.com"

This CAA field tells a certificate authority that only Comodo can issue certificates for this particular domain. An unauthorized third party trying to register a obtain an SSL/TLS certificate for the bleepingcomputer.com domain via Symantec or Let's Encrypt will be denied.

CAA fields can be used as alerts

Multiple CAA fields can be added to a domain's DNS record. For example, the following CAA field tells the CA to send an email to the website owner's address if a third-party tries to request a certificate for a domain which he's not authorized.

bleepingcomputer.com. CAA 0 iodef "mailto:contact@bleepingcomputer.com"

The email stands as warning that someone is trying to request HTTPS certificates for a site that he doesn't own and that the website owner should start an investigation and look into the matter.

The iodef property also supports URL endpoints, which could log attempts to register HTTPS certs at other CAs.

bleepingcomputer.com. CAA 0 iodef "http://bleepingcomputer.com/fraud-log/"

If a site uses multiple subdomains, CAA records can also limit bad actors from requesting HTTPS certificates for any of them.

downloads.bleepingcomputer.com. CAA 0 issue "comodo.com"
news.bleepingcomputer.com. CAA 0 issue "symantec.com"
forum.bleepingcomputer.com. CAA 0 issue "letsencrypt.org"

Additionally, even if using wildcard certificates is considered bad practice, CAA records can be used to limit the issuance of these certificates only to one CA, in this case, Comodo.

bleepingcomputer.com. CAA 0 issuewild "comodo.com"

No CAA field means a free-for-all

The CA/Browser forum ballot 187 forces Certificate Authorities to verify CAA DNS records before issuing a new HTTPS certificate, but does not force domain owners to create them.

If a website owner doesn't include CAA details with his site's DNS records, this tells CAs that any of them can issue certificates.

As such, it is recommended that website owners add CAA entries to their DNS records before September 8, when CAA checking becomes mandatory, as this will surely stop bad actors from getting their hands on HTTPS certificates he can use to impersonate your site.