Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday September 13 2017, @12:06PM   Printer-friendly
from the oh-did-that-start-today? dept.

Submitted via IRC for SoyCow1937

One day after the CAA (Certificate Authority Authorization) standard became obligatory on September 8, a German security researcher caught Comodo breaking the rules and issuing an SSL certificate it was not supposed to issue.

CAA allows website owners to specify what Certificate Authorities (CAs) are allowed to issue certificates in their name. Site owners can set up a CAA rule for their domain by adding a text field in DNS entries such as the one below:

bleepingcomputer.com. CAA 0 issue "symantec.com"

This small rule tells any Certificate Authority that only Symantec can issue SSL certificates for the BleepingComputer.com domain.

According to the rules of the CAA standard approved by the CA/Browser Forum in Ballot 187, this April, Certificate Authorities such as Comodo have to check a CAA field in DNS records before issuing new SSL certificates.

On Monday, German security researcher Hanno Böck shared with the infosec community that he managed to obtain an SSL certificate from Comodo — now revoked — for his own website, even if the CAA field limited SSL issuance only to Let's Encrypt.

Source: https://www.bleepingcomputer.com/news/security/comodo-caught-breaking-new-caa-standard-one-day-after-it-went-into-effect/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Wednesday September 13 2017, @03:00PM (2 children)

    by Anonymous Coward on Wednesday September 13 2017, @03:00PM (#567239)

    I use RFC 7168, you insensitive clod!

  • (Score: 2) by Thexalon on Wednesday September 13 2017, @06:43PM (1 child)

    by Thexalon (636) on Wednesday September 13 2017, @06:43PM (#567378)

    Nah, RFC 1149 [ietf.org] and its upgrades with QoS (RFC 2549 [ietf.org]) and IPv6 (RFC 6214 [ietf.org]) are better options. Very high bandwidth if you use it properly.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 0) by Anonymous Coward on Wednesday September 13 2017, @07:20PM

      by Anonymous Coward on Wednesday September 13 2017, @07:20PM (#567403)

      Um, no, those RFCs do not allow high bandwidth:

      Avian carriers can provide high delay, low throughput, and low
            altitude service.

      ....
      The IP datagram is printed, on a small scroll of paper, in
            hexadecimal, with each octet separated by whitestuff and blackstuff.
            The scroll of paper is wrapped around one leg of the avian carrier.

      using something like an SD card violates RFC 1149.