Submitted via IRC for SoyCow1937
One day after the CAA (Certificate Authority Authorization) standard became obligatory on September 8, a German security researcher caught Comodo breaking the rules and issuing an SSL certificate it was not supposed to issue.
CAA allows website owners to specify what Certificate Authorities (CAs) are allowed to issue certificates in their name. Site owners can set up a CAA rule for their domain by adding a text field in DNS entries such as the one below:
bleepingcomputer.com. CAA 0 issue "symantec.com"
This small rule tells any Certificate Authority that only Symantec can issue SSL certificates for the BleepingComputer.com domain.
According to the rules of the CAA standard approved by the CA/Browser Forum in Ballot 187, this April, Certificate Authorities such as Comodo have to check a CAA field in DNS records before issuing new SSL certificates.
On Monday, German security researcher Hanno Böck shared with the infosec community that he managed to obtain an SSL certificate from Comodo — now revoked — for his own website, even if the CAA field limited SSL issuance only to Let's Encrypt.
(Score: 2) by Pino P on Wednesday September 13 2017, @03:45PM
DNSSEC was supposed to solve this by adding a chain of trust beginning at the root servers. DNSSEC enables DANE, a way of putting a public key in DNS that causes a browser to treat a self-signed certificate as domain-validated.
But DNSSEC failed to gain wide support for a couple reasons. First, the root zone signing key was 1024-bit until about a year ago [verisign.com], which wasn't strong enough for browser publishers. Second, some DNS hosting providers started to charge extra for DNSSEC. GoDaddy bundles basic DNS hosting with a domain, but DNSSEC requires the "Premium DNS" upsell.