You probably have an SSL certificate for your domain (or certificates, or domains, or both!). After all, since Let’s Encrypt’s arrival on the SSL scene a few years ago, it is easier than ever to obtain an SSL certificate that allows secure communication between your server and your users.

Of course, protecting the communication is not the only advantage of an SSL certificate. Certificates also play a major role in proving the authenticity of the websites they cover.

In this regard, Let’s Encrypt plays the role of a Certificate Authority (CA) and signs every certificate it grants to its users. This way, when you visit a website and want to make sure you’re not being spoofed, you can look at the signature on the certificate that site presents. If that signature does not come from a valid, trusted CA, you can infer that something is wrong with the certificate.

The principle is that you can trust the certificate authority because no one but the CA has access to the private key behind its own certificate, so no one else can produce a certificate carrying its stamp of approval. Nowadays, most browsers and OSes ship with a list of the major trusted CAs, so you don’t have to do the verification yourself, which helps you browse the web a bit more safely.

However, in recent years another way to reinforce that identity through certificates has been developed: the DNS Certification Authority Authorization (CAA) mechanism. With DNS CAA, you specify explicitly which CAs are allowed to issue certificates for your website, directly in your domain’s DNS records!

By doing so, you can allow or disallow specific CAs for your domains, reducing the chances that someone will use one of them to forge a certificate and redirect your users to a server they control. CAA records are intended for CAs to read, not end users, but since you know that CAs have to respect CAA records when issuing new certificates, you can be a bit more confident that the certificates you see are genuinely authentic and valid, which heightens the trust you can place in the CA system.
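To show what a CA actually does with these records, here is an added example (not code from the article) that models the RFC 8659 CAA lookup and evaluation: it climbs from the requested name toward the root to find the relevant CAA record set, then applies the issue/issuewild tags and the critical flag. The zone contents, names and CA domains are constructed for illustration.

```python
# Added example: minimal model of a CA's CAA check (RFC 8659). Zone data is constructed.
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")

# Constructed zone: owner name -> list of CAA records (flags, tag, value).
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [CAA(0, "issue", ";")],              # ";" alone: nobody may issue
    "wild.example.com": [CAA(0, "issue", "letsencrypt.org"),
                         CAA(0, "issuewild", "digicert.com")],
    "locked.example.com": [CAA(128, "futuretag", "x")],      # unknown tag, critical bit set
}

def relevant_rrset(name):
    """Climb from `name` toward the root; return the first non-empty CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(requested_name, ca_domain):
    """Return True if `ca_domain` is authorised to issue a certificate for `requested_name`."""
    is_wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if is_wildcard else requested_name
    rrset = relevant_rrset(base)
    if not rrset:
        return True                     # no CAA anywhere up the tree: no restriction
    # A tag the CA does not understand, with the critical flag (128) set, forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    if is_wildcard and issuewild:
        issue = issuewild               # issuewild records take precedence for wildcard names
    else:
        issue = [r for r in rrset if r.tag == "issue"]
    if not issue:
        return True                     # only iodef (or nothing relevant): no issuer restriction
    # Value format is "<ca-domain>[; parameters]"; an empty ca-domain matches no CA.
    allowed = {r.value.split(";")[0].strip().lower() for r in issue}
    return ca_domain.lower() in allowed
```

A real CA also has to handle DNSSEC failures and lookup errors conservatively, which this model omits.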

Even though the CAA mechanism has been around for a while, since September 2017 CAs now have to perform the CAA check when issuing certificates, which means that all of the above will start being a reality soon enough. This motion was adopted at the CAB, the CA/Browser Forum, with 94% of the CAs in favour and 100% of the browsers in favour.

So, don’t forget to update your CAA records (sooner rather than later!) and help make the web more secure!

Find us next week for a new tech article!