CAA makes it mandatory to verify SSL issued
As of September 8th, 2017, it is mandatory for Certifying Authorities (CAs) to verify the CAA record before issuing an SSL certificate, as directed by Certification Authority Authorization (CAA). The sole purpose is to tackle the menace of fraudulent SSL certificate generation. The CAA standard is defined in RFC 6844.
What is CAA?
Certification Authority Authorization (CAA) is an industry standard that allows domain owners to specify which Certifying Authorities (CAs) are allowed to issue certificates for their domains. The intention is to help CAs avoid mis-issuing certificates; it is an added verification step in their certificate issuing procedures.
Before any certificate is issued, the CA verifies the CAA record to check whether it is itself listed there, and blocks the request if it is not.
How to use CAA?
The domain owner has to publish Certification Authority Authorization (CAA) records in the domain’s DNS, specifying:
1. List of CAs authorized to issue SSL certificates for that domain.
2. Policies for the entire domain or for specific hosts
3. Single-Name Certificates, Wildcard Certificates or both can also be
Why use CAA?
There have been numerous instances in the past in which Certifying Authorities were hacked and fraudulent certificates were issued. Furthermore, in our previous blog posts we raised concerns about the lack of verification and the decentralized structure of the CAs, which allowed any CA to issue SSL certificates on behalf of any domain. Because of this, it was of utmost importance to give domain owners a control and verification method for sharing information with the CAs, so that the CAs themselves know whether or not they are allowed to issue a certificate.
It is now the prerogative of domain owners to provide CAA information if they are using a certificate, and it is the responsibility of the CAs to validate each and every request.
List of DNS Servers Implementing CAA
Because Certification Authority Authorization (CAA) is a fairly new standard, very few DNS servers support adding CAA records.
| DNS server | CAA support | Notes |
| --- | --- | --- |
| BIND | Yes | Prior to version 9.9.6 use RFC 3597 syntax |
| Knot DNS | ≥2.2.0 | |
| NSD | Yes | Prior to version 4.0.1 use RFC 3597 syntax |
| OpenDNSSEC | Yes | With ldns ≥1.6.17 |
| PowerDNS | ≥4.0.0 | Versions 4.0.3 and below are buggy when DNSSEC is enabled. |
| Simple DNS Plus | ≥6.0 | |
| tinydns | Yes | Use generic record syntax |
| Windows Server 2016 | Yes | Use RFC 3597 syntax |
Domain owners may check with their respective domain registration service providers whether they support adding CAA records in their DNS configuration panel.
To create a CAA record, domain owners may visit https://sslmate.com/caa/
How to Verify CAA?
Two of the most popular tools for looking up DNS records are “dig” and “nslookup”, and both use “type257” as the query type for CAA.
$ dig google.com type257
;; ANSWER SECTION:
google.com. 86399 IN TYPE257 # 19 0005697373756573796D616E7465632E636F6D
google.com. 86399 IN TYPE257 # 15 00056973737565706B692E676F6F67
> set q=type257
google.com rdata_257 = # 19 0005697373756573796D616E7465632E636F6D
google.com rdata_257 = # 15 00056973737565706B692E676F6F67
However, these tools do not yet decode CAA records, so from their output you can only conclude that a CAA record exists.
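The generic "# length hex" output above can be decoded by hand. The following Python is an added example, not part of the original release or of any tool it mentions: it converts RFC 3597 generic rdata to the readable CAA form and back (the reverse direction is what the servers listed as "use RFC 3597 syntax" need). Function names are hypothetical; the sample strings are the two answers shown above.

```python
# Added example: convert CAA rdata between RFC 3597 generic syntax and CAA text form.
# Wire layout (RFC 6844): 1 byte flags, 1 byte tag length, tag, then the value.

def decode_caa_rdata(generic: str) -> tuple[int, str, str]:
    """Parse '# <length> <hex>' into (flags, tag, value)."""
    parts = generic.split()
    if len(parts) < 3 or parts[0] != "#":
        raise ValueError("not RFC 3597 generic rdata")
    declared = int(parts[1])
    raw = bytes.fromhex("".join(parts[2:]))
    if len(raw) != declared:
        raise ValueError(f"length mismatch: declared {declared}, got {len(raw)}")
    if len(raw) < 2:
        raise ValueError("CAA rdata too short")
    flags, tag_len = raw[0], raw[1]
    if tag_len == 0 or 2 + tag_len > len(raw):
        raise ValueError("bad tag length")
    tag = raw[2:2 + tag_len].decode("ascii")
    value = raw[2 + tag_len:].decode("ascii")
    return flags, tag, value

def encode_caa_rdata(flags: int, tag: str, value: str) -> str:
    """Build the '# <length> <hex>' form for servers without native CAA support."""
    tag_b, value_b = tag.encode("ascii"), value.encode("ascii")
    if not 0 <= flags <= 255 or not 1 <= len(tag_b) <= 255:
        raise ValueError("flags or tag length out of range")
    raw = bytes([flags, len(tag_b)]) + tag_b + value_b
    return f"# {len(raw)} {raw.hex().upper()}"

def to_presentation(generic: str) -> str:
    """Render generic rdata the way a CAA-aware tool would print it."""
    flags, tag, value = decode_caa_rdata(generic)
    return f'{flags} {tag} "{value}"'

# The two TYPE257 answers for google.com quoted on this page.
SAMPLES = [
    "# 19 0005697373756573796D616E7465632E636F6D",
    "# 15 00056973737565706B692E676F6F67",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(to_presentation(sample))
```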
One may visit our domain tools section to look up CAA records:
;; ANSWER SECTION:
google.com. 86399 IN CAA 0 issue "pki.goog"
A more complicated CAA record, from hboeck.de:
;; ANSWER SECTION:
hboeck.de. 3599 IN CAA 0 issue "letsencrypt.org"
hboeck.de. 3599 IN CAA 0 issuewild ";"
hboeck.de. 3599 IN CAA 0 iodef "https://int21.de/caa/"
hboeck.de. 3599 IN CAA 0 iodef "mailto:email@example.com"
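How a CA might evaluate a record set like this one before issuing, as an added Python example (not from the original release and not any CA's actual code). It follows the RFC 6844 rules for the issue, issuewild and iodef tags, and assumes the relevant record set has already been located: climbing the DNS tree, CNAME handling and issuer parameters after ";" are left out. Function names are hypothetical.

```python
# Added example: decide whether a CA may issue, given a domain's CAA record set.
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # tags defined in RFC 6844
CRITICAL = 128                                  # issuer-critical flag bit

# The hboeck.de answer section shown on this page.
HBOECK = [
    'hboeck.de. 3599 IN CAA 0 issue "letsencrypt.org"',
    'hboeck.de. 3599 IN CAA 0 issuewild ";"',
    'hboeck.de. 3599 IN CAA 0 iodef "https://int21.de/caa/"',
    'hboeck.de. 3599 IN CAA 0 iodef "mailto:email@example.com"',
]

def parse_caa(lines):
    """Turn dig-style answer lines into (flags, tag, value) tuples."""
    records = []
    for line in lines:
        fields = shlex.split(line)              # also strips the value's quotes
        i = fields.index("CAA")
        flags, tag, value = fields[i + 1:i + 4]
        records.append((int(flags), tag.lower(), value))
    return records

def may_issue(records, ca_domain, wildcard=False):
    """Return True if the CA identified by ca_domain may issue the certificate."""
    # An unrecognised tag marked critical means the CA must refuse.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild, when present, overrides issue for wildcard requests only.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                             # nothing published: any CA may issue
    # Drop parameters after ';'. A bare ";" leaves an empty name: nobody is allowed.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    recs = parse_caa(HBOECK)
    for ca, wild in [("letsencrypt.org", False), ("letsencrypt.org", True),
                     ("pki.goog", False)]:
        print(ca, "wildcard" if wild else "single-name", may_issue(recs, ca, wild))
```

The empty-record-set case returning True is the first threat scenario listed below: a domain that publishes no CAA record places no restriction on any CA.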
Threat Attack Scenarios
With the implementation of CAA, the attack surface shrinks and shifts towards the addition of CAA records by the domain owners:
1. Non-Compliance of adding CAA Records in the DNS by Domain Owners
2. Compromised DNS Panel of the Domain Owner
eScan is an ISO (27001) certified pure-play enterprise security solution company with over 2 decades of expertise in developing IT security solutions. eScan today has a presence in 12 countries through its offices and subsidiaries. It also boasts of a robust channel partner network of more than 50,000 partners spread across 190 countries worldwide. It is trusted by more than 6,500 enterprise and corporate users spread across various industry segments such as Government, BFSI, Education, Defense, Telecom, IT & ITeS, Infrastructure, Hospitality, and Healthcare worldwide.
It is powered by some of the latest and innovative technologies, such as Proactive Behavioral Analysis Engine (PBAE) Technology, MicroWorld Winsock Layer (MWL) Technology, Domain & IP Reputation Check (DIRC) Technology, Non-Intrusive Learning Pattern (NILP) Technology, and sophisticated Anti-Virus Heuristic Algorithms that not only provide protection from current threats, but also provide proactive protection against the ever-evolving cyber threats. eScan provides a 24x7 free remote support facility to help its esteemed users with real-time solutions for security-related issues.
For more information, visit www.escanav.com
39555 Orchard Hill Place, Suite 600
Novi, MI 48375
This release was published on openPR.
News-ID: 734146