Certificate Authorities issue certificates that verify the identity of the entity behind a site or application. CAs play a vital role in online security and privacy, but the Certificate Authority system isn’t perfect.
Before certificates are issued, the Certificate Authority checks that the applicant is who they claim to be and that they control the domain specified in the application. But what’s to stop a Certificate Authority from issuing a certificate to an entity that doesn’t have legitimate control of the domain? Recently, a spate of incorrectly issued certificates from incompetent or rogue CAs has shaken trust in the system.
Certificate Authority Authorization (CAA) records are a type of DNS record intended to prevent Certificate Authorities from issuing certificates to third parties who do not have legitimate control of a domain. A domain’s owner can use a CAA record to specify which Certificate Authorities are authorized to issue certificates for that domain. A Certificate Authority that receives an application for a certificate for the domain can check the associated CAA record to verify that it is authorized to issue the certificate.
Imagine the following: a popular site is compromised by criminals, who gain the ability to publish content on the site’s domain. The criminals apply for a certificate for the domain to use in a phishing attack against the site’s users. The CA will require the criminals to verify that they control the domain by uploading a file containing a verification token the CA recognizes to a particular URL. Because the criminals have compromised the site, they can upload the file and the Certificate Authority will issue the certificate. CAA records close this gap: if the domain’s CAA record authorizes only a different CA, the CA that receives the fraudulent application must refuse to issue, even though the domain-control check succeeded.
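The check a CA applies when it receives an application, as an added example (not code from the original post): it walks from the requested name toward the root to find the governing CAA record set, honours the critical flag, lets `issuewild` override `issue` for wildcard requests, and treats `";"` as "nobody may issue". The `ZONE` dictionary is constructed sample data standing in for real DNS answers.

```python
"""Added example: the CAA decision a CA applies, following RFC 6844/8659
rules. ZONE is constructed sample data standing in for DNS answers."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int  # bit value 128 = "issuer critical"
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # issuer domain, or ";" meaning no issuer may issue

# Constructed zone data: policy published at the apex, nothing at the leaf names.
ZONE = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org"), CAA(0, "issuewild", ";")],
    "reports-only.example.": [CAA(0, "iodef", "mailto:security@reports-only.example")],
    "locked.example.": [CAA(128, "unknown-tag", "x")],  # critical, unknown tag
}

def relevant_caa_set(name: str, zone: dict) -> list:
    """Climb toward the root; the nearest name holding CAA records governs."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []

def may_issue(name: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    """Return True if `ca` is allowed to issue for `name` (or *.name if wildcard)."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True  # no CAA policy published: ordinary validation decides
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild governs wildcard requests when present
    allowed = [r.value.split(";")[0].strip() for r in records if r.tag == tag]
    if not allowed:
        return True  # records exist (e.g. iodef only) but none restrict this request
    return ca in allowed  # ";" parses to "", which matches no CA
```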
Certificate Authority Authorization records are not new, but, until recently, checking for CAAs was voluntary. Certificate Authorities could choose whether to integrate CAA checking into their validation processes. Some CAs have checked CAA records for years, but it wasn’t required and many CAs decided against using the records. But, as of September, CAA checking is mandatory. Browsers will not trust Certificate Authorities that ignore or fail to check CAA records.
CAA records give organizations a tool for communicating their internal policies on which CAs they use to the growing community of organizations whose root certificates are trusted by browsers and other applications. CAA records are a low-friction and easily checked mechanism for making it clear which CAs are authorized to issue certificates.
It’s worth noting that there is no obligation for domain owners to use CAA records. There are clear security advantages to using them, but if an organization doesn’t specify an authorized Certificate Authority in its domain’s DNS records, the CAs will simply perform their standard identity validation process and issue a certificate if warranted.
Adding CAA records isn’t a significant burden for domain owners, and there are obvious security benefits, so taking advantage of the extra protection is advisable.