Certificate Authority Authorization Records Can Make Your Sites More Secure

October 4, 2017 in Security

Certificate Authorities issue certificates that verify the identity of the entity behind a site or application. CAs play a vital role in online security and privacy, but the Certificate Authority system isn’t perfect.

Before certificates are issued, the Certificate Authority checks that the applicant is who they claim to be and that they control the domain specified in the application. But what’s to stop a Certificate Authority issuing a certificate to an entity that doesn’t have legitimate control of the domain? Recently, a spate of incorrectly issued certificates from incompetent or rogue CAs has shaken trust in the system.

Certificate Authority Authorization (CAA) records are a type of DNS record intended to prevent Certificate Authorities from issuing certificates to third parties who do not have legitimate control of a domain. The CAA record can be used by a domain’s owner to specify which Certificate Authorities are authorized to issue certificates for that domain. A Certificate Authority that receives an application for a certificate for the domain can check the associated CAA record to verify that it is authorized to issue the certificate.

Imagine the following: a popular site is compromised by criminals, who gain the ability to publish content on the site’s domain. The criminals apply for a certificate for the domain to use in a phishing attack against the site’s users. The CA will require the criminals to verify that they control the domain by uploading a file containing a signature the CA recognizes to a particular URL. Because the criminals have compromised the site, they can upload the file and the Certificate Authority will issue the certificate. This is the gap a CAA record narrows: if the domain’s CAA record does not authorize the CA the criminals applied to, that CA should refuse to issue the certificate even though the file check succeeded.

Certificate Authority Authorization records are not new, but, until recently, checking for CAAs was voluntary. Certificate Authorities could choose whether to integrate CAA-checking into their validation processes. Some CAs have checked CAA records for years, but it wasn’t required and many CAs decided against using the records. But, as of September, CAA checking is mandatory. Browsers will not trust Certificate Authorities that ignore or fail to check CAA records.

CAA records give organizations a way to communicate their internal policy on which CAs they use to the growing community of organizations with trusted root certificates in browsers and other applications. They are a low-friction, easily checked mechanism for making it clear which CAs are authorized to issue certificates.

It’s worth noting that there is no obligation for domain owners to use CAA records. There are clear security advantages to using them, but if an organization doesn’t specify an authorized Certificate Authority in its domain’s DNS records, the CAs will simply perform their standard identity validation process and issue a certificate if warranted.
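
The check described above can be sketched in a few lines. This is an added example, not code from the original post or from any CA: it is a simplified model of the CAA lookup (climb from the requested name toward the root, then compare the issue/issuewild values with the CA's own identifier), and the zone data and the names ca-one.example and ca-two.example are constructed for illustration.

```python
# Added example: simplified model of the CAA check a CA performs before issuing.
# Zone-file form of one record:  example.com.  IN  CAA  0 issue "ca-one.example"
# Constructed sample data: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", ";"),                      # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "internal.example.com": [(0, "issue", ";")],    # no CA may issue at all
    "example.org": [(0, "iodef", "mailto:security@example.org")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # "issuer critical" flag bit


def relevant_rrset(fqdn, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def may_issue(ca_domain, fqdn, zone=ZONE):
    """Return True if CAA permits the CA identified by ca_domain to issue."""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    # An unrecognized tag marked critical means the CA must refuse.
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    values = issuewild if wildcard and issuewild else issue
    if not values:
        return True  # no CAA set, or none that restricts issuance
    # The value is "<issuer domain>[; parameters]"; a bare ";" names no issuer.
    issuers = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in issuers


if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.example.com"),
                     ("ca-two.example", "www.example.com"),
                     ("ca-one.example", "*.example.com"),
                     ("ca-two.example", "www.example.org")]:
        print(f"{ca:15} {name:20} -> {'issue' if may_issue(ca, name) else 'refuse'}")
```

The second case is the compromised-site scenario: ca-two.example is asked for a certificate for www.example.com and must refuse because only ca-one.example is listed. The example.org case shows that a domain with no issue records is unrestricted.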

Adding CAA records isn’t a significant burden for domain owners, and there are obvious security benefits, so taking advantage of the extra protection is advisable.
