Hello, welcome to the Monday, November 2, 2020 edition of the Sandtonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

On Friday, Xavier took a look at the adoption rate for the CAA DNS record.

The CAA is short for certification authority authorization, and it essentially tells

certifications if they are authorized to issue certificates on behalf of the domain.

Now, whenever we talk about TLS vulnerabilities, we often get lost in these highly technical weaknesses in the TLS protocol, which actually are hardly ever exploited.

On the other hand, there have been a number of high-profile issues with certificate authorities being tricked to issue a certificate for a particular domain without

actually properly verifying that request.

So the CIA record in that sense is actually preventing some real attacks in that a

certificate authority will first check that record to make sure that it is authorized to issue

the certificate and it will otherwise reject to issue a certificate. So this record is not

checked by browsers as they verify a certificate. It's only checked by certificate authorities.

Well, some of the bad news here, not a lot of domains are using it.

Xavier only found 3% of Alexa's top 1 million domains using a CIA record.

I believe one reason why organizations are hesitant in using the CIA record is that they often, in addition to

self-hosted websites and certificates are taking advantage of con-delivery networks or CDNs.

And these CDNs will now request certificates on behalf of that organization. And then of course you need to include

whatever certificate authority the CDN is using, which may not always be that clear. And then you

have sort of again that trade-off between a denial of service or a potential machine in the middle attack with

someone issuing a bad certificate. Another issue, of course, and I'm not sure how widespread

that still is these days, but there have been some domain registrars that had no provision

...