Contact Us

How to Protect SSL Certificates From Unauthorized Issuance with CAA

How to stop attackers before they start with CAA records
08 Jan 2024

Anyone Can Issue SSL Certificates for Your Domain

Stolen subdomains are now a hot commodity on the black market since they can be used for phishing attacks, they pass all the tests we teach people to check to ensure it is not a phishing site. When we created EZMonitor we found over 30,000 Azure hosted subdomains vulnerable to takeover. Once we saw bad actors taking those domains to attack consumers, we decided to occupy the domains ourselves while we notified the companies that they were vulnerable.

During the creation of these sites, and disclosures there were two organizations that stood out: Legoland and FedEx. These two organizations were the only ones out of thousands that successfully blocked EZMonitor to get an SSL Certificate for their site. How did they do it? CAA Records, a simple solution that could prevent your next phishing attack.

What are CAA Records?

A Certification Authority Authorization (CAA) record is a DNS entry type that enable to limit which Certificate Authorities (CAs) are allowed to create certificates for your domain. Compliant Certificate Authorities must check if they are allowed to issue a certificate for your domain, and notify your contact if someone requests a certificate from an unauthorized CA.

If a CAA is present, only certificates from the listed CAs are allowed; however, CAA records fail open meaning that if no CAA record is present any CA can create certificates for the domain.

Why Are CAA Records Important?

CAA records limit the number of certificate authorities that can issue certificates for your domain to only CAs that you have a working relationship with and will probably not issue a certificate to someone else. If implemented properly, CAA records will give CAs enough information to contact your organization if an unauthorized user tries to issue a certificate for your domain, giving you information on possible attacks to mitigate.

How to Implement CAA Records

Adding CAA Records is very simple, all you have to do is add a DNS record of the type CAA for each of the CAs that should issue certificates for your domain get the full details in our documentation.

Are CAA Records a Silver Bullet?

While adding CAA records is a must for all organizations, it does not solve all SSL related problems. This is why the Department of Homeland Security still requires all Federal Agencies to have a Certificate Transparency monitor like EZMonitor.

Learn more about your current SSL health by booking an SSL Health analysis with one of our ex-Microsoft SSL experts today!

You Might Also Want to Read