Compromised subdomains are becoming increasingly valuable amongst hackers and other cyber criminals in the darker corners of the internet. Why? Their value arises from their potential use in phishing schemes. Interestingly, these stolen subdomains can effortlessly bypass the traditional checks that are often taught to identify malicious sites. This is because, to the untrained eye, they appear legitimate, thus making them a formidable weapon in the hands of cybercriminals.
When we developed EZMonitor, our SSL certificate monitoring tool, our findings were incredibly alarming, to say the least. We found over 30,000 Azure-hosted subdomains susceptible to unauthorized takeovers. You read that right – over 30,000. Disturbingly, we noticed bad actors seizing these domains to launch attacks on unsuspecting consumers. To counteract this, we took a proactive approach – instead of leaving them exposed, we temporarily occupied these domains and reached out to the relevant companies to alert them to these vulnerabilities.
Of the multitude of organizations we came across during our discoveries and disclosures, two names stood out: Legoland and FedEx. Out of the thousands of entities we evaluated, these two were the only ones that effectively thwarted EZMonitor from obtaining an SSL Certificate for their site. Shocking, right? Their secret weapon against potential phishing attacks? CAA Records. This straightforward solution proved to be a potent defense mechanism, emphasizing its potential to be a significant deterrent against future phishing threats.
A Certification Authority Authorization (CAA) Record is a type of DNS record that serves as a protective measure for domain owners. CAA Records stipulate which CAs have permission to issue certificates for a given domain. The essence of this is to provide domain owners with the ability to control and dictate who can issue certificates on their behalf.
When any certificate authority that follows the CAA standard receives a request to issue a certificate, it is required to check the CAA Record of the domain in question. If the CA is not explicitly authorized by that record, it must not only decline to issue the certificate, but it also must inform the domain’s contact about the attempted acquisition through a non-permitted CA.
It’s worth noting the dichotomy in how a CAA Record operates. When a CAA Record exists, only the CAs specifically listed within it can create certificates for the domain – it acts like a whitelist of trusted authorities. On the other hand, there’s an interesting caveat if a CAA Record does not exist. The system is designed to “fail open,” which means that, if no CAA Record is established for a domain, any CA is free to create certificates for it. This emphasizes the importance for domain owners to actively create CAA Records, ensuring that only trusted CAs can issue certificates for their domain.
CAA Records are so important because they act as gatekeepers for your domain’s security. They restrict which CAs can issue certificates for your domain, ensuring that only those CAs you trust can do so. Essentially, this minimizes the chances of unauthorized entities being issued certificates for your domain.
When set up correctly, CAA Records function not only as a safeguard but also as a communication conduit (nice alliteration, right?). Should anyone attempt to obtain a certificate for your domain from a CA that is not listed, the CAA Record provides enough details for that CA to notify your organization. This proactive notification system can be positively invaluable, as it offers real-time insight into potential security threats, allowing you to take timely action and ward off potential cyberattacks.
Implementing a CAA Record is surprisingly simple! All you need to do is add a DNS record of type CAA for each certificate authority that you want to allow to issue certificates for your domain. That’s it! For a detailed walkthrough, check out our documentation here.
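The check a CA performs against those records, as an added example that is not from the original post or from EZMonitor: a small Python evaluator over constructed zone data (the names, CAs and mailbox are hypothetical) that climbs the DNS tree to the nearest CAA RRset, applies the issue/issuewild properties, fails open when no record exists anywhere in the chain, and returns the iodef contact when a CA is not listed. It deliberately ignores CNAME/DNAME following, DNSSEC and the critical flag to stay short.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value), as in a CAA RR

# Constructed zone data (hypothetical names and mailbox) standing in for
# live DNS: example.com allows one CA, forbids wildcards, and asks for reports;
# the shop subdomain overrides that with its own RRset.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),  # ';' alone means no CA may issue
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [
        (0, "issue", "digicert.com"),
    ],
}


def relevant_rrset(name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from name toward the root; the first CAA RRset found governs."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE:
            return candidate, ZONE[candidate]
    return None, []


def ca_may_issue(name: str, ca: str) -> Tuple[bool, str]:
    """Decide whether issuer domain `ca` may issue for `name` (may be *.name)."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]  # the wildcard label is dropped before the lookup
    owner, rrset = relevant_rrset(name)
    if owner is None:
        return True, "no CAA record in the chain: fails open, any CA may issue"
    rules = [v for _, t, v in rrset if t == "issuewild"] if wildcard else []
    if not rules:  # non-wildcard request, or issuewild absent -> issue applies
        rules = [v for _, t, v in rrset if t == "issue"]
    if not rules:  # e.g. iodef only: nothing restricts issuance
        return True, f"{owner} has CAA but no issue restriction"
    for value in rules:
        issuer = value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer == ca.lower():
            return True, f"{ca} is listed in {owner}"
    contacts = ", ".join(v for _, t, v in rrset if t == "iodef")
    return False, f"{ca} not listed in {owner}; report to {contacts or 'nobody (no iodef)'}"
```

Pointing the evaluator at a subdomain that has no CAA record of its own shows why the parent record matters: the climb stops at the first RRset it finds, and an unprotected chain falls through to the fail-open branch.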
Implementing CAA Records is undeniably essential for organizations aiming to improve their domain’s security; however, relying on CAA Records alone is not the be-all and end-all for the many challenges associated with SSL. Recognizing the intricacies and vulnerabilities associated with SSL, the Department of Homeland Security (DHS) requires that all federal agencies adopt additional safeguards. Specifically, the DHS promotes the use of CT log monitors, such as EZMonitor. Such tools provide an added layer of protection, ensuring a more comprehensive and resilient defense against potential SSL-related threats.
To learn more about how EZMonitor can help protect your organization’s SSL infrastructure, schedule a FREE consultation with one of our PKI experts today!