
Adding Digital Certificates to the Core of the Internet

In the past, I’ve written about my concerns regarding the long process of making the Internet safe and secure. While much progress has been made, it’s not coming at the speed that many hoped for.


Online applications have for years depended on certificate authorities (CAs): third parties that attest that a given public key belongs to the named server, with the server proving possession of the corresponding private key. To be treated as trusted, a site must obtain a certificate from a CA that browsers and operating systems already recognize. Many large institutions and government entities operate their own CAs, and some providers issue certificates at no cost, but most commercial CAs charge for certificates that are automatically trusted by most Web browsers. The more widely a CA's root is distributed, the greater the number of Web browsers, devices and applications that trust the certificates it issues. Symantec, Comodo, GoDaddy and GlobalSign are among the largest purveyors of SSL certificates.

However, what if a site could be recognized as secure through the DNS itself? In other words, what if you could publish your certificate, or a fingerprint of it, in the DNS? What if you could turn on a Web browser and be secure right out of the box, without application vendors having to bundle and maintain a list of trusted CA certificates?

There would be two immediate results. One: the development and deployment process would be more efficient. Two: certificate authorities would likely evolve toward a new business model, which could benefit many people in many ways.

It could also result in a more secure Internet for all.

One of the most vexing topics is the ongoing delay in DNSSEC deployment. Once it is fully deployed, Web browsers and other client applications can have built-in, cryptographically verifiable assurance that the DNS answers they rely on are the ones the domain's operator published, and therefore that end users are connected to the intended website or service indicated by the domain name the user typed.

Full DNSSEC deployment would serve as a foundation for the future of security technology, providing a critical layer of infrastructure from which new and innovative technologies can emerge, since virtually everything on the Internet uses DNS. To express the idea in terms of a physical community, you can't build a skyscraper without a foundation that is sturdier than the tower on top of it. All buildings must be built on a solid foundation.

Using the DNSSEC infrastructure to manage certificates improves how public keys are bound to DNS names. Why? Because the entities that vouch for the binding of public key data to a DNS name would be the same ones responsible for managing that DNS name: the zone operator signs the record, and the chain of signatures from the zone up to the DNS root lets any validating resolver check it.

I'm not alone in my view. Within the Internet Engineering Task Force (IETF), there is a working group dedicated to DNS-based Authentication of Named Entities (DANE). DANE lets a domain's operator publish in the DNS, as a TLSA record under a name such as _443._tcp.www.example.com, which certificate or public key a client should expect from that service, so that the client (a PC or mobile device) and the secure domain interact directly, with no third party required. The goal of DANE is therefore dependent on the deployment of DNSSEC: a TLSA record is only as trustworthy as the signed chain that delivers it, so a client must obtain it through a validating resolver (or validate it itself) and must ignore TLSA data from unsigned or unvalidated answers, otherwise an attacker who can spoof DNS can spoof the record too. At present, DANE can be deployed in conjunction with the current system of certificates and authorities to better protect domains. However, the long-term vision is that DANE will enable domain holders, and the registries above them in the DNSSEC chain of signatures, to vouch for, in effect to certify, their own domain names.
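The binding described above (a signed DNS record naming the key a service should present) is concrete enough to show in code. The following is an added example, not code from the column or from any DANE working-group tool: it generates and checks DANE-EE TLSA records using only the Python standard library, walking the real DER layout of an X.509 certificate to pull out the subjectPublicKeyInfo. The certificate it operates on is constructed in the block (a structurally valid but unsigned stand-in with placeholder key bytes, so no real key is involved), and the host name www.example.com is assumed for illustration; extract_spki works unchanged on a genuine DER certificate.

```python
# DANE TLSA (RFC 6698) record generation and matching, standard library only.
# The sample certificate below is constructed for this example; it is not a real key.
import hashlib
from typing import List, Tuple

# TLSA field values from RFC 6698 (acronyms from RFC 7218)
USAGE_DANE_EE = 3      # DANE-EE: pin the end-entity certificate itself
SELECTOR_CERT = 0      # Cert: match against the whole DER certificate
SELECTOR_SPKI = 1      # SPKI: match against subjectPublicKeyInfo only
MATCH_FULL = 0         # Full: association data is the raw bytes
MATCH_SHA256 = 1       # SHA2-256 digest of the selected data
MATCH_SHA512 = 2       # SHA2-512 digest of the selected data


def der_tlv(data: bytes, offset: int = 0) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at offset; return (tag, value, offset after it)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(body: bytes) -> List[bytes]:
    """Split a SEQUENCE body into its encoded (tag+length+value) elements."""
    out, pos = [], 0
    while pos < len(body):
        _, _, nxt = der_tlv(body, pos)
        out.append(body[pos:nxt])
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the encoded subjectPublicKeyInfo of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs_body, _ = der_tlv(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                # explicit [0] version tag present (v2/v3)
        fields = fields[1:]
    return fields[5]                        # serial, sigalg, issuer, validity, subject, SPKI


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Compute the TLSA 'certificate association data' for a certificate."""
    data = extract_spki(cert_der) if selector == SELECTOR_SPKI else cert_der
    if matching == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    return data


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name the record is published at, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}"


def tlsa_rdata(cert_der: bytes, usage: int = USAGE_DANE_EE,
               selector: int = SELECTOR_SPKI, matching: int = MATCH_SHA256) -> str:
    """Presentation-format RDATA: '<usage> <selector> <matching> <hex data>'."""
    return f"{usage} {selector} {matching} {association_data(cert_der, selector, matching).hex()}"


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Does a presented certificate satisfy one DANE-EE TLSA record?

    Only feed this records from a DNSSEC-validated answer; an unsigned TLSA record
    proves nothing. Usages 0-2 also require PKIX chain checks, so they are rejected
    here rather than silently treated as a match.
    """
    usage, selector, matching, hexdata = rdata.split()
    if int(usage) != USAGE_DANE_EE:
        raise ValueError("only DANE-EE (usage 3) is handled in this example")
    return association_data(cert_der, int(selector), int(matching)) == bytes.fromhex(hexdata)


# --- constructed sample certificate (assumption: placeholder key, never signed) ---------
def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder for the sample; supports lengths below 65536."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + body


def build_sample_cert(key_bytes: bytes) -> bytes:
    """Build a v3-shaped certificate whose SPKI BIT STRING wraps key_bytes (not a real key)."""
    alg_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))  # rsaEncryption, NULL
    alg_sig = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSAEncryption
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                                         # version v3
                    + der(0x02, b"\x01")                                                   # serialNumber
                    + alg_sig                                                              # signature algorithm
                    + der(0x30, b"")                                                       # issuer (empty Name)
                    + der(0x30, der(0x17, b"230101000000Z") + der(0x17, b"240101000000Z"))  # validity
                    + der(0x30, b"")                                                       # subject (empty Name)
                    + spki)
    return der(0x30, tbs + alg_sig + der(0x03, b"\x00" + b"\x00" * 8))  # placeholder signature


SAMPLE_CERT = build_sample_cert(b"\x42" * 32)

if __name__ == "__main__":
    record = tlsa_rdata(SAMPLE_CERT)
    print(tlsa_owner("www.example.com"), "IN TLSA", record)
    print("own certificate matches:", tlsa_matches(SAMPLE_CERT, record))
    print("different key matches:", tlsa_matches(build_sample_cert(b"\x01" * 32), record))
```

The default (3 1 1, DANE-EE / SPKI / SHA-256) is the form most deployments publish, because it survives certificate renewals as long as the key pair is kept. The matcher refuses usages 0 to 2 on purpose: those only mean something once the presented chain has also passed normal PKIX validation, and a checker that quietly accepted them would turn a "trust anchor" record into a blanket bypass.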


While the DANE working group should be applauded for its progress, we are not yet near delivering on the promise of DANE. On the plus side, prototype deployment tools exist, and the documentation is maturing and progressing. On the client side, an experimental variant of DANE, DNSSEC-stapled certificates, has been implemented in Google Chrome. On the server side, prototype tools that generate DANE records, and DNSSEC-stapled certificates based on those records, are available.

An opportunity to create a safer, more secure Internet is staring us in the face. The foundation for that, of course, is DNSSEC, with DANE constituting a critical first step.

If you’d like to contribute to the effort of making the Internet a better place, I urge you to lend your voice to the call for full deployment of DNSSEC. It’s an important step, and it’s one we can all take together.
