SecurityWeek

Network Security

Adding Digital Certificates to the Core of the Internet

In the past, I’ve written about my concerns regarding the long process of making the Internet safe and secure. While much progress has been made, it’s not coming at the speed that many hoped for.

Online applications, for years now, have been beholden to certification authorities — third-party entities that ensure a server holds a specific private key and publishes the corresponding public key. To make sure that your application is secure, you have to get your certificate authorized and recognized as secure. Many large institutions and government entities have their own certification authority, and some providers issue digital certificates at no cost. However, most commercial certification authorities charge for certificates that are automatically trusted by most Web browsers. The more ubiquitous a particular certification authority is, the greater the number of Web browsers, devices and applications that trust it. Symantec, Comodo, GoDaddy and GlobalSign are among the largest purveyors of SSL certificates.

However, what if you could automatically be recognized as secure because of the DNS? In other words, what if you could put your certificate into the DNS? What if you could turn on a Web browser and be secure right out of the box, without application vendors having to install certificates?

There would be two immediate results. One: the development process would be more efficient. Two: certification authorities would likely evolve toward a new business model, which could be beneficial to many people in many ways.

It could also result in a more secure Internet for all.

One of the most vexing topics is the ongoing delay in DNSSEC implementation. Once it’s fully deployed, Web browsers and other client applications can have built-in assurances that end-users are connected to the intended website or service indicated by the domain name the user typed.

Full DNSSEC deployment would serve as a foundation for the future of security technology, providing a critical layer of infrastructure from which new and innovative technologies will emerge, since everything on the Internet uses DNS. To express the idea in terms of a physical community, you can’t build a skyscraper without a foundation that’s sturdier than the tower on top of it. All buildings must be built on a solid foundation.


Using the DNSSEC infrastructure to manage certificates improves how public keys are bound to DNS names. Why? Because the entities that vouch for the binding of public key data to a DNS name would be the same ones who are responsible for managing the DNS name in question.

I’m not alone in my view. Within the Internet Engineering Task Force (IETF), there is a working group dedicated to the issue of DNS-based Authentication of Named Entities (DANE). The goal of DANE is to help create a direct interaction between a client (like a PC or mobile device) and the secure domain with which it interacts — no third parties required. But the goal of DANE is dependent on the deployment of DNSSEC. At present, DANE can be deployed in conjunction with the current system of certificates and authorities to better protect domains. However, the long-term vision is that DANE will enable domain registries to vouch for — to certify — their own domain names.
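To make concrete how a DNS record can bind a public key to a name, and how DANE can either sit alongside the existing CA system or replace it, here is an added example (not code from SecurityWeek or from this column's author) that builds and matches TLSA records in the shape RFC 6698 defines. It uses only the Python standard library and constructed placeholder byte strings in place of real DER-encoded certificates, so it runs offline; a real client would obtain the certificate from the TLS handshake and the TLSA record from a DNSSEC-validated lookup, and would perform ordinary PKIX path validation itself. The host name www.example.com and the placeholder blobs are assumptions made for the example.

```python
"""TLSA record construction and matching along the lines of RFC 6698.

Added example, not SecurityWeek's or the author's code.  Placeholder blobs
stand in for DER certificate data so the script runs offline; in practice the
blobs are the DER server certificate (selector 0) or its SubjectPublicKeyInfo
(selector 1), and the record comes from a DNSSEC-validated TLSA lookup.
"""
import hashlib
import struct

# Certificate usages.  Usages 0 and 1 still require the presented chain to
# validate under the existing CA system (DANE alongside today's authorities);
# usages 2 and 3 let the DNS zone itself vouch for the key.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors: which part of the certificate the record describes.
FULL_CERT, SPKI = 0, 1
# Matching types: how the certificate association data is compared.
EXACT, SHA256, SHA512 = 0, 1, 2

# Constructed placeholders standing in for DER-encoded certificate data.
CONSTRUCTED_EE_SPKI = b"constructed-spki-placeholder-for-www.example.com"
CONSTRUCTED_CA_CERT = b"constructed-ca-certificate-placeholder"
CONSTRUCTED_ROGUE_SPKI = b"constructed-spki-placeholder-for-another-key"


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name the client queries, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def association_data(blob: bytes, matching_type: int) -> bytes:
    """Reduce a certificate (or SPKI) blob to the form stored in the record."""
    if matching_type == EXACT:
        return blob
    if matching_type == SHA256:
        return hashlib.sha256(blob).digest()
    if matching_type == SHA512:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def build_tlsa(usage: int, selector: int, matching_type: int, blob: bytes):
    """Return (wire-format RDATA, presentation format) for one TLSA record."""
    data = association_data(blob, matching_type)
    rdata = struct.pack("!BBB", usage, selector, matching_type) + data
    presentation = f"{usage} {selector} {matching_type} {data.hex()}"
    return rdata, presentation


def parse_tlsa(presentation: str):
    """Parse '3 1 1 <hex>' into (usage, selector, matching_type, data)."""
    usage, selector, matching_type, hexdata = presentation.split(None, 3)
    return (int(usage), int(selector), int(matching_type),
            bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(record, chain_blobs, chain_valid: bool) -> bool:
    """Decide whether a presented chain satisfies a TLSA record.

    chain_blobs holds, for each certificate in the chain (end entity first),
    the part selected by the record's selector.  chain_valid is the outcome of
    ordinary PKIX path validation done by the caller; this function neither
    builds nor verifies chains, it only applies the DANE matching rules.
    """
    usage, selector, matching_type, data = record
    if usage in (PKIX_TA, PKIX_EE) and not chain_valid:
        return False  # PKIX usages keep the CA requirement
    if usage in (PKIX_EE, DANE_EE):
        candidates = chain_blobs[:1]  # only the end entity may match
    else:
        candidates = chain_blobs[1:]  # an issuer in the chain must match
    return any(association_data(blob, matching_type) == data for blob in candidates)


def demo() -> dict:
    """Contrast a CA-dependent usage with a DNS-only usage for the same key."""
    chain = [CONSTRUCTED_EE_SPKI, CONSTRUCTED_CA_CERT]
    dane_ee = parse_tlsa(build_tlsa(DANE_EE, SPKI, SHA256, CONSTRUCTED_EE_SPKI)[1])
    pkix_ee = parse_tlsa(build_tlsa(PKIX_EE, SPKI, SHA256, CONSTRUCTED_EE_SPKI)[1])
    return {
        "owner": tlsa_owner_name("www.example.com", 443),
        # The zone alone vouches for the key: no CA chain needed.
        "dane_ee_without_ca": tlsa_matches(dane_ee, chain, chain_valid=False),
        # Same key pinned, but the CA path must still validate.
        "pkix_ee_without_ca": tlsa_matches(pkix_ee, chain, chain_valid=False),
        "pkix_ee_with_ca": tlsa_matches(pkix_ee, chain, chain_valid=True),
        # A different key never matches, whatever the CA status.
        "rogue_key": tlsa_matches(dane_ee, [CONSTRUCTED_ROGUE_SPKI, CONSTRUCTED_CA_CERT],
                                  chain_valid=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The usage field is the practical hinge of the column's argument: a `3 1 1` record (DANE-EE, SPKI, SHA-256) is the "DNS vouches for its own name" model, while `1 1 1` pins the same key but still fails closed when the CA chain does not validate. Either way, the record is only as trustworthy as the DNSSEC validation that delivered it.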

While the DANE working group should be applauded for its progress, we’re not yet near delivering on the promise of DANE. On the plus side, there are prototype deployment tools. The documentation is maturing and progressing. And on the client side, a variant of DANE has been implemented in Google Chrome. For the server side of the equation, prototype tools that generate DANE records and DNSSEC-stapled certificates based on DANE records are available.

An opportunity to create a safer, more secure Internet is staring us in the face. The foundation for that, of course, is DNSSEC, with DANE constituting a critical first step.

If you’d like to contribute to the effort of making the Internet a better place, I urge you to lend your voice to the call for full deployment of DNSSEC. It’s an important step, and it’s one we can all take together.
