Adding Digital Certificates to the Core of the Internet

In the past, I’ve written about my concerns regarding the long process of making the Internet safe and secure. While much progress has been made, it’s not coming at the speed that many hoped for.

Online applications have for years been beholden to certification authorities — third-party entities that vouch that the operator of a server holds a specific private key and publishes the corresponding public key. To have your application recognized as secure, you must obtain a certificate from an authority that clients already trust. Many large institutions and government entities run their own certification authority, and some providers issue digital certificates at no cost. However, most commercial certification authorities charge for certificates that are automatically trusted by most Web browsers. The more ubiquitous a particular certification authority is, the greater the number of Web browsers, devices and applications that trust it. Symantec, Comodo, GoDaddy and GlobalSign are among the largest purveyors of SSL certificates.

[Image: SSL Certificates in Internet Infrastructure]

However, what if you could automatically be recognized as secure because of the DNS? In other words, what if you could put your certificate into the DNS? What if you could turn on a Web browser and be secure right out of the box, without application vendors having to install certificates?

There would be two immediate results. One: the development process would be more efficient. Two: certification authorities would likely evolve toward a new business model, which could be beneficial to many people in many ways.

It could also result in a more secure Internet for all.

One of the most vexing topics is the ongoing delay in DNSSEC implementation. Once it’s fully deployed, Web browsers and other client applications can have built-in assurances that end-users are connected to the intended website or service indicated by the domain name the user typed.

Full DNSSEC deployment would serve as a foundation for the future of security technology, providing a critical layer of infrastructure from which new and innovative technologies will emerge since everything on the Internet uses DNS. To express the idea in terms of a physical community, you can’t build a skyscraper without a foundation that’s sturdier than the tower on top of it. All buildings must be built on a solid foundation.

Using the DNSSEC infrastructure to manage certificates improves how public keys are bound to DNS names. Why? Because the entities vouching for the binding of public key data to a DNS name would be the same ones responsible for managing the DNS name in question.

I’m not alone in my view. Within the Internet Engineering Task Force (IETF), there is a working group dedicated to the issue of DNS Authenticated Named Entities (DANE). The goal of DANE is to help create a direct interaction between a client (like a PC or mobile device) and the secure domain with which it interacts — no third parties required. But the goal of DANE is dependent on the deployment of DNSSEC. At present, DANE can be deployed in conjunction with the current system of certificates and authorities to better protect domains. However, the long-term vision is that DANE will enable domain registries to vouch for — to certify — their own domain names.
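The binding described in the two passages above, as an added Go example that is not from this column or from the DANE working group: the zone operator publishes a TLSA record derived from the server's own key (assumed name example.com, port 443), and a client accepts a presented certificate only when it matches that record. Assumptions: certificates are self-signed and generated in-process for the demo, only the common usage 3 / selector 1 / matching type 1 form is implemented, and DNSSEC validation of the record itself happens outside this code.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is an RFC 6698 record; 3/1/1 = DANE-EE (no CA), SubjectPublicKeyInfo, SHA-256.
type TLSA struct{ Usage, Selector, MatchingType uint8; Data []byte }

// RecordFor is what the zone operator publishes (DNSSEC-signed) for cert. Hashing
// the key rather than the whole certificate lets a renewal keep the same record.
func RecordFor(cert *x509.Certificate) TLSA {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 3, Selector: 1, MatchingType: 1, Data: sum[:]}
}

// Matches is the client-side check; usages 0-2 (CA constraints) and other
// selectors or matching types are deliberately rejected rather than handled.
func (r TLSA) Matches(cert *x509.Certificate) bool {
	return r.Usage == 3 && r.Selector == 1 && r.MatchingType == 1 && bytes.Equal(RecordFor(cert).Data, r.Data)
}

// newSelfSigned builds a constructed self-signed certificate for the demo.
func newSelfSigned(key ed25519.PrivateKey, name string, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // bytes we just produced
	return cert
}

func main() {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	r := RecordFor(newSelfSigned(key, "example.com", 1))
	fmt.Printf("_443._tcp.example.com. IN TLSA %d %d %d %s\n", r.Usage, r.Selector, r.MatchingType, hex.EncodeToString(r.Data))
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(r.Matches(newSelfSigned(key, "example.com", 2)), r.Matches(newSelfSigned(rogue, "example.com", 3))) // true false
}
```

The renewed certificate (same key, new serial) still matches while a certificate carrying a different key does not, which is why operators pin the key (selector 1) rather than the full certificate.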

While the DANE working group should be applauded for its progress, we’re not yet near delivering on the promise of DANE. On the plus side, there are prototype deployment tools. The documentation is maturing and progressing. And on the client side, a variant of DANE has been implemented in Google Chrome. For the server side of the equation, prototype tools that generate DANE records and DNSSEC-stapled certificates based on DANE records are available.

An opportunity to create a safer, more secure Internet is staring us in the face. The foundation for that, of course, is DNSSEC, with DANE constituting a critical first step.

If you’d like to contribute to the effort of making the Internet a better place, I urge you to lend your voice to the call for full deployment of DNSSEC. It’s an important step, and it’s one we can all take together.
