Comments on: A Risk-Based Look at Fixing the Certificate Authority Problem
http://security.blogoverflow.com/2011/08/a-risk-based-look-at-fixing-the-certificate-authority-problem/
The Security Stack Exchange Blog

By: roryalsop (Tue, 06 Sep 2011 15:13:33 +0000)
http://security.blogoverflow.com/2011/08/a-risk-based-look-at-fixing-the-certificate-authority-problem/#comment-83

Hi Chris – yes, there isn’t a single cure, unfortunately, so I think we will see a number of partial solutions implemented… It’s not clean, but the options do manage the different risk profiles.

By: Chris Mankowski (Mon, 05 Sep 2011 14:13:33 +0000)
http://security.blogoverflow.com/2011/08/a-risk-based-look-at-fixing-the-certificate-authority-problem/#comment-81

Please disregard that last comment. According to the links below, DNS vulnerabilities and CA vulnerabilities have overlapping threat models. DNSSEC is essential for “risky configurations”, which include Wi-Fi configurations, SOHO routers, or whenever there is an active intermediary.

http://security.stackexchange.com/questions/6827/h

http://security.stackexchange.com/questions/6824/c

By: Chris Mankowski (Sun, 04 Sep 2011 16:13:44 +0000)
http://security.blogoverflow.com/2011/08/a-risk-based-look-at-fixing-the-certificate-authority-problem/#comment-72

Although DNSSEC is the ideal direction, the time and cost of implementing it will leave this vulnerability out in the open for way too long.

A more immediate solution to this problem could be simply listing the valid CA thumbprints in a corresponding TXT record per website. This thinking is very similar to how SPF records are used to prevent email spoofing. In this context, we’re preventing CA spoofing and leaving the burden/responsibility of security on the network admin.

For example, if a browser queries “www.google.com” I get an address. Then if SSL is being used, the browser issues a TXT query for “www.google.com”. That response will include a list of permitted Intermediate CAs.
