forked from SSLMate/caa_helper
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathabout.xml
143 lines (122 loc) · 4.86 KB
/
about.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
<caa:page xmlns="http://www.w3.org/1999/xhtml" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:caa="http://xmlns.sslmate.com/caa" id="about">
<!--
Copyright (C) 2016-2017 Opsmate, Inc.
This Source Code Form is subject to the terms of the Mozilla
Public License, v. 2.0. If a copy of the MPL was not distributed
with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
This software is distributed WITHOUT A WARRANTY OF ANY KIND.
See the Mozilla Public License for details.
-->
<caa:title>About CAA</caa:title>
<caa:head>
</caa:head>
<caa:body>
<div class="about">
<h2>About CAA</h2>
<p>
There are over 100 organizations, called certificate authorities,
that can issue SSL certificates which vouch for the
identity of your domain. If a certificate authority misbehaves
and gives an attacker a certificate for your domain, the attacker can
impersonate your website and intercept the data of your visitors.
</p>
<p>
If you're like most domain owners, you
get your certificates from only a handful of certificate
authorities. CAA (Certificate Authority Authorization) is a type of DNS
record that lets you declare
which certificate authorities you actually use, forbidding the others
from issuing certificates for your domain.
</p>
<p>
Here are some reasons for you to use CAA:
</p>
<ul>
<li>
You want to reduce your risk from insecure certificate authorities.
You can use CAA to limit your domain to certificate authorities which
you trust not to issue unauthorized certificates.
</li>
<li>
You want to stop your employees from obtaining certificates from
unauthorized vendors.
</li>
</ul>
<p>
Setting up CAA is easy. Use the handy <a href=".">CAA generator</a>
to check off the certificate authorities which you authorize.
Then publish the generated DNS records in your domain's DNS.
Your domain needs to be hosted with a <a href="support">DNS provider
that supports CAA</a>. Fortunately, many major DNS providers now support CAA.
</p>
<p>
CAA is an IETF standard defined by
<a href="https://tools.ietf.org/html/rfc8659">RFC 8659</a>. As of September 8, 2017,
all public certificate authorities are required to respect CAA records. Before
issuing a certificate for a domain, they must check the domain for CAA
records, and refuse to issue if the CAA record set doesn't authorize them.
(If there is no CAA record, they are allowed to issue.)
</p>
<h3>CAA and Sub-domains</h3>
<p>
The CAA record set for a domain also applies to all sub-domains,
unless the sub-domain has its own CAA record set.
</p>
<p>
For example, before a certificate authority issues a certificate for www.example.com,
it will query domains for CAA record sets in the following order, and use the first
record set it finds:
</p>
<ol>
<li>www.example.com</li>
<li>example.com</li>
</ol>
<!--
<p>
For example, if there are CAA record sets for example.com and blog.example.com,
the example.com record set is consulted when issuing certificates for example.com and
www.example.com, and the blog.example.com record set is consulted when issuing certificates
for blog.example.com and www.blog.example.com.
</p>
-->
<h3>CAA and CNAME</h3>
<p>
If a domain name is a CNAME (also known as an alias) for another domain, then
the certificate authority looks for the CAA record set at the CNAME target
(just like any other DNS lookup). If no CAA record set is found,
the certificate authority continues searching parent domains of the original
domain name.
</p>
<p>
For example, if blog.example.com is a CNAME for blogprovider.example, then
the certificate authority looks for CAA record sets in the following order:
</p>
<ol>
<li>blogprovider.example</li>
<li>example.com</li>
</ol>
<p>
As with other DNS record types, it is not possible for a domain name to have
both a CNAME and a CAA record.
</p>
<h3>Limitations</h3>
<p>
A certificate authority that goes rogue or is totally compromised
can issue a certificate for your domain regardless of what CAA says. Also,
DNS records can be spoofed by a powerful attacker to trick a certificate authority
into thinking that it is authorized.
</p>
<p>
However, in practice CAA would have protected
domain owners from many of the recent security vulnerabilities
in certificate authorities. Publishing a CAA policy is a very
sensible security measure despite its limitations.
</p>
<p>
For added protection, use a Certificate Transparency monitor such as
<a href="https://sslmate.com/certspotter">Cert Spotter</a> to alert you if
a certificate is issued that violates your CAA policy.
</p>
</div>
</caa:body>
</caa:page>