Perimeter
8/24/2010
02:46 PM
Connect Directly
RSS
E-Mail
50%
50%

DNSSEC Will Drive Certificate Market

While DNNSEC will improve domain authentication, certificates still needed to verify the brand

With the landmark deployment of DNSSEC in the root a little over a month ago and the acceleration of top-level domains (TLDs) jumping onto the DNSSEC bandwagon through the end of this year and 2011, a big question remains: what does this protocol improvement mean for the digital certificate market?

DNSSEC offers essential changes to the Internet name space infrastructure that will enable future Internet architects to ensure that a domain is what it claims to be. But that doesn't mean certificates will fall by the wayside.

"Some people in our community believe that now with DNSSEC, certificate authorities don't matter anymore," says Dan Kaminsky, chief scientist for Recursion Ventures and the researcher best known for two years ago blowing the lid off a major DNS vulnerability that would enable attackers to easily perform cache poisoning attacks. "I tell you nothing could be further from the truth. Certificate authorities are now so much more important than they've ever been."

Russ Housley, chair of the Internet Engineering Task Force (IETF), concurs. "The DNS memory becomes a vector providing the authenticated integrity-protected path for these certificates," Housley says. "We'll be working in the future with that in mind. So I think you need to think of these as complements."

As Kaminsky explains, DNSSEC improves the ability of engineers to authenticate domains, but not necessarily brands. That's where certificates will continue to factor into the process.

"There are domains and there are brands and they are not in fact the same thing," he says. "DNS by its nature is an open name space, and as long as someone is not using a domain, you're allowed to register it and once you have that domain you can put whatever you want under it. That's how it works and no matter how much you kick and scream, nobody can say we're going to make it impossible for a name that looks like your bank to show up in the DNS. That's not something that is technically feasible."

Kaminsky points to extended validation SSL certificates as a perfect solution to this problem, as the certificate authorities (CAs) validate the true identity of the certificate holder, better authenticating the actual brand, rather than the domain. He says that DNSSEC is complementary to the extended validation certificates, fixing flaws that threatened the sanctity of this means of authentication.

"Last year Mike Zusman and Alexander Sotirov demonstrated that while extended validation certificates can do a tremendous amount of good, an attacker who has a non-extended certificate for the same name can actually interfere with the communication and get their malicious content to show up with a green bar and there was no fix possible then," he says. "Now with the root signed, DNSSEC can actually make assertions [that] this is the only certificate for this domain."

According to Jon Oltsik, security analyst for Enterprise Strategy Group, it may take time for organizations to truly recognize the complementary nature of DNSSEC and certificates so that it makes a sizeable bump in the market.

"I think over time DNSSEC really accelerates the certificate market, but I think in the short term people will do a lot of self-signing," Oltsik says. "It's likely to be a homegrown effort that will turn into a scalability mess and then into a market."

But growth in the certificate market is imminent, he says, and not just due to the adoption of DNSSEC--he cites other drivers such as IPSec, SOA, and Web services adoption as additional factors at play.

"I think DNSSEC is just one driver here," he says. "The market for certificates is going to continue to grow over the next few years."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5619
Published: 2014-09-29
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.

CVE-2012-5621
Published: 2014-09-29
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings.

CVE-2012-6107
Published: 2014-09-29
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2012-6110
Published: 2014-09-29
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor.

CVE-2013-1874
Published: 2014-09-29
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.