Perimeter
8/24/2010
02:46 PM
Connect Directly
RSS
E-Mail
50%
50%

DNSSEC Will Drive Certificate Market

While DNNSEC will improve domain authentication, certificates still needed to verify the brand

With the landmark deployment of DNSSEC in the root a little over a month ago and the acceleration of top-level domains (TLDs) jumping onto the DNSSEC bandwagon through the end of this year and 2011, a big question remains: what does this protocol improvement mean for the digital certificate market?

DNSSEC offers essential changes to the Internet name space infrastructure that will enable future Internet architects to ensure that a domain is what it claims to be. But that doesn't mean certificates will fall by the wayside.

"Some people in our community believe that now with DNSSEC, certificate authorities don't matter anymore," says Dan Kaminsky, chief scientist for Recursion Ventures and the researcher best known for two years ago blowing the lid off a major DNS vulnerability that would enable attackers to easily perform cache poisoning attacks. "I tell you nothing could be further from the truth. Certificate authorities are now so much more important than they've ever been."

Russ Housley, chair of the Internet Engineering Task Force (IETF), concurs. "The DNS memory becomes a vector providing the authenticated integrity-protected path for these certificates," Housley says. "We'll be working in the future with that in mind. So I think you need to think of these as complements."

As Kaminsky explains, DNSSEC improves the ability of engineers to authenticate domains, but not necessarily brands. That's where certificates will continue to factor into the process.

"There are domains and there are brands and they are not in fact the same thing," he says. "DNS by its nature is an open name space, and as long as someone is not using a domain, you're allowed to register it and once you have that domain you can put whatever you want under it. That's how it works and no matter how much you kick and scream, nobody can say we're going to make it impossible for a name that looks like your bank to show up in the DNS. That's not something that is technically feasible."

Kaminsky points to extended validation SSL certificates as a perfect solution to this problem, as the certificate authorities (CAs) validate the true identity of the certificate holder, better authenticating the actual brand, rather than the domain. He says that DNSSEC is complementary to the extended validation certificates, fixing flaws that threatened the sanctity of this means of authentication.

"Last year Mike Zusman and Alexander Sotirov demonstrated that while extended validation certificates can do a tremendous amount of good, an attacker who has a non-extended certificate for the same name can actually interfere with the communication and get their malicious content to show up with a green bar and there was no fix possible then," he says. "Now with the root signed, DNSSEC can actually make assertions [that] this is the only certificate for this domain."

According to Jon Oltsik, security analyst for Enterprise Strategy Group, it may take time for organizations to truly recognize the complementary nature of DNSSEC and certificates so that it makes a sizeable bump in the market.

"I think over time DNSSEC really accelerates the certificate market, but I think in the short term people will do a lot of self-signing," Oltsik says. "It's likely to be a homegrown effort that will turn into a scalability mess and then into a market."

But growth in the certificate market is imminent, he says, and not just due to the adoption of DNSSEC--he cites other drivers such as IPSec, SOA, and Web services adoption as additional factors at play.

"I think DNSSEC is just one driver here," he says. "The market for certificates is going to continue to grow over the next few years."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1556
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php.

CVE-2014-2008
Published: 2014-09-12
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.

CVE-2014-2009
Published: 2014-09-12
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.

CVE-2014-4735
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in MyWebSQL 3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the table parameter to index.php.

CVE-2014-5259
Published: 2014-09-12
Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant