Perimeter
8/24/2010
02:46 PM
Connect Directly
RSS
E-Mail
50%
50%

DNSSEC Will Drive Certificate Market

While DNNSEC will improve domain authentication, certificates still needed to verify the brand

With the landmark deployment of DNSSEC in the root a little over a month ago and the acceleration of top-level domains (TLDs) jumping onto the DNSSEC bandwagon through the end of this year and 2011, a big question remains: what does this protocol improvement mean for the digital certificate market?

DNSSEC offers essential changes to the Internet name space infrastructure that will enable future Internet architects to ensure that a domain is what it claims to be. But that doesn't mean certificates will fall by the wayside.

"Some people in our community believe that now with DNSSEC, certificate authorities don't matter anymore," says Dan Kaminsky, chief scientist for Recursion Ventures and the researcher best known for two years ago blowing the lid off a major DNS vulnerability that would enable attackers to easily perform cache poisoning attacks. "I tell you nothing could be further from the truth. Certificate authorities are now so much more important than they've ever been."

Russ Housley, chair of the Internet Engineering Task Force (IETF), concurs. "The DNS memory becomes a vector providing the authenticated integrity-protected path for these certificates," Housley says. "We'll be working in the future with that in mind. So I think you need to think of these as complements."

As Kaminsky explains, DNSSEC improves the ability of engineers to authenticate domains, but not necessarily brands. That's where certificates will continue to factor into the process.

"There are domains and there are brands and they are not in fact the same thing," he says. "DNS by its nature is an open name space, and as long as someone is not using a domain, you're allowed to register it and once you have that domain you can put whatever you want under it. That's how it works and no matter how much you kick and scream, nobody can say we're going to make it impossible for a name that looks like your bank to show up in the DNS. That's not something that is technically feasible."

Kaminsky points to extended validation SSL certificates as a perfect solution to this problem, as the certificate authorities (CAs) validate the true identity of the certificate holder, better authenticating the actual brand, rather than the domain. He says that DNSSEC is complementary to the extended validation certificates, fixing flaws that threatened the sanctity of this means of authentication.

"Last year Mike Zusman and Alexander Sotirov demonstrated that while extended validation certificates can do a tremendous amount of good, an attacker who has a non-extended certificate for the same name can actually interfere with the communication and get their malicious content to show up with a green bar and there was no fix possible then," he says. "Now with the root signed, DNSSEC can actually make assertions [that] this is the only certificate for this domain."

According to Jon Oltsik, security analyst for Enterprise Strategy Group, it may take time for organizations to truly recognize the complementary nature of DNSSEC and certificates so that it makes a sizeable bump in the market.

"I think over time DNSSEC really accelerates the certificate market, but I think in the short term people will do a lot of self-signing," Oltsik says. "It's likely to be a homegrown effort that will turn into a scalability mess and then into a market."

But growth in the certificate market is imminent, he says, and not just due to the adoption of DNSSEC--he cites other drivers such as IPSec, SOA, and Web services adoption as additional factors at play.

"I think DNSSEC is just one driver here," he says. "The market for certificates is going to continue to grow over the next few years."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.