Perimeter
8/24/2010
02:46 PM
50%
50%

DNSSEC Will Drive Certificate Market

While DNNSEC will improve domain authentication, certificates still needed to verify the brand

With the landmark deployment of DNSSEC in the root a little over a month ago and the acceleration of top-level domains (TLDs) jumping onto the DNSSEC bandwagon through the end of this year and 2011, a big question remains: what does this protocol improvement mean for the digital certificate market?

DNSSEC offers essential changes to the Internet name space infrastructure that will enable future Internet architects to ensure that a domain is what it claims to be. But that doesn't mean certificates will fall by the wayside.

"Some people in our community believe that now with DNSSEC, certificate authorities don't matter anymore," says Dan Kaminsky, chief scientist for Recursion Ventures and the researcher best known for two years ago blowing the lid off a major DNS vulnerability that would enable attackers to easily perform cache poisoning attacks. "I tell you nothing could be further from the truth. Certificate authorities are now so much more important than they've ever been."

Russ Housley, chair of the Internet Engineering Task Force (IETF), concurs. "The DNS memory becomes a vector providing the authenticated integrity-protected path for these certificates," Housley says. "We'll be working in the future with that in mind. So I think you need to think of these as complements."

As Kaminsky explains, DNSSEC improves the ability of engineers to authenticate domains, but not necessarily brands. That's where certificates will continue to factor into the process.

"There are domains and there are brands and they are not in fact the same thing," he says. "DNS by its nature is an open name space, and as long as someone is not using a domain, you're allowed to register it and once you have that domain you can put whatever you want under it. That's how it works and no matter how much you kick and scream, nobody can say we're going to make it impossible for a name that looks like your bank to show up in the DNS. That's not something that is technically feasible."

Kaminsky points to extended validation SSL certificates as a perfect solution to this problem, as the certificate authorities (CAs) validate the true identity of the certificate holder, better authenticating the actual brand, rather than the domain. He says that DNSSEC is complementary to the extended validation certificates, fixing flaws that threatened the sanctity of this means of authentication.

"Last year Mike Zusman and Alexander Sotirov demonstrated that while extended validation certificates can do a tremendous amount of good, an attacker who has a non-extended certificate for the same name can actually interfere with the communication and get their malicious content to show up with a green bar and there was no fix possible then," he says. "Now with the root signed, DNSSEC can actually make assertions [that] this is the only certificate for this domain."

According to Jon Oltsik, security analyst for Enterprise Strategy Group, it may take time for organizations to truly recognize the complementary nature of DNSSEC and certificates so that it makes a sizeable bump in the market.

"I think over time DNSSEC really accelerates the certificate market, but I think in the short term people will do a lot of self-signing," Oltsik says. "It's likely to be a homegrown effort that will turn into a scalability mess and then into a market."

But growth in the certificate market is imminent, he says, and not just due to the adoption of DNSSEC--he cites other drivers such as IPSec, SOA, and Web services adoption as additional factors at play.

"I think DNSSEC is just one driver here," he says. "The market for certificates is going to continue to grow over the next few years."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0174
Published: 2015-04-27
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175
Published: 2015-04-27
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.