Readers of my blog will recall that I have mentioned the importance of protecting your web site with SSL (meaning that the web site supports “https://”). The SSL protects the visitors to your web site, as well as boosting your Google search ranking. Now comes yet another smart thing that you should do to protect your web site — setting up DNS Certification Authority Authorization (CAA). CAA is a thing that does not cost you any money to do, and you only need to do it once. CAA greatly reduces the risk that a bad person could compromise the SSL protection on your web site.
The background to all of this is that SSL protection relies upon CAs (Certificate Authorities) to issue SSL certificates. You go to a CA and ask for an SSL certificate for your web site, and the CA gives you the SSL certificate. There are CAs that charge money for an SSL certificate and there are CAs (such as Let’s Encrypt) that provide them at no cost. It turns out that over the years, some CAs have been sloppy and have issued SSL certificates that they should not have issued. And over the years, some CAs have permitted their cryptographic keys to be compromised.
CAA is a mechanism by which the owner of a web site can indicate that only particular CAs are permitted to issue SSL certificates for that web site. The web site owner inserts a “CAA record” into the zone file of the DNS (domain name service) for that web site. A CA that gets asked to generate an SSL certificate (perhaps having been asked to do so by a bad person) will look to see whether the web site owner has set up a CAA record. If yes, then the CA will look at the CAA record and will proceed only if the CAA record lists that particular CA as an authorized issuer of SSL certificates.
Setting up CAA is quite easy. You simply create a CAA record and insert it into your DNS zone file. Here is a typical (and actual) CAA record:
oppedahl.com. IN CAA 0 issue "letsencrypt.org"
This record tells all of the Certificate Authorities in the world that if they are not “Let’s Encrypt” then they should decline to issue an SSL certificate for “oppedahl.com”.
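As an added illustration (not part of the original post), here is the decision a CA makes before issuing, following the RFC 8659 rules the post describes: climb the DNS tree to the closest CAA record set, then issue only if the CA's own domain is listed. The zone is a constructed in-memory stand-in for real DNS, and the entries other than the oppedahl.com record are made up for the example.

```python
# Added example: the CAA check a CA runs before issuing (RFC 8659), against a
# constructed in-memory zone. Each record is a tuple (flags, tag, value).
CAA_ZONE = {
    "oppedahl.com.": [(0, "issue", "letsencrypt.org")],        # the post's record
    "example.net.": [(0, "issue", ";")],                        # ";" = nobody may issue
    "shop.example.org.": [(0, "issue", "letsencrypt.org"),      # constructed entry
                          (0, "issuewild", "digicert.com")],
}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; return the closest CAA record set found."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []  # no CAA record anywhere up the tree

def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(fqdn, ca_domain, zone):
    """True if the CA identified by ca_domain may issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    if wildcard:                       # the "*." label is dropped before the lookup
        fqdn = fqdn[2:]
    rrset = relevant_rrset(fqdn, zone)
    # A critical property (flag bit 128) the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    props = [v for _, t, v in rrset if t == "issue"]
    if wildcard:
        wild = [v for _, t, v in rrset if t == "issuewild"]
        if wild:                       # issuewild present: issue properties are ignored
            props = wild
    if not props:                      # CAA absent or no applicable property: unrestricted
        return True
    return ca_domain.lower() in {issuer_domain(v) for v in props}
```

Note that a name with no CAA record anywhere above it is unrestricted, which is exactly why the post recommends adding one.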
It took me about two minutes to construct this CAA record (a nice web page provided by SSL Mate makes this easy) and another five minutes to insert the CAA record into the DNS zone file for “oppedahl.com”.
Qualys surveys popular web sites to measure the extent to which webmasters are following Best Practices regarding SSL protection (see report). As of August 3, 2018, Qualys found that about 3.7% of web sites had set up CAA protection.
There are other smart things that you should do regarding SSL on your web site. For example you should turn on HSTS, which nudges a visitor’s web browser to use “https://” in the future rather than mere “http://” when visiting your web site. (As of August 3, 2018, Qualys found that 18% of web sites had turned on HSTS.) And you should use only modern encryption software on your SSL-protected web site, so that your visitors are protected with PFS (perfect forward secrecy).
Giving credit where credit is due, the only reason that I know about CAA is that I was told about it by my webmaster-savvy client Webmagic.
Have you set up a CAA record for your web site? If so, please post a comment below.
The only addition I have is that Qualys only has one ‘s’.
Thank you. I have corrected the spelling in the blog article, thanks to you.