Catching up on developments from last week, and it’s worth mentioning that version 1.1.0 of OpenSSL has been released. As well as removing support for deprecated cryptographic protocols including SSLv2, this release is notable for adding support for DANE (DNS-based Authentication of Named Entities) and Certificate Transparency.
OpenSSL is an open-source software library developed by the OpenSSL Software Foundation that is estimated to be used by over two-thirds of all web servers. The core library implements basic cryptographic functions, with support for a variety of programming languages being provided through the use of wrappers. There are versions available for Windows, MacOS, Linux and other Unix-like operating systems, as well as OpenVMS and System i.
With DANE, a domain administrator is able to certify their public keys by storing them in the DNS if it is enabled for DNSSEC. This is done through TLSA records that associate a TLS certificate or public key with a particular domain name, which may then be cryptographically asserted via DNSSEC. The advantage is that less reliance needs to be placed on third party Certificate Authorities (CAs), which have in the past accidentally or fraudulently issued incorrect certificates. DANE can be used for a variety of applications as well as web servers, and we previously highlighted how to use it with mail servers, so it is extremely important for the widespread deployment of DANE to have support included in OpenSSL.
Certificate Transparency is an experimental IETF standard (RFC 6962) for monitoring and auditing digital certificates. This allows website users and domain owners to identify mistakenly or maliciously issued certificates using Certificate Transparency logs that verify that each submitted certificate has a valid signature chain leading back to a trusted root certificate. Certificate Transparency monitors can then check these logs for suspicious activity, whilst Certificate Auditors (possibly built into clients) can check logs against each other for consistency and integrity.
At Deploy360, we encourage the use of TLS, DNSSEC and DANE. Please take a look at our Start Here page to understand how you can get started with these technologies.