Apr 4, 2011 13:57 GMT

The security of the public key infrastructure (PKI), which is used to establish trust on the Internet via digital certificates, was the main focus of the 80th Internet Engineering Task Force (IETF) meeting.

The Internet Engineering Task Force (IETF) is an open standards organization composed of working groups and discussion groups dedicated to developing Internet standards.

The organization holds two meetings every year and the latest took place between March 27 and April 1 in Prague, the Czech Republic.

PKI security became a central discussion topic following last month's compromise of several Comodo Registration Authorities (RAs) which resulted in rogue certificates being wrongfully issued for high-profile domains.

Renowned computer scientist Dr. Phillip Hallam-Baker, the father of the HTTP Referer header and current Comodo vice president, presented a proposal, co-authored with a Comodo colleague and a Google researcher, that involves the creation of a new DNS Resource Record (RR).

The RR would be used to specify which Certification Authorities (CAs) are accepted as issuers for a given domain. For example, if Google were to use a certificate signed by VeriSign, specifying that in the DNS resource record would prevent a cert issued by Comodo for google.com from working.

This blocks some man-in-the-middle attack scenarios where the attacker is only able to hijack Web traffic. However, if they also control the DNS server used by the victim, they can forge the RR as well and specify whatever CA they want.
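As an added example, not code from the article or from the proposal's authors, here is the check the article describes: the client finds the domain's list of permitted issuers by walking up from the host name and accepts a certificate only if its issuer is listed. The record name, the lookup rule and the zone data are assumptions, since the article gives no wire format; the last function models the caveat that a forged DNS answer defeats the check.

```python
from typing import Dict, List, Optional

# Assumed representation of the proposed record: domain -> CAs allowed to
# issue for it. Constructed sample data, not real DNS.
Zone = Dict[str, List[str]]

ZONE: Zone = {
    "google.com": ["VeriSign"],
    "mail.example.org": ["Comodo"],
}


def lookup_policy(zone: Zone, host: str) -> Optional[List[str]]:
    """Return the issuer policy covering host.

    Assumed lookup rule: check the host itself, then each parent domain,
    stopping before the TLD. None means the domain publishes no policy.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        policy = zone.get(".".join(labels[i:]))
        if policy is not None:
            return policy
    return None


def certificate_accepted(zone: Zone, host: str, issuer: str) -> bool:
    """Accept the certificate only if its issuing CA is one the domain lists."""
    policy = lookup_policy(zone, host)
    if policy is None:
        # No record published: fall back to today's "any trusted CA" behaviour.
        return True
    return issuer in policy


def with_forged_record(zone: Zone, host: str, issuer: str) -> Zone:
    """Model the article's caveat: whoever controls the victim's DNS answers
    can return a record naming any CA, so the check passes for a rogue cert.
    Only DNSSEC-validated answers close this gap."""
    forged = dict(zone)
    forged[host] = [issuer]
    return forged
```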

This is the case in countries with oppressive governments that control the Internet gateways. For example, during the pro-democracy protests in Tunisia, the country's telecommunications authority used this kind of power to launch mass phishing attacks against Gmail, Facebook, Yahoo! and Hotmail users.

The only solution to this problem would be the adoption of DNS Security Extensions (DNSSEC), which make DNS records tamper-proof. DNSSEC is currently being deployed at the root and TLD zone level, but it will take a long time before it sees widespread use.