CAA Test Results

As promised, I’ve been testing Certification Authority Authorization (CAA) with some Certificate Authorities and here’s what I found so far:

Amazon Certificate Manager (ACM)


It does not appear they honor the IODEF, since I didn’t receive an email.

Let’s Encrypt appears to also block issuance:

Let’s Encrypt (using lego)

2018/12/29 16:44:30 Could not obtain certificates acme: Error -> One or more domains had a problem:
[] acme: Error 403 - urn:ietf:params:acme:error:caa - Error finalizing order :: Rechecking CAA: While processing CAA for CAA record for prevents issuance, While processing CAA for CAA record for prevents issuance

Alas, no email received from them either.

If you own a domain, you should certainly configure CAA. It appears to work and is another preventive control against phishing.

Getting to A+ with Qualys

One of the things I do when examining a website is to run it through Qualys’s SSL Labs Server Test. It does not provide a ‘security’ score per se, but it can be a good first step in making sure sessions are end-to-end encrypted between your users & your website.

As of 5:23PM on 28 Dec 2018 I have an A:

How do I get to A+?

How did I achieve this score?

  1. Disabled old / weak SSL / TLS protocols
  2. Enabled CAA policy

Here are the relevant httpd.conf lines:

Listen 443
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol TLSv1.2

And for CAA, I followed the guide here.

Why are these items important?

  1. TLS v1.1 and earlier have known vulnerabilities, so it’s important to disallow them and prevent eavesdropping
  2. As for CAA, I originally thought this was to prevent man-in-the-middle (MitM) attacks, but reading the RFC shows otherwise:

   The Certification Authority Authorization (CAA) DNS Resource Record
   allows a DNS domain name holder to specify the Certification
   Authorities (CAs) authorized to issue certificates for that domain.
   Publication of CAA Resource Records allows a public Certification
   Authority to implement additional controls to reduce the risk of
   unintended certificate mis-issue.

Digging a bit deeper, it appears the CAA RFC supports something interesting called IODEF. So of course, I had to see if I could activate it.
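To make the RFC’s rules concrete, here is an added example (my own code, not from the original post or from any CA’s implementation) that evaluates a CAA policy offline the way a CA is required to: climb from the requested name to the closest ancestor with CAA records, apply issue / issuewild, refuse on an unknown critical property, and report where an iodef notice would go. The zone data, names and addresses are constructed for illustration; no DNS lookups are made.

```python
from dataclasses import dataclass
from typing import Optional

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (not real DNS data): name -> CAA RRs as (flags, tag, value).
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                        # no wildcard issuance by anyone
        (0, "iodef", "mailto:security@example.com"),  # where a refused request is reported
    ],
    "locked.example.com": [(0, "issue", ";")],        # no CA may issue for this name
    "odd.example.com": [(128, "futuretag", "x"), (0, "issue", "letsencrypt.org")],
}

@dataclass
class Decision:
    policy_name: Optional[str]  # name whose CAA RRset governed the request
    allowed: bool
    iodef: Optional[str]        # iodef target a CA may notify, if published

def relevant_rrset(name, zone):
    """Climb toward the root and return the closest CAA RRset (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate, zone[candidate]
    return None, []

def ca_may_issue(name, ca_domain, wildcard=False, zone=ZONE):
    """Decide whether ca_domain may issue for name (or *.name when wildcard=True)."""
    policy_name, rrset = relevant_rrset(name, zone)
    if policy_name is None:
        return Decision(None, True, None)           # no CAA anywhere in the tree: unrestricted
    iodef = next((v for _, t, v in rrset if t == "iodef"), None)
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return Decision(policy_name, False, iodef)  # unknown critical property: must not issue
    tag = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in rrset if t == tag]
    if wildcard and not props:                      # issuewild absent: issue records apply
        props = [v for _, t, v in rrset if t == "issue"]
    if not props:
        return Decision(policy_name, True, iodef)   # only iodef etc.: issuance not restricted
    # Each value is "<issuer-domain>[; params]"; an empty issuer (";") authorizes nobody.
    issuers = {v.split(";", 1)[0].strip().lower() for v in props} - {""}
    return Decision(policy_name, ca_domain.lower() in issuers, iodef)
```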

That’s something I’ll be testing in a future post.

Update: I’m now at A+:

29 Dec 2019

How? I looked at other sites that were receiving A+ ratings and didn’t find many differences – key exchange was the same (RSA 2048) and they had ciphers that were 128 bits as well (similar to my site). HSTS was the big difference, and so I added this to my httpd.conf under the :443 virtual server:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"