30 June 2025
Feisty Duck’s Cryptography & Security Newsletter is a periodic dispatch bringing you commentary and news surrounding cryptography, security, privacy, SSL/TLS, and PKI. It's designed to keep you informed about the latest developments in this space. Enjoyed every month by more than 50,000 subscribers. Written by Ivan Ristić.
We use digital certificates to secure our network communication, but have you ever considered that the issuance of the certificates themselves is essentially trust on first use (TOFU)? This acronym is commonly used to refer to a trust model that’s bootstrapped on the assumption that the first interaction is with the intended party, but this assumption is not fully validated.
You may be more familiar with TOFU from SSH, in which clients remember servers’ keys when they connect for the first time. This works because it’s normally very unlikely that someone will interfere with this very first connection. That’s because it usually happens immediately after a new server is booted for the first time, which is an event that’s under your control.
It’s less obvious that the entirety of internet PKI operates in the same way, because we normally interact with digital certificates and there is an assumption that they have been obtained securely. However, in practice, this is again TOFU. When a certificate is requested, behind the scenes, CAs use insecure communication to validate domain control. To be clear, this does help, because there is now only one initial insecure connection per certificate, after which the entire world can connect securely.
This trust model, on which internet PKI is based, works—until it is attacked. Any party that can intercept the communication between the CA and an IP address behind a domain name can get a fraudulent certificate. The attack vectors include man-in-the-middle attacks, BGP hijacking, and exploitation of dangling DNS issues.
Work has been under way to improve this situation, starting with Multi-Perspective Issuance Corroboration (MPIC), which has been adopted by the CA/Browser Forum and will become mandatory in September 2025. This technique raises the bar by enforcing multiple geographically dispersed vantage points for CAs’ DNS queries and validation traffic. Although it helps, MPIC is not a foolproof solution.
But we can do better than that. In their paper titled Cryptographically-Secured Domain Validation, a group of researchers proposes measures to close the remaining security gaps. Their approach is threefold: (1) Devise a set of new ACME methods for cryptographic domain validation; (2) extend CAA to enable property owners to require increased security; and (3) rely on DNSSEC to deliver authentic CAA records.
Sounds great! When can we have it? Actually, some aspects of this proposal have already been adopted. In ballot SC-085v2, the CA/Browser Forum decided to make DNSSEC validation mandatory. This in itself is an improvement and allows anyone to use ACME Account Binding (RFC 8657) today for authenticated issuance. RFC 8657 itself is not yet mandatory, but there are indications that it will be adopted by the CA/Browser Forum. The rest of the proposal for cryptographic domain validation will hopefully follow over time. The RFC to update CAA is already in progress.
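To make the RFC 8657 account-binding check concrete, here is an added example (not code from the newsletter or from the paper) of the decision a CA makes against a domain's CAA records: the constructed record set below allows only one CA, one ACME account and the DNS-01 challenge, and forbids wildcard issuance outright. The CA name, account URI and record contents are assumptions.

```python
from dataclasses import dataclass

@dataclass
class CaaRecord:
    """One CAA RR: flags, property tag ('issue', 'issuewild', 'iodef'), and value."""
    flags: int
    tag: str
    value: str

def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer domain, parameter dict).
    Syntax (RFC 8659): 'issuer-domain; key1=val1; key2=val2'. An empty issuer
    domain (e.g. the value ';') means 'no CA may issue'."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for param in parts[1:]:
        if not param:
            continue
        key, _, val = param.partition("=")
        params[key.strip().lower()] = val.strip()
    return issuer, params

def issuance_permitted(records, ca_domain, account_uri, method, wildcard=False):
    """Decide whether ca_domain may issue for this name using ACME account
    account_uri and challenge type method (e.g. 'dns-01'), honouring the
    RFC 8657 'accounturi' and 'validationmethods' parameters."""
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag.lower() == tag]
    if wildcard and not relevant:  # no issuewild: wildcard falls back to issue
        relevant = [r for r in records if r.tag.lower() == "issue"]
    if not relevant:  # no applicable property: CAA places no restriction
        return True
    for rec in relevant:
        issuer, params = parse_issue_value(rec.value)
        if issuer != ca_domain.lower():  # also rejects the empty 'forbid all' issuer
            continue
        # accounturi binds issuance to one ACME account; compared as an exact string
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        # validationmethods restricts which challenge types the CA may accept
        if "validationmethods" in params:
            allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
            if method.lower() not in allowed:
                continue
        return True
    return False

# Constructed record set (assumed names): one CA, one account, DNS-01 only; no wildcards.
EXAMPLE_CAA = [
    CaaRecord(0, "issue", "ca.example.net; accounturi=https://acme.ca.example.net/acct/1234; validationmethods=dns-01"),
    CaaRecord(0, "issuewild", ";"),
]
```

Without the accounturi parameter, any party that can win the insecure validation exchange described above could obtain a certificate from the listed CA; with it, the CA also requires the request to come from the one ACME account the domain owner named.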
It feels like we’re on the verge of convergence of the internet PKI and DNSSEC trust models. For years, internet PKI has been developed under the assumption that DNS cannot be trusted. This was not necessarily because DNS couldn’t be secured at the technical level (although, admittedly, DNSSEC can be quite clunky) but because governments, which ultimately control DNS, can’t be trusted in the long term. As a result of this decision, a lot of effort went into securing internet PKI, an effort that could have potentially been avoided by relying on DNSSEC. However, if the models are unified, we may end up with a trust model that’s fully authenticated (DNSSEC) but comes with transparency and enables property owners to maintain control (internet PKI). Exciting.