TDANE: Mechanism for Validation of Domain Certificates for Trusted Browsing

International Conference on Intelligent Computing and Control Systems (2021)

Abstract
Certificate authorities issue certificates only to the legal domain owners. Recent studies show that most CAs exhibit weaknesses while validating the domain owner. Major CAs are vulnerable to a MITM attack. This kind of attack allows the attacker to obtain a certificate from CAs for domains which he doesn't own. There are too many CAs in the market, and it is too difficult to trust so many CAs. DNS-based Authentication of Named Entities (DANE) is an Internet security protocol that allows X.509 digital certificates to be tied to domain names using DNSSEC. DANE does not require any CA to authenticate domain names. Normally DNSSEC would be enough to provide secure and authenticated DNS resolution to all clients, but that is a small portion of all Internet-based communications such as TLS, SMTP, etc. The DANE protocol attempts to solve some problems with the Transport Layer Security (TLS) protocol by leveraging the existing DNS system. It essentially ties together the X.509 chain of trust and the DNSSEC chain of trust, so that they can complement each other and provide much better authentication of any entity. The TLSA record is, simply put, a hash value. If a malicious actor were to create a PKI hierarchy with their own self-signed certificate and thereby issue fake certificates to end entities, then although browsers would not trust those certificates, DANE would still validate their TLSA records as true. Building on the foundation of DNSSEC and improving on the ideology behind the design of DANE, a new solution, known as Trusted DANE, is proposed for this problem. The proposed solution involves a central DNS resolver which itself acts as a trust anchor to both the X.509 chain of trust and the DNSSEC chain of trust. Here, the service provider will provide an additional layer of authentication to users over existing DANE, by maintaining a record of registered service providers, their public key certificates, and their TLSA records. Whenever a client makes a DNS query via our DNS servers, the query is resolved immediately while the service provider's certificate and its TLSA record are verified by matching them against the records in our database.
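The abstract says a TLSA record is "simply put a hash value" and that the proposed resolver matches a presented certificate and its TLSA record against a registry. The following is an added example (not the paper's code) that makes both points concrete: it computes TLSA matching data per RFC 6698 (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0/1/2 = exact/SHA-256/SHA-512), shows that DANE-EE (usage 3) records validate any key the zone publishes regardless of any CA, and models the paper's registry as a dictionary keyed by domain. The certificate is a hand-built DER skeleton with the right outer structure, not a real signed X.509 certificate; the key bytes, domain name and registry are constructed placeholders.

```python
"""Toy TLSA (RFC 6698) matching and a registry check in the spirit of the paper.

Added example, not the paper's code. The certificate is a constructed DER
skeleton (Certificate / TBSCertificate / SubjectPublicKeyInfo) whose key and
signature bytes are placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short length below 128 bytes, long form above)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(len_bytes)]) + len_bytes
    return bytes([tag]) + length + content


def der_parse(data: bytes):
    """Parse the TLV at the start of data -> (tag, content, whole_tlv, rest)."""
    tag, n, j = data[0], data[1], 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(data[2:2 + k], "big")
        j = 2 + k
    return tag, data[j:j + n], data[:j + n], data[j + n:]


def der_children(content: bytes):
    """Split a constructed value's content into (tag, child_tlv) pairs."""
    out = []
    while content:
        tag, _, tlv, content = der_parse(content)
        out.append((tag, tlv))
    return out


def build_toy_cert(pubkey: bytes) -> tuple[bytes, bytes]:
    """Return (certificate DER, SubjectPublicKeyInfo DER) for a constructed cert."""
    rsa_alg = der_tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
    spki = der_tlv(0x30, rsa_alg + der_tlv(0x03, b"\x00" + pubkey))
    name = der_tlv(0x30, b"")                                   # empty Name (toy)
    validity = der_tlv(0x30, der_tlv(0x17, b"210101000000Z") * 2)
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))   # [0] version v3
                  + der_tlv(0x02, b"\x01") + rsa_alg + name + validity + name + spki)
    cert = der_tlv(0x30, tbs + rsa_alg + der_tlv(0x03, b"\x00" * 9))  # placeholder sig
    return cert, spki


def extract_spki(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo of a Certificate: what TLSA selector 1 hashes."""
    _, cert_body, _, _ = der_parse(cert_der)
    _, tbs_body, _, _ = der_parse(cert_body)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:          # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def tlsa_matching_data(selector: int, matching_type: int, cert_der: bytes) -> bytes:
    chosen = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[matching_type](chosen)


def tlsa_record_for(usage: int, selector: int, matching_type: int, cert_der: bytes) -> TLSA:
    """What a zone operator publishes for its own certificate."""
    return TLSA(usage, selector, matching_type, tlsa_matching_data(selector, matching_type, cert_der))


def tlsa_verifies(record: TLSA, cert_der: bytes, pkix_valid: bool) -> bool:
    """End-entity DANE check. PKIX usages (0, 1) also need a CA-valid chain,
    which the caller reports via pkix_valid; DANE usages (2, 3) do not."""
    if record.usage in (0, 2):
        raise NotImplementedError("trust-anchor usages constrain a CA in the chain, not the leaf")
    if record.usage == 1 and not pkix_valid:
        return False
    presented = tlsa_matching_data(record.selector, record.matching_type, cert_der)
    return hmac.compare_digest(presented, record.data)


def trusted_dane_check(registry: dict, domain: str, record: TLSA, cert_der: bytes) -> bool:
    """The paper's extra layer, as a toy: accept only the (cert, TLSA) pair the
    provider registered for that domain, not just any self-consistent pair."""
    entry = registry.get(domain)
    if entry is None:
        return False
    reg_cert, reg_record = entry
    return reg_record == record and hmac.compare_digest(reg_cert, cert_der)


if __name__ == "__main__":
    legit_cert, _ = build_toy_cert(b"\x01" * 32)      # constructed key bytes
    rogue_cert, _ = build_toy_cert(b"\x02" * 32)
    published = tlsa_record_for(3, 1, 1, legit_cert)
    registry = {"example.test": (legit_cert, published)}  # constructed registry
    print("legit vs published TLSA:", tlsa_verifies(published, legit_cert, pkix_valid=False))
    print("rogue vs published TLSA:", tlsa_verifies(published, rogue_cert, pkix_valid=True))
    rogue_rec = tlsa_record_for(3, 1, 1, rogue_cert)
    print("rogue vs its own TLSA (plain DANE):", tlsa_verifies(rogue_rec, rogue_cert, False))
    print("rogue vs registry (Trusted DANE):", trusted_dane_check(registry, "example.test", rogue_rec, rogue_cert))
```

The last two lines of the demo show the gap the abstract describes and the registry's answer to it: a DANE-EE record that a zone publishes for its own key verifies with no CA involved, so an actor who controls the zone's records can publish a record for any certificate; the registry check only accepts the pair that was registered out of band. A real deployment would take the certificate from the TLS handshake, the record from a DNSSEC-validated TLSA lookup, and the `pkix_valid` flag from the platform's chain validator.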
Keywords
Certifying Authority (CA), DANE, DNS, DNSSEC, TLSA Record