What If: Anticompetitive uses of CAA

July 18 2018

From the inventors of:

Sorry, you will need to upgrade to a Business plan to create TXT records

and

We can’t provide help installing NON-PREMIUM SSL certificates bought from a street vendor.

I present to you a brave new way for hosting companies to gouge their customers: preventing them from acquiring certificates from anyone but the host.

SSL Vendor Lock-in via CAA

CAA (RFC 6844) was designed to let a domain owner state which certificate authorities may issue for the domain. Since September 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to check it before issuing, so it is now a substantial security control in the hands of domain owners.

Unfortunately, retail shared hosting providers have a bad habit of failing to recognize domain owners’ authority over their own domains.

One year from now, we could be seeing shared hosting services with “default” (pay-to-remove or pay-us-for-a-certificate) CAA records such as:

example.org.   IN  CAA   0 issue "comodoca.com; reseller=ripoff-hosting.net"

Because a CA looks for CAA records at the requested name and then at each parent label in turn, a record like this at the apex (with nothing below it) forces every CA other than Comodo to refuse issuance for the domain and all of its subdomains, and a customer whose control panel will not let them edit DNS records has no way to take it out.
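To make the effect concrete, here is a small model of the check a CA performs before issuing, following the RFC 6844/8659 lookup and matching rules, run against a constructed in-memory zone that contains the lock-in record above. This is an added example, not code from the post or from any CA; the domain names, the zone contents and the `reseller=` parameter are assumptions, and the model leaves out CNAMEs, DNSSEC and DNS failure handling that a real CA must deal with.

```python
from __future__ import annotations
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # flags bit 7: "issuer critical" (RFC 8659 section 4.1)


@dataclass(frozen=True)
class CAA:
    """One CAA resource record: <flags> <tag> <value>."""
    flags: int
    tag: str
    value: str


# Constructed zone data for this example; the domain names are hypothetical.
ZONE: dict[str, list[CAA]] = {
    # the "default" lock-in record a hosting provider might plant at the apex
    "ripoff-hosted.example": [
        CAA(0, "issue", "comodoca.com; reseller=ripoff-hosting.net"),
    ],
    # a domain owner's own policy: one CA, wildcards from nobody
    "strict.example": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@strict.example"),
    ],
}


def parse_value(value: str) -> tuple[str, dict[str, str]]:
    """Split 'issuer-domain-name; k=v; k=v' into the issuer and its parameters.
    An empty issuer (the value ';') means that no CA at all may issue.
    Parameter semantics are CA-defined and are not interpreted here."""
    head, *rest = value.split(";")
    params: dict[str, str] = {}
    for part in rest:
        if "=" in part:
            k, v = part.split("=", 1)
            params[k.strip()] = v.strip()
    return head.strip().lower(), params


def relevant_rrset(name: str, zone: dict[str, list[CAA]] = ZONE) -> list[CAA]:
    """Walk from the requested name toward the root; the first label that has
    any CAA records is the relevant RRset (RFC 8659 section 3).  A record at
    a closer name therefore takes precedence over one at the apex."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(ca: str, name: str, wildcard: bool = False,
              zone: dict[str, list[CAA]] = ZONE) -> bool:
    """Decide whether `ca` (its issuer-domain-name) may issue for `name`, or
    for '*.<name>' when wildcard=True, per RFC 8659 section 4."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised tag carrying the critical bit forbids issuance outright.
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in known for r in rrset):
        return False
    # For wildcard names, issuewild records (if any) replace issue records.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    applicable = [r for r in rrset if r.tag.lower() == tag]
    if not applicable:
        return True  # records exist, but none constrains this kind of issuance
    return any(parse_value(r.value)[0] == ca.lower() for r in applicable)


if __name__ == "__main__":
    for ca in ("comodoca.com", "letsencrypt.org", "digicert.com"):
        print(ca, "->", may_issue(ca, "www.ripoff-hosted.example"))
```

With the lock-in record in place, `may_issue` says yes for `comodoca.com` and no for every other issuer at the apex and every name beneath it. The lookup rule also shows the only escape hatch: a CAA record added at a closer name (say `www.ripoff-hosted.example`) overrides the apex policy for that name, which is exactly what a customer cannot do when the control panel refuses to let them add records. The live equivalent of `relevant_rrset` is `dig +short CAA <name>` at each label up the tree.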

Which of EIG, Hostopia or DreamScape Networks will be the first to weaponize CAA?

The DLC nightmare continues. It would be fantastic if we could finally clamp down on shitty reseller behavior, but given that practically nothing came out of the recent Trustico incident, that seems optimistic for now.