IPv6 adoption has been growing exponentially and the protocol is now supported in all modern operating systems and by many carriers. It used to be that cloud service providers lacked IPv6 connectivity, but now Amazon AWS and Microsoft Azure have solid IPv6 connectivity and configurability. CDN providers have also deployed IPv6 for their accelerated and cached content. There are still a few areas where IPv6 support is lacking; for example, one we recently mentioned was IPv6 geolocation. Another is how many of the dominant Internet Certificate Authorities (CAs) have historically lacked IPv6 connectivity. In this article, we explore if this is still the situation or if commercial CAs have improved in their use of IPv6.
Importance of Certificate Authorities
The Internet now relies heavily on Transport Layer Security (TLS) and X.509 digital certificates to enable web sites to use HTTPS and encrypt traffic in transit. Events in recent years have raised awareness to eavesdropping and mass surveillance eroding personal privacy. As a result, there is now extensive activity in the CA realm helping facilitate a global trend to use more HTTPS and use less HTTP. Also, there is increased importance placed on the trust provided by these public CAs. Organizations who rely on these CAs are also aware of the trustworthiness of the CAs themselves given the year 2011 security breaches affecting Comodo and DigiNotar along with the 2012 Trustwave sub-CA security incident. Therefore, the performance, availability, and trustworthiness of the CAs is important to everyone using their services.
Organizations Require IPv6-Enabled CAs
When it comes to an organization’s public-facing web services and applications, fast and reliable connectivity along with the requirement that these services function using both Internet protocol versions are a must. Virtually all web servers such as Apache, Nginx, and Microsoft IIS support IPv6. It naturally follows that organizations want their public-facing sites be reachable by the broadest array of clients and that those clients may experience better performance when using IPv6. As your organization strives to ultimately run a single protocol (IPv6) and works toward operating an IPv6-only data center, you will want to be aware of all systems that are still only using the single IPv4 legacy protocol. If the CA does not support IPv6, then you will be unable to perform DNS-based Authentication of Named Entities (DANE) cross-validation of a DNS name and the certificate using solely IPv6 transport. Therefore, having your Internet CA use both IPv4 and IPv6 effectively is important.
Historic Lack of IPv6 Support in CAs
The lack of IPv6 support by commercial Certificate Authorities has been a documented problem for many years now. The older research shows that many of the top CAs didn’t support IPv6. The following is a picture from research performed by x509labs.com back in 2013 (unfortunately, their site doesn’t exist anymore). From this chart we can see that only a few CAs supported IPv6 a mere four years ago.
Their research also showed that some CAs perform faster than others. This may be related to low Internet latency resulting from the network location where the test was performed (or perhaps highlights relative ubiquity of the CAs Internet infrastructure).
In addition to this chart above, another set of research performed mid-2012 showed that most of the CAs didn’t support IPv6 for their Certificate Revocation List (CRL) or their Online Certificate Status Protocol (OCSP) (RFC 6960) services.
From both these pervious analyses we can see that many of the top Certificate Authorities that issue digital certificates did not support IPv6. Now we will want to determine if this is still the case of if the CAs have improved their IPv6 connectivity.
Most Popular CAs
There are numerous commercial CAs, but only a few companies are the dominant commercial CAs with the majority of market share. We can see which companies are the top CAs by looking at the World Wide Web Technology Surveys (W3Techs) page that shows the most popular Internet CAs. To limit our analysis to a reasonable amount of effort, we will focus on the few leaders in the commercial CA market who have the most customers and certificates.
In recent years there has been a consolidation of CAs as mergers and acquisitions have occurred. At one point, Verisign was the most recognized commercial CA with over 3 million certificates issued. Verisign acquired Thawte in 1999 and GeoTrust’s CA business in 2005. In 2010, Verisign sold their PKI business to Symantec. More recently, the Symantec Website Security along with their PKI services, have been sold to DigiCert. As a result, DigiCert will soon take over operation of the combined DigiCert/Symantec/Verisign/GeoTrust/Thawte PKI business.
We are adding Let’s Encrypt to our analysis as a deserved honorable mention because they graciously offer a free X.509 certificate authority service to help promote Internet security best practices. Let’s Encrypt is a “public benefit organization” operated by Internet Security Research Group (ISRG) and they leverage automation to make it easy and inexpensive for organizations to use a public CA.
The other factor to consider is that CAs come configured by default in the client’s browser. Depending on the web browser user agent, there may be a different set of default CAs installed and trusted. All these top-ranked commercial CAs are trusted by virtually all browsers.
Therefore, for the purposes of this assessment we will just focus on Comodo, IdenTrust, DigiCert, GoDaddy, GlobalSign and Let’s Encrypt.
Analysis of IPv6 Support by Major CAs
The following table shows the results of the IPv6 connectivity testing for each of these popular commercial CAs. First, we tested if their web site was reachable using both IP versions. Next, we tested to see if their own authoritative DNS name servers were reachable through both IPv4 and IPv6. In the fourth column, we show if their Certificate Revocation List (CRL) was reachable over IPv6. In the fifth column we show if their Online Certificate Status Protocol (OCSP) service was reachable over IPv6 transport. If the entry is highlighted in green then the service is reachable using both IPv4 and IPv6 (dual-protocol), if the entry is highlighted red then the service is reachable using IPv4-only.
Note: Most of these CAs have multiple DNS servers. The “#” nomenclature is used to indicate that there are several different numbers used in the FQDN of the DNS servers and that each of these name servers was tested for IPv6 connectivity. For example, Symantec uses UltraDNS, but the udns1. and udns2. servers are IPv4-only, while the other pdns1., pdns2., (and so on through pdns6.) name servers are dual-protocol name servers.
We should also mention that our rudimentary testing was a point-in-time test made at the time this article was published. The IPv6 connectivity of these CAs is subject to change without notice.
In our testing we discovered that some of these large-scale commercial CAs rely on Content Delivery Networks (CDNs) and cloud-based DNS services to provide fast and reliable delivery of their Internet services. We have witnessed that many of the popular CDN providers support IPv6 and as a byproduct, that makes many of these CA services IPv6-capable.
From this basic research, it is evident that the commercial CA industry has increased its use of IPv6. But there is still room for improvement. There were four CA services we found that had comprehensive IPv6 support: Comodo, DigiCert/Verisign, GlobalSign, and Let’s Encrypt. GlobalSign seems to have supported IPv6 the longest of all the CAs as they were noted by the earlier research as fully IPv6-enabled. Our research also showed that there are three large commercial CAs that need to improve their IPv6 adoption: IdenTrust, DigiCert, and GoDaddy. Hopefully, in the coming year, DigiCert can take the IPv6 best practices from among their acquisitions and apply those same best practices to their own CA service.
You should be aware of which CAs are using IPv4 and IPv6. If your current commercial CA, or the CA you are considering, is not actively using IPv6 at this date, then it might raise questions about that CA’s engineering team’s sophistication. If you are purchasing a public certificate from one of these popular CAs, you may prefer to choose a CA that is adroit with its use of IPv6 as well as legacy IPv4.
Scott Hogg (@ScottHogg) is CTO of HexaBuild.io, an IPv6 consulting and training company. Scott is Chair Emeritus of the Rocky Mountain IPv6 Task Force (RMv6TF) and authored the Cisco Press book on IPv6 Security. Follow HexaBuild on Twitter and LinkedIn.