VeriSign Breach May Reaffirm Certificate Authority Security Model
Alternative Internet security proposals simply just transfer trust to entities equally vulnerable to attack, experts say.
Some pundits say the incident should be held up as an example of why domain name system (DNS)-based authentication on the back of domain name system security extensions (DNSSEC) is not going to solve the trust issues people have with certificate authorities (CAs)--it just transfers trust to entities equally vulnerable to attack.
More Security Insights
- Hybrid Messaging Security Solutions Enhanced Security and Business Flexibility
- Skybox Security Survey: Next-Generation Firewall Management
"There are a number of people who see embedding certificate information into the DNS and signing it into DNSSEC as the magic bullet to solve this CA problem and the Web browser trust problem," said Jeff Schmidt, founder and CEO of JAS Global Advisors, a consulting firm specializing in IT, risk governance, and strategic technology risk. "In fact, that's not true. You're just moving the problem around. In the very specific instance where I open my machine and go to www.bankofamerica.com, and I need someone to assure me the site that is displayed is actually www.bankofamerica.com and not something run by the Russian mafia, whether that problem is solved by a CA or the DNS or something else, I have to trust somebody. The question then becomes, who do I trust?"
Immediately following the announcement of the VeriSign breach, many security insiders were quick to point at the incident as yet another big CA breach that shakes the trust in SSL. However, though all indicators point to the fact that even VeriSign is not sure about exactly what assets were compromised in breach, Symantec said in a statement that it doesn't believe that attack affected the SSL business it acquired after the breach.
"Symantec takes the security and proper functionality of its solutions very seriously," a Symantec spokesperson said. "The Trust Services (SSL), User Authentication (VIP, PKI, FDS), and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing."
Hacks of Comodo and DigiNotar exposed weakness in the Secure Sockets Layer protocol. The new Dark Reading supplement shows you what's being done to fix it. (Free registration required.)