There's nothing wrong with the SSL system or the certificate authorities, Symantec said. CAs just need to improve their security.
In the wake of the breach at the Dutch certificate authority DigiNotar, in which several hundred fraudulent digital certificates were issued, many security researchers claimed the certificate authority system was irrevocably broken and a new system was necessary to establish online trust. One CA, Symantec, argues that the incident just reinforces that CAs need to improve their security processes.
Secure Sockets Layer (SSL) technology remains secure as attackers haven't compromised the encryption algorithm, Michael Lin, senior director of trust services at Symantec, told eWEEK. What needs to change are the policies and processes around how certificate authorities issue and validate SSL certificates, according to Lin.
Over 650 companies are authorized to issue SSL certificates, according to the Electronic Frontier Foundation. When a user navigates to a Website, the browser relies on the site's SSL certificate to confirm that the user is on the legitimate site and not a fake copy. With a fake certificate, malicious perpetrators can launch man-in-the-middle attacks that allow them to eavesdrop on Internet users and intercept sensitive information.
"SSL is perfectly viable as a technology, but CAs need to implement minimum standards" to keep the system secure and working, Lin said.
Organizations need to invest in infrastructure, which includes deploying up-to-date malware-protection systems, conducting regular third-party audits, running vulnerability assessments to ensure no holes exist that can be exploited, implementing multiple layers of security, and continuously monitoring the environment so that breaches can be detected as quickly as possible and stopped, according to Lin.
There is nothing wrong with having so many certificate authorities, but the bar that needs to be met to become one is currently too low, according to Lin. Symantec is currently working on a white paper outlining what some of the minimum requirements should be, some of which were outlined on the Symantec Connect blog by Fran Rosch, vice president of trust services at Symantec.
Some of the requirements include using specially designed hardened facilities to defend against attacks, using hardware-based cryptographic signature systems, separating out SSL certificate systems from corporate systems, and enforcing strong password and access-control policies, Rosch wrote.
"No security infrastructure is immune to breaches," but organizations should be "investing in infrastructure," Lin said.
There is a common misperception that just because an organization is in the security space, it is "magically more secure," Marc Maiffret, CTO of eEye Digital Security, told eWEEK.
"Actually, they face the same security challenges as everyone else," Maiffret said, suggesting that other organizations can learn from the DigiNotar incident as well.
Most organizations tend to think in terms of which technology to buy next to meet a specific threat, instead of looking at the root cause, such as configuration errors or unresolved vulnerabilities, according to Maiffret. They are looking for the best antivirus or the best intrusion-detection system, but they aren't looking at the Web application to ensure it isn't susceptible to a SQL injection attack or that all known vulnerabilities have been patched with the latest software, he said.
Having a lot of technology means there is more data about what's happening, but for some organizations, more data results in more noise to ignore, not more security, according to Maiffret.
For many years, security was about "set it up and forget it," said Maiffret, but the volume of threats and the increasingly sophisticated nature of attacks means organizations have to keep an eye on the fundamentals and customize their architecture.
Some companies may have all the right technology, but may be using it incorrectly because they didn't realize they made a mistake setting it up, Maiffret said. Or they are using it in a standard configuration, which means attackers know exactly what the setup looks like and craft their attacks accordingly. If organizations architect the network and deploy security differently from what vendors suggested as the default, they are throwing a curveball and making it harder to breach, according to Maiffret.
Securing the organization is not a technology challenge, but rather a business process, Maiffret said.
Symantec's Lin also said that certificate authorities need to be monitoring the infrastructure so that anomalies are detected immediately. More importantly, the organization needs to disclose the incident immediately, even if it thinks the problem has been resolved, so that everyone else is alert and on the lookout for problems, Lin said.
CAs can't just focus on their infrastructure, but should hold their partners to the same standard, Lin said. The attacks on Comodo earlier this year were actually on its resellers, and it was important that the same rigorous standards, such as third-party audits, strong authentication and access policies, be followed, according to Lin. Symantec requires all its partners to meet the same standards or risk having the relationship severed, Lin said.