VeriSign Breach May Reaffirm Certificate Authority Security Model

Alternative Internet security proposals simply transfer trust to entities equally vulnerable to attack, experts say.

February 7, 2012


Regardless of whether the secure sockets layer (SSL) business VeriSign sold to Symantec was compromised in the 2010 security breach that came to light last week, security experts believe the breach still has Web authentication ramifications.

Some pundits say the incident should be held up as an example of why domain name system (DNS)-based authentication on the back of domain name system security extensions (DNSSEC) is not going to solve the trust issues people have with certificate authorities (CAs)--it just transfers trust to entities equally vulnerable to attack.

"There are a number of people who see embedding certificate information into the DNS and signing it into DNSSEC as the magic bullet to solve this CA problem and the Web browser trust problem," said Jeff Schmidt, founder and CEO of JAS Global Advisors, a consulting firm specializing in IT, risk governance, and strategic technology risk. "In fact, that's not true. You're just moving the problem around. In the very specific instance where I open my machine and go to, and I need someone to assure me the site that is displayed is actually and not something run by the Russian mafia, whether that problem is solved by a CA or the DNS or something else, I have to trust somebody. The question then becomes, who do I trust?"
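The "embed certificate information into the DNS and sign it with DNSSEC" approach described above is what was later standardized as DANE (TLSA records, RFC 6698). The Python below is an added example, not code from this article, from JAS Global Advisors or from Symantec. It assembles a constructed toy X.509 DER blob, computes the TLSA "certificate association data" the way a DANE validator does (selector 0 or 1, matching type 0, 1 or 2, end-entity usages 1 and 3), and makes Schmidt's point concrete in code: the record is only worth anything when `dnssec_validated` is true, so the trust a CA would otherwise carry now rests on whoever can sign the DNSSEC chain for that zone. All function names, the minimal DER helpers and the sample bytes are my own assumptions for the illustration.

```python
import hashlib

# --- minimal DER helpers (enough for a toy X.509 structure) -------------

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value triple (definite length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(data: bytes) -> list:
    """Walk the top-level TLVs in data; return (tag, raw_tlv, content) triples."""
    out, i = [], 0
    while i < len(data):
        start, tag, ln = i, data[i], data[i + 1]
        i += 2
        if ln & 0x80:                      # long form: next k bytes hold the length
            k = ln & 0x7F
            ln = int.from_bytes(data[i:i + k], "big")
            i += k
        out.append((tag, data[start:i + ln], data[i:i + ln]))
        i += ln
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER certificate.

    tbsCertificate = [0] version (optional), serialNumber, signature alg,
    issuer, validity, subject, subjectPublicKeyInfo, ...
    """
    cert_fields = der_children(der_children(cert_der)[0][2])
    tbs_fields = der_children(cert_fields[0][2])
    idx = 6 if tbs_fields[0][0] == 0xA0 else 5   # skip explicit [0] version if present
    return tbs_fields[idx][1]


# --- DANE / TLSA matching (RFC 6698 semantics) -------------------------

def tlsa_assoc_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute the 'certificate association data' a TLSA record would carry."""
    data = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    if matching_type == 0:
        return data                                                # exact match
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")


def dane_accepts(cert_der: bytes, tlsa_records, dnssec_validated: bool, pkix_ok: bool) -> bool:
    """Decide whether the presented end-entity certificate is acceptable.

    tlsa_records: iterable of (usage, selector, matching_type, assoc_data).
    Only end-entity usages are handled: 1 (PKIX-EE, also needs a valid CA
    chain) and 3 (DANE-EE, the DNS record alone is authoritative).
    """
    if not dnssec_validated:
        # An unsigned or unvalidated TLSA answer carries no trust at all;
        # this is exactly where the CA's role has moved to the DNSSEC chain.
        return False
    for usage, selector, matching_type, assoc in tlsa_records:
        if usage not in (1, 3):
            continue                       # trust-anchor usages (0, 2) need chain walking, omitted
        if usage == 1 and not pkix_ok:
            continue
        if tlsa_assoc_data(cert_der, selector, matching_type) == assoc:
            return True
    return False


# --- constructed toy certificate (NOT a real or valid certificate) --------

def build_toy_cert():
    """Assemble a structurally plausible X.509 DER blob with dummy contents."""
    rsa_enc = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption OID
    sha256_rsa = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption OID
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                  # [0] EXPLICIT v3
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_tlv(0x30, sha256_rsa)
    name = der_tlv(0x30, b"")                                        # empty Name, dummy
    validity = der_tlv(0x30, der_tlv(0x17, b"240101000000Z") + der_tlv(0x17, b"250101000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, rsa_enc) + der_tlv(0x03, b"\x00" + b"\xaa" * 32))
    tbs = der_tlv(0x30, version + serial + sig_alg + name + validity + name + spki)
    signature = der_tlv(0x03, b"\x00" + b"\xbb" * 32)               # dummy, never verified here
    return der_tlv(0x30, tbs + sig_alg + signature), spki


if __name__ == "__main__":
    cert, spki = build_toy_cert()
    record = (3, 1, 1, tlsa_assoc_data(cert, 1, 1))     # i.e. "3 1 1 <sha256 of SPKI>"
    print(dane_accepts(cert, [record], dnssec_validated=True, pkix_ok=False))   # True
    print(dane_accepts(cert, [record], dnssec_validated=False, pkix_ok=False))  # False
```

The `dnssec_validated` parameter is the whole argument in one flag: a resolver sets it only after walking signatures from the zone up to the DNS root key, so a compromise anywhere on that path (registrar, registry, or the parent zone's signing keys) forges the TLSA record just as a compromised CA forges a certificate. Usage 1 shows the hybrid case, where DNS merely constrains which CA-issued certificate is acceptable, so both trust paths have to hold.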

Immediately following the announcement of the VeriSign breach, many security insiders were quick to point to the incident as yet another big CA breach that shakes trust in SSL. However, although all indicators suggest that even VeriSign is not sure exactly what assets were compromised in the breach, Symantec said in a statement that it doesn't believe the attack affected the SSL business it acquired after the breach.

"Symantec takes the security and proper functionality of its solutions very seriously," a Symantec spokesperson said. "The Trust Services (SSL), User Authentication (VIP, PKI, FDS), and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing."

Read the rest of this article on Dark Reading.

Hacks of Comodo and DigiNotar exposed weakness in the Secure Sockets Layer protocol. The new Dark Reading supplement shows you what's being done to fix it. (Free registration required.)
