
[ISN] VeriSign Breach May Actually Reaffirm Commitment To CA Model


By Ericka Chickowski
Contributing Writer
Dark Reading
Feb 06, 2012

Regardless of whether the SSL business VeriSign sold to Symantec was compromised in the 2010 security breach that came to light last week, security experts believe the breach still has Web authentication ramifications. Some pundits say the incident should be held up as an example of why DNS-based authentication on the back of DNSSEC is not going to solve the trust issues people have with certificate authorities -- it just transfers trust to entities equally vulnerable to attack.

"There are a number of people who see embedding certificate information into the DNS and signing it into DNSSEC as the magic bullet to solve this CA problem and the Web browser trust problem," says Jeff Schmidt, founder and CEO of JAS Global Advisors, a consulting firm specializing in IT, risk governance, and strategic technology risk. "In fact, that's not true. You're just moving the problem around. In the very specific instance where I open my machine and go to www.bankofamerica.com, and I need someone to assure me the site that is displayed is actually www.bankofamerica.com and not something run by the Russian mafia, whether that problem is solved by a CA or the DNS or something else, I have to trust somebody. The question then becomes, who do I trust?"
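The mechanism Schmidt is describing is DANE (RFC 6698): a TLSA record in the DNS binds a certificate or trust anchor to a name, and DNSSEC signs that record. The following is an added example, not code from the article or from any of the companies it mentions; it implements TLSA record generation and matching for selector 0 (full certificate) and makes explicit where the trust lands for each certificate usage. The certificates are constructed opaque byte strings standing in for DER, and `authenticate` takes the outcome of ordinary CA validation and of DNSSEC validation as inputs rather than performing them:

```python
# Added example: DANE/TLSA matching and the trust anchor each usage implies.
# Not from the article. "Certificates" here are constructed byte strings, not
# real X.509; selector 0 (full certificate) is used so no DER parsing is needed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# RFC 6698 section 2.1.1 certificate usages
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
FULL_CERT = 0                      # selector 0; selector 1 (SPKI) would need a DER parser
EXACT, SHA256, SHA512 = 0, 1, 2    # matching types


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes   # certificate association data


def association_data(cert_der: bytes, matching_type: int) -> bytes:
    """Derive the association data a TLSA record carries for this certificate."""
    if matching_type == EXACT:
        return cert_der
    if matching_type == SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert_der: bytes, usage: int, matching_type: int = SHA256) -> TLSA:
    """Build the record a zone owner would publish for cert_der."""
    return TLSA(usage, FULL_CERT, matching_type, association_data(cert_der, matching_type))


def to_presentation(rec: TLSA) -> str:
    """Zone-file form, e.g. '3 0 1 <hex digest>'."""
    return f"{rec.usage} {rec.selector} {rec.matching_type} {rec.data.hex()}"


def parse_tlsa(text: str) -> TLSA:
    usage, selector, mtype, hexdata = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def cert_matches(rec: TLSA, cert_der: bytes) -> bool:
    """Constant-time comparison of the presented certificate against the record."""
    if rec.selector != FULL_CERT:
        raise NotImplementedError("selector 1 (SPKI) needs an X.509 parser")
    return hmac.compare_digest(association_data(cert_der, rec.matching_type), rec.data)


def authenticate(rec: TLSA, chain: List[bytes], dnssec_validated: bool,
                 pkix_valid: bool) -> Tuple[bool, str]:
    """Accept or reject a presented chain (leaf first) and name who is trusted.

    pkix_valid:        result of ordinary CA-based path validation (done elsewhere).
    dnssec_validated:  whether the TLSA RRset arrived with a valid DNSSEC chain.
    """
    if not dnssec_validated:
        # RFC 6698 section 4.1: unvalidated TLSA records must be ignored,
        # so the decision falls back entirely on the CA model.
        return pkix_valid, "TLSA ignored (no DNSSEC); decided by the CA chain"
    leaf = chain[0]
    if rec.usage == PKIX_EE:
        return pkix_valid and cert_matches(rec, leaf), "CA chain AND zone signer"
    if rec.usage == PKIX_TA:
        return (pkix_valid and any(cert_matches(rec, c) for c in chain),
                "CA chain AND zone signer")
    if rec.usage == DANE_EE:
        # PKIX validation is not performed; only the zone's signing keys vouch for the leaf.
        return cert_matches(rec, leaf), "zone signer only (CAs not consulted)"
    if rec.usage == DANE_TA:
        # The record names the trust anchor; a real client still builds the PKIX
        # path from the leaf to that anchor, but the CA store is not consulted.
        return (any(cert_matches(rec, c) for c in chain[1:]),
                "zone signer only (anchor taken from DNS, CAs not consulted)")
    raise ValueError(f"unknown usage {rec.usage}")


if __name__ == "__main__":
    leaf, ca = b"constructed-leaf-cert-der", b"constructed-ca-cert-der"   # constructed
    rec = make_tlsa(leaf, DANE_EE)
    print(to_presentation(rec))
    print(authenticate(rec, [leaf, ca], dnssec_validated=True, pkix_valid=False))
    print(authenticate(rec, [leaf, ca], dnssec_validated=False, pkix_valid=False))
```

The two `print` calls at the end show the point the article makes: with usage 3 (DANE-EE) the leaf is accepted even though no CA vouched for it, and with DNSSEC stripped the same record counts for nothing. Either way the client has to trust somebody; DANE only changes whether that somebody is a CA or the operators of the signing keys from the zone up to the DNS root.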

Immediately following the announcement of the breach, many security insiders were quick to point to the incident as yet another big CA breach shaking trust in SSL. However, although all indications are that even VeriSign is not sure exactly which assets were compromised in the breach, Symantec said in a statement that it does not believe the attack affected the SSL business it acquired from VeriSign after the breach.

"Symantec takes the security and proper functionality of its solutions very seriously," a Symantec spokesperson said. "The Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing."

