Symantec says there is nothing wrong with the SSL system but CAs need to improve their security
In the wake of the breach on the Dutch certificate authority in which several hundred fraudulent digital certificates were issued, many security researchers claimed the certification authority (CA) system was irrevocably broken and a new system is necessary to establish online trust. One CA, Symantec, argues that the incident just reinforces that CAs need to improve their security processes.
Secure Sockets Layer (SSL) technology remains secure as attackers have not compromised the encryption algorithm, Michael Lin, senior director of trust services at Symantec, told eWEEK. What needs to change are the policies and processes around how certificate authorities issue and validate SSL certificates, according to Lin.
Over 650 companies are authorised to issue SSL certificates, according to the Electronic Frontier Foundation. When a user navigates to a Website, the browser relies on the site’s SSL certificate to confirm that the user is on the legitimate site and not a fake copy. With a fake certificate, malicious perpetrators can launch man-in-the-middle attacks that allow them to eavesdrop on Internet users and intercept sensitive information.
Organisations need to invest in infrastructure, which includes deploying up-to-date malware-protection systems, conducting regular third-party audits, running vulnerability assessments to ensure no holes exist that can be exploited, implementing multiple layers of security, and continuously monitoring the environment so that breaches can be detected as quickly as possible and stopped, according to Lin.
There is nothing wrong with having so many certificate authorities, but the bar that needs to be met to become one is currently too low, according to Lin. Symantec is currently working on a white paper outlining what some of the minimum requirements should be, some of which were outlined on the Symantec Connect blog by Fran Rosch, vice president of trust services at Symantec.
Some of the requirements include using specially designed hardened facilities to defend against attacks, using hardware-based cryptographic signature systems, separating out SSL certificate systems from corporate systems, and enforcing strong password and access-control policies, Rosch wrote.
“No security infrastructure is immune to breaches”, but organisations should be “investing in infrastructure”, Lin said.
No Magic Guarantee
There is a common misperception that just because an organisation is in the security space, it is “magically more secure”, Marc Maiffret, CTO of eEye Digital Security, told eWEEK. “Actually, they face the same security challenges as everyone else,” Maiffret said, suggesting that other organisations can learn from the DigiNotar incident as well.
Most organisations tend to think in terms of which technology to buy next to meet a specific threat, instead of looking at the root cause, such as configuration errors or unresolved vulnerabilities, according to Maiffret. They are looking for the best antivirus or the best intrusion-detection system, but they are not looking at the Web application to ensure it is not susceptible to a SQL injection attack or that all known vulnerabilities had been patched with the latest software, he said.
Having a lot of technology means there is more data about what is happening, but for some organisations, more data results in more noise to ignore, not more security, according to Maiffret.
For many years, security was about “set it up and forget it”, said Maiffret, but the volume of threats and the increasingly sophisticated nature of attacks means organisations have to keep an eye on the fundamentals and customise their architecture.
Some companies may have all the right technology, but may be using it incorrectly because they did not realise they made a mistake setting it up, he added. Or they are using it in a standard configuration, which means attackers know exactly what the setup looks like and craft their attacks accordingly.
If organisations architect the network and deploy security differently from what vendors suggested as the default, they are throwing a curveball and making it harder to breach, according to Maiffret. Securing the organisation is not a technology challenge, but rather a business process, he said.
Symantec’s Lin also said that certificate authorities need to be monitoring the infrastructure so that anomalies are detected immediately. More importantly, the organisation needs to disclose the incident immediately, even if it thinks the problem has been resolved, so that everyone else is alert and on the lookout for problems, Lin said.
CAs cannot just focus on their infrastructure, but should hold their partners to the same standard, Lin said. The attacks on Comodo earlier this year were actually on its resellers, and it was important that the same rigorous standards, such as third-party audits, strong authentication and access policies, are followed, according to Lin. Symantec requires all its partners to meet the same standards or risk having the relationship severed, Lin said.