DigiNotar SSL Breach Update
Since my last post, the effects of the recent DigiNotar breach have spread across the security industry. Many media outlets recently shared some of the names of the 531 fraudulent certificates created, including Google, Facebook, Skype, Microsoft, as well as each of the major certificate authorities. A hacker has claimed responsibility for the breach and claims to have breached some other Certificate Authorities as well. GlobalSign has ceased issuing certificates as it investigates whether or not it has been breached. Pundits are questioning the strength of SSL. Then, yesterday, a Dutch government agency erroneously made a statement that Thawte had been breached. Although the statement was proven false and quickly retracted, it highlights the fear and knee-jerk reactive actions proliferating as a result.
With all the panic going on around us, I want to assure you that we have performed exhaustive audits of our network and we are confident that our systems have not been affected by the breach that occurred at DigiNotar. The fraudulent certificates (revoked) were in no way connected to Symantec or any of its certificate authority brands. Our VeriSign, Thawte, GeoTrust and RapidSSL roots remain secure.
I’ll reiterate: as a security leader, we’re frequently targeted by bad actors. Symantec has invested in and built the most robust and scalable certificate authentication, issuance, management and hierarchy infrastructure in the industry. We believe that the security strength of our operations is an important part of the value our customers get when they buy their certificates from us. However, we also commit to update you if any issues related to the Symantec SSL and CA infrastructure develop.
-We at Symantec take security seriously. We’re obsessive about it; it’s what we do.