By Tom Powledge, Vice President, Trust Services, Symantec
There's been plenty in the news recently regarding encryption and SSL – which has led some people to wonder how safe the technology really is. As the leader of Symantec's Trust Services Products & Services organization, I want to assure you that SSL is safe. Below is some information that may help you understand why, and also inform you about the current state of SSL security.
First, the fundamental key strength of RSA 2048-bit certificates is solid and without question. Independent cryptography experts have confirmed this, and highly-respected publications such as the MIT Technology Review have published articles on the subject. As always, organizations that use SSL should make sure they use the strongest algorithms available.
Customers of SSL certificates should take specific actions to safeguard the security of their server-side private keys. They should put in place powerful network protections and should never utilize tools where private keys are revealed to third parties. Symantec never takes possession of any customer's SSL private keys.
Lastly, and perhaps most importantly, Certificate Authorities that issue SSL certificates must never share the private keys of their roots. The trust in SSL by everyone – from end-users, to the companies that they communicate with, to the browsers that enable secure connections – all depend on Certificate Authorities to provide unequivocal security of their root keys.
As the world’s largest and most trusted Certificate Authority, we use best-in-class security processes to protect our roots. We do not share our private keys with any third-party company, government, organization or individual. To repeat: We never share our root keys, and never will. Period.
We are committed to ensuring our customers can use SSL safely and we recommend that customers take important, but simple steps to proactively protect their private keys. To learn more about Symantec's SSL offerings, please go to http://go.symantec.com/ssl.