Looking back (and ahead) at Always On SSL at RSA
The RSA 2012 Conference is this week, and I look forward to the usual exciting mix of reflection on the past year’s important trends, big announcements, and predictions on where things might go from here. For Symantec Authentication, this year’s RSA event carries added weight by falling roughly on the one and a half-year anniversary since Symantec acquired VeriSign. We’ve seen a lot of changes in the past 17 months, both within our company and in the IT industry at large, and the conference will be an excellent opportunity to share our observations and insights on both. There will be a lot to share, and I’m particularly eager to see what people have to say about a key issue that the Symantec Business Authentication team has been championing: Always On SSL.
As background, 2011 has earned ugly nicknames such as “Year of the Breach” and “Year of the Hack” for having the greatest number of high-profile cyber attacks and data breaches ever. Unfortunately, the year’s events also cast a spotlight on a longstanding “elephant in the room” for the IT security industry: Even as more organizations are deploying more countermeasures to prevent and mitigate cyber attacks that are becoming more common, sophisticated, and devastating, many of those organizations still don’t provide end-to-end encryption when transmitting confidential data of people using their websites.
Of particular note is that for the first time, the integrity and usefulness of Secure Sockets Layer (SSL) certificates (the cryptographic bona fides that a website is legitimate and that it protects online transactions involving personal, sensitive, or confidential data) became a headline-making security issue. The DigiNotar and Comodo breaches resulted in hundreds of illegitimate SSL certificates and forced DigiNotar into bankruptcy, while the hijacking of Hollywood star Ashton Kutcher’s Twitter account drew global attention. Just this month, we learned that Trustwave issued certificates to a company that used them for internal surveillance with Man-in-the-Middle (MITM) approaches. These incidents and others have sparked debate over whether SSL certificate technology, and the entire CA industry, are fundamentally broken.
Fortunately, the answer to both questions is categorically no. SSL technology and the PKI ecosystem continue to evolve and still provide excellent protection against growing cyber security threats. CAs that take their responsibility to protect security and identity seriously are fully capable of providing the greatest assurance possible that their certificates – and the websites that use the certificates – are genuine and safe for online business and data transfer.
In fact, the strongest countermeasure to some attacks, such as sidejacking, is to encrypt all pages on a website, not just initial log-in pages. The issue is particularly important if you have users who log in on an SSL-secured page but then move on to unsecured pages. The cookie that established the user session may then be sent in the clear and be exposed to a bad actor who could use that information to compromise a legitimate user’s account. Known as Always On SSL, this approach of deploying SSL to all website pages uses site-wide SSL/TLS (Secure Sockets Layer/Transport Layer Security) and HTTPS (HTTP Secure) to protect the entire user experience. Always On SSL assures consumers of the integrity and privacy of the information they send and receive. In turn, Always On SSL proves the authenticity of the site’s identity, which is crucial for the trust that is the bedrock of online commerce, social media, and community.
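The leak described above is mechanical and easy to reproduce with a standards-conforming cookie jar, so here is an added example (it is not code from the original post or from Symantec) that models it with Python's standard library. A session cookie is set by an HTTPS log-in response; the example then asks the jar which cookie it would attach to the next request, once for a plain-HTTP page on the same host and once for an HTTPS page. A cookie without the Secure attribute is sent over HTTP, which is exactly the exposure sidejacking relies on; a cookie with Secure is withheld, which is the per-cookie half of the fix, while serving every page over HTTPS (Always On SSL) removes the unencrypted request in the first place. The host name, cookie name and value are constructed for the example.

```python
"""Added example: why a log-in cookie leaks on a later plain-HTTP page,
and how the Secure attribute stops the cookie jar from sending it.
Only the standard library is used; www.example.com and the cookie
value are constructed for the demonstration."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs
    .info() to return a Message-like object exposing Set-Cookie headers."""

    def __init__(self, set_cookie_header: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_sent_to(set_cookie_header: str, login_url: str, next_url: str):
    """Store the cookie from a log-in response at login_url, then return
    the Cookie header the jar would attach to a request for next_url
    (None when the jar refuses to send it, e.g. Secure cookie over http)."""
    jar = CookieJar()
    login_request = Request(login_url)
    jar.extract_cookies(_FakeResponse(set_cookie_header), login_request)

    next_request = Request(next_url)
    jar.add_cookie_header(next_request)
    return next_request.get_header("Cookie")


def audit_set_cookie(set_cookie_header: str):
    """Return the attribute names a session cookie should carry but lacks.
    Secure keeps it off plain HTTP; HttpOnly keeps it away from page scripts."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie_header.split(";")[1:]}
    return [name for name in ("Secure", "HttpOnly")
            if name.lower() not in attrs]


def demo():
    """Run the three cases a site owner should compare and return them."""
    login = "https://www.example.com/login"        # constructed host
    weak = "session=abc123; Path=/"                # no Secure attribute
    hardened = "session=abc123; Path=/; Secure; HttpOnly"
    return {
        # Weak cookie, user follows an http:// link: cookie goes in the clear.
        "weak_over_http": cookie_sent_to(weak, login, "http://www.example.com/home"),
        # Secure cookie, same http:// link: the jar withholds it.
        "secure_over_http": cookie_sent_to(hardened, login, "http://www.example.com/home"),
        # Secure cookie, site-wide HTTPS: the session keeps working.
        "secure_over_https": cookie_sent_to(hardened, login, "https://www.example.com/home"),
        "weak_missing": audit_set_cookie(weak),
        "hardened_missing": audit_set_cookie(hardened),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The Secure attribute on its own only protects the cookie; the request to the HTTP page still happens unencrypted and the user is silently logged out there, which is why the post argues for moving the whole site to HTTPS rather than patching individual cookies.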
The IT security industry and the U.S. government have begun rallying around Always On SSL. In fact, Twitter just announced that it has joined the Online Trust Alliance (OTA). The OTA named its upgrade to Always On SSL and EV SSL (Extended Validation SSL) as its #4 top IT security best practice in its 2012 Data Protection & Breach Readiness Guide.
As part of a panel discussion hosted by Craig Spiezel, executive director of the OTA, we will touch on these points and many others at RSA, “Always On SSL: A Necessity to Deal with an Inconvenient Truth,” at 8 a.m. PT this Thursday, March 1. Specifically, we’ll help distill the technical and business values of Always On SSL and explore why it’s still not pervasive today. We’ll have panelists from Microsoft, PayPal, Twitter and Facebook present compelling case studies that share implementation considerations and lessons learned, and what organizations can do moving forward to protect themselves. If you’re attending the conference, I hope you can join us for a fascinating, timely discussion.