Website Security Solutions

Website Security Solutions allow companies and consumers to engage in communications and commerce online with trust and confidence. With more than one and a half million web servers using our SSL certificates, an infrastructure that processes more than four and a half billion certificate checks daily, and a trust mark that is seen more than half a billion times a day in 170 countries, the Norton Secured seal is the most recognized symbol of trust on the Internet.

  • 2
    Created: FranRosch 16 Mar 2012

    Protecting digital certificates is everyone’s responsibility

    Yesterday Kaspersky Lab posted on their research blog that they had discovered a Trojan dropper file in the wild. The malicious code, designed to commit click fraud, was signed by a legitimately issued VeriSign code signing certificate. This was a result of private keys being compromised at one of our customers. The code signing certificate used to sign the malicious code was authenticated and issued by VeriSign to a legitimate organization. The certificate has since been revoked, as it appears that the private keys, which were controlled by the customer, have been compromised. Allow me to emphasize that Symantec takes these situations very seriously. We’re working closely with the customer to resolve their security issue and to ensure that they are taking precautions and applying best practices for private keys before we re-issue another code signing certificate to them. Symantec employs the highest levels of stringent authentication for every certificate we issue....
  • 1
    Created: Rick Andrews 01 Mar 2012

    Revocation is Essential

    RSA 2012 has lived up to expectations with some great thought-provoking presentations. Tuesday morning I attended “Revocation Checking for Digital Certificates: Why Won’t It Work?” moderated by Kirk Hall. Kirk and the other panellists clearly described the shortcomings of revocation checking by CRLs or OCSP and why all modern browsers “soft-fail” if they can’t get a revocation response. They also detailed a number of proposed improvements, and the pros and cons of each. At Symantec, we believe that revocation checking is essential. That’s why we’ve invested heavily in building a highly-available, massive scale infrastructure to serve our CRLs and OCSP responses. Today our infrastructure supports over 3.5 Billion OCSP lookups every day. We’re an active part of the CA/Browser Forum, including the working group that will study improvements in revocation checking. It’s a great topic that has the potential to make a big...
  • 0
    Created: Quentin Liu 29 Feb 2012

    Looking back (and ahead) at Always On SSL at RSA

    The RSA 2012 Conference is this week, and I look forward to the usual exciting mix of reflection on the past year’s important trends, big announcements, and predictions on where things might go from here. For Symantec Authentication, this year’s RSA event carries added weight by falling roughly on the one and a half-year anniversary since Symantec acquired VeriSign. We’ve seen a lot of changes in the past 17 months, both within our company and in the IT industry at large, and the conference will be an excellent opportunity to share our observations and insights on both. There will be a lot to share, and I’m particularly eager to see what people have to say about a key issue that the Symantec Business Authentication team has been championing: Always On SSL. As background, 2011 has earned ugly nicknames such as “Year of the Breach” and “Year of the Hack” for having the greatest...
  • 0
    Created: FranRosch 21 Feb 2012

    Symantec to Host CA/Browser Forum Meeting this Week in Mountain View

    We are excited about hosting the CA/Browser Forum meeting this week in Mountain View and have a great set of attendees from the leading browser vendors and Certificate Authorities as well as several other interested third parties. At Symantec, we believe that the CA/B Forum efforts to improve the SSL ecosystem have become even more important given the breaches and attacks over the past year. The agenda this week is packed with some important topics including: Standards for improving the security related to CA operations; Intellectual Property Sharing Policy; Discussion on how we can evolve the CA/B Forum decision making process and how we can include the feedback from external third parties including Relying Parties; Higher Authenticated Code Signing Certificates; Certificate invalidation methods. One other topic sure to be discussed is the role of Domain...
  • 0
    Created: FranRosch 20 Feb 2012

    Symantec is making sure there’s no need to panic about RSA keys

    By now, everyone is aware of the story published in the New York Times earlier this week by John Markoff. The team of researchers led by Arjan Lenstra scanned 7.1 million 1024-bit public facing RSA keys, and came to the conclusion that an estimated 0.2 percent of all RSA keys in the wild are duplicate keys, and many more may share a common prime factor. Lenstra's research paper stated the following: “We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more...
  • 1
    Created: Charla Bunton-Johnson 17 Feb 2012

    Recap: Parallels Conference 2012

    This week has been a great one for Symantec at Parallels’ 2012 Conference in Orlando. Parallels attracts a global audience of over 1200 participants from across the cloud and hosting industries. We are proud to share that Symantec has been selected by Parallels as its 2011 APS ISV Service Provider of the Year. We were also honored that Symantec’s Fran Rosch was selected to give a keynote at the event. In addition to our activities at the conference, Symantec announced that it has extended its partnership with Parallels through the Application Packaging Standard (APS) and Parallels Automation for Cloud Marketplace (PACM) platform allowing Service Providers (...
  • 0
    Created: FranRosch 16 Feb 2012

    Stripping OCSP From Chrome Will Not Improve Browser Security

    Symantec applauds Adam Langley's resolve to increase consumer safety on the web; however, his proposal to remove OCSP and CRLs in a future release of the Chrome browser is misguided and could potentially have dangerous implications. Mr. Langley argues that OCSP and CRLs do not work when needed, giving the example of a captive portal that requires you to sign in to an HTTPS site while blocking traffic to all other sites. This is a corner case that happens very infrequently. We argue that one shouldn’t discard OCSP and CRLs because they don’t work in a tiny fraction of cases. Langley also expresses concern that the CA may experience downtime. Symantec has provided CRLs and OCSP responses with 100% uptime for at least the past 10 years. We serve over 3.5 billion OCSP lookups every day, allowing browsers to reliably receive real-time validation of SSL certificates. Rather...
  • 1
    Created: Rick Andrews 09 Feb 2012

    A Bright Outlook for SSL

    Recently, Ericka Chickowski with Dark Reading wrote a well thought out and researched piece discussing the future of web authentication. Our own Quentin Liu was interviewed for the article. In her article, Ericka starts with a brief history of SSL and then goes into the current problems facing the CA community, followed by recommended best practices. Ericka concludes that SSL has too long a history to completely scrap (amen!) and the industry must make changes in how SSL functions to improve security of web transactions. We couldn’t agree more! Key article points and commentary: “Web authentication protocols took a pounding last year.” It’s true, there’s no denying that 2011 was riddled with high-profile attacks and targeting of CAs. These attacks highlight that it has never been more important for organizations to know which CAs to trust. “Taken...
  • 0
    Created: Charla Bunton-Johnson 07 Feb 2012

    Keeping the Trust

    This post was written by Zane Lucas, VeriSign Platinum Partner, Trustico, EMEA

    With all the transitions in life, we are naturally nervous about change. We had this apprehension when we learned that the VeriSign Seal would be changing to a Norton Secured Seal. However, our fears were quickly put to rest by Symantec Trust Services (formerly VeriSign). Since 2003, Trustico has successfully partnered with VeriSign, and we’ve been fortunate to present the VeriSign Seal proudly on our website since that time. We will do the same with the new Norton Secured Seal. And with this new transition, we’ve found we’re not the only ones to feel at ease...
  • 1
    Created: Paul Meijer 03 Feb 2012

    How can we be so sure?

    As Sr. Director Infrastructure Operations, Symantec Authentication Services (including SSL, PKI, VIP, FDS), my team is responsible for operating and maintaining the infrastructure, which makes up the Authentication Services business. This is the same role I had while at VeriSign at the time when Symantec acquired the Authentication Services business in 2010. In light of the recent announcement from VeriSign, Inc. that their corporate network was breached, people are wondering how we can be so certain in our public statements that the authentication networks were not compromised by the breach since the Authentication Services business was a part of VeriSign in 2010. First, let me underscore that Symantec did not acquire VeriSign, Inc.  Symantec and VeriSign, Inc. are separate entities.  Symantec acquired assets from VeriSign that include the Trust Services (SSL) and User Authentication (PKI, VIP, FDS) businesses. In keeping with industry best security...