
Website Security Solutions

FranRosch | 18 Dec 2012 | 0 comments

Symantec applauds Adam Langley's resolve to increase consumer safety on the web; however, his proposal to remove OCSP and CRLs in a future release of the Chrome browser is misguided and could potentially have dangerous implications. Mr. Langley argues that OCSP and CRLs do not work when needed, giving the example of a captive portal that requires you to sign in to an HTTPS site while blocking traffic to all other sites. This is a corner case that happens very infrequently. We argue that one shouldn’t discard OCSP and CRLs because they don’t work in a tiny fraction of cases.

Langley also expresses concern that the CA may experience downtime. Symantec has provided CRLs and OCSP responses with 100% uptime for at least the past 10 years. We serve over 3.5 billion OCSP lookups every day, allowing browsers to reliably receive real-time validation of SSL certificates. Rather than letting...

Rick Andrews | 18 Dec 2012 | 1 comment

Recently, Ericka Chickowski with Dark Reading wrote a well thought out and researched piece discussing the future of web authentication.  Our own Quentin Liu was interviewed for the article. In her article, Ericka starts with a brief history of SSL and then goes into the current problems facing the CA community, followed by recommended best practices.  Ericka concludes that SSL has too long a history to completely scrap (amen!) and the industry must make changes in how SSL functions to improve security of web transactions.  We couldn’t agree more!

 

Key article points and commentary:

  • “Web authentication protocols took a pounding last year.”

    It’s true, there’s no denying that 2011 was riddled with high-profile attacks and targeting of CAs.  These attacks highlight that it has never been more important for organizations to know which CAs to trust.
     

  • “Taken...
Charla Bunton-Johnson | 18 Dec 2012 | 0 comments

This post was written by Zane Lucas, VeriSign Platinum Partner, Trustico, EMEA

With all the transitions in life, we are naturally nervous about change. We had this apprehension when we learned that the VeriSign Seal would be changing to a Norton Secured Seal. However, our fears were quickly put to rest by Symantec Trust Services (formerly VeriSign). Since 2003, Trustico has successfully partnered with VeriSign, and we’ve been fortunate to present the VeriSign Seal proudly on our website since that time. We will do the same with the new Norton Secured Seal. And with this new transition, we’ve found we’re not the only ones to feel at ease...

Paul Meijer | 18 Dec 2012 | 0 comments

As Sr. Director Infrastructure Operations, Symantec Authentication Services (including SSL, PKI, VIP, FDS), my team is responsible for operating and maintaining the infrastructure, which makes up the Authentication Services business. This is the same role I had while at VeriSign at the time when Symantec acquired the Authentication Services business in 2010.

In light of the recent announcement from VeriSign, Inc. that their corporate network was breached, people are wondering how we can be so certain in our public statements that the authentication networks were not compromised by the breach since the Authentication Services business was a part of VeriSign in 2010.

First, let me underscore that Symantec did not acquire VeriSign, Inc.  Symantec and VeriSign, Inc. are separate entities.  Symantec acquired assets from VeriSign that include the Trust Services (SSL) and User Authentication (PKI, VIP, FDS) businesses.

In keeping with industry best security...

FranRosch | 18 Dec 2012 | 3 comments

News broke recently that Verisign, Inc. reported in their quarterly SEC filings that they had been victims of a security breach in 2010. At this time, Verisign, Inc. has only confirmed that the incident did not impact their DNS business. 

Just as Verisign, Inc. stated that there was no impact to their production environment, I stand behind the following statement that Symantec made in response to media questions regarding the 2010 Verisign, Inc. security breach:

Symantec takes the security and proper functionality of its solutions very seriously. Trust Services (SSL), User Authentication (VIP, PKI, FDS), and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing.

Unfortunately, many people are associating the breach at Verisign, Inc. with...

Michael Lin | 18 Dec 2012 | 1 comment

While presenting at the HostingCon earlier this year, some particular figures in my slide deck jumped out at me: 1) Corporations are seeing their information double every two years; and 2) Each day, 600 million emails are sent containing unencrypted confidential data. Those are staggering figures on their own. Put them together, and the need to protect sensitive data online becomes glaringly obvious.

The booming popularity of Secure Sockets Layer (SSL) Certificates and Extended Validation SSL (EV SSL) Certificates reflects the recognition that people and organizations must protect themselves from worsening malware, data breaches and other IT security threats. By validating user and device identity, SSL and EV SSL...

Leelin Thye | 18 Dec 2012 | 0 comments

Today, Symantec is launching Symantec Certificate Intelligence Center as a generally available release after a successful public beta. Symantec Certificate Intelligence Center is a cloud-based service for enterprises to discover all SSL certificates, regardless of Certificate Authority (CA), and exercise end-to-end certificate lifecycle management.

The onslaught of news on security breaches related to SSL certificates such as weak 512-bit SSL certificates being issued by CAs, or stolen certificates being used to propagate cyber attacks, or even...

FranRosch | 18 Dec 2012 | 1 comment

Malaysia just can’t catch a break lately. Earlier this month it was discovered that Malaysian certificate authority DigiCert Sdn. Bhd. (no relation to DigiCert, Inc.) had been issuing weak 512-bit SSL certificates, a serious no-no in the CA business. This led to the major browsers yanking DigiCert Sdn. Bhd. from their trusted root stores. Then last week a story broke in which a code signing certificate had been stolen from a Malaysian government agency and used to sign malware that exploits a vulnerability in Adobe Acrobat 8.

An investigation found that the certificate was issued by DigiSign Server ID to a domain managed by the Malaysian Agricultural Research and Development Institute. Although the certificate has since expired, Malaysian authorities say the certificate was stolen “some time ago”.  

I’ve read a number of articles on this subject since the story broke and each article makes mention of this being the...

Teresa Wingfield | 18 Dec 2012 | 0 comments

Did you know that Symantec offers free vulnerability assessments for Extended Validation Secure Sockets Layer (EV SSL), Premium and Secure Site Pro certificate customers?  The new Symantec service enables quick identification and remediation of the most exploitable weaknesses on public-facing Web pages, Web-based applications, server software and network ports.

In less than three weeks since the October launch of Symantec’s vulnerability assessments, the company has scanned nearly 2000 web sites for critical vulnerabilities that could allow malicious hackers to insert malware or to directly access confidential customer data. Of these sites, more than half had critical vulnerabilities which customers were able to quickly remediate. Symantec identified hundreds of exposures, largely due to outdated software, and has already helped over half of the impacted customers to completely eliminate all identified vulnerabilities.

Could you also benefit from the...

Bernard Laroche | 18 Dec 2012 | 0 comments

Is your business ready to be blacklisted by search engines, or do you have the right tools to stay online and trusted?

The only way websites can get off the blacklist and shut down the warnings is to demonstrate that they are malware free. That’s why anti-malware scans and anti-malware seals are so valuable: they offer immediate, demonstrable proof that visitors can trust a website to be free of malware.

Anti-malware scans and seals offer website owners other tangible business benefits, including:

  • uninterrupted search traffic, higher search rankings and more completed transactions
  • improved compliance with commercial and government data security standards
  • significantly decreased chances that search engines will identify the website as malicious
  • much lower likelihood of public exposure, bad press and negative business consequences from...