The Internet is buzzing with news of a recently compromised Certificate Authority (CA), DigiNotar, owned by VASCO Data Security International, Inc., a breach that may have put a large number of consumers at risk.
In July of this year an internal audit discovered an intrusion within DigiNotar’s CA infrastructure indicating compromise of their cryptographic keys. The breach of these keys resulted in the fraudulent issuance of public key certificates for several dozen domains, including the domain Google.com. Shortly after the incident DigiNotar revoked all of the certificates in question, conducted an additional external security audit and then attempted to revoke any outstanding certificates that were affected. As of July 19th, DigiNotar believed all fraudulent certificates had been taken out of circulation by revocation.
Unfortunately, this week it was found that fraudulent certificates were still in circulation. On August 28, 2011 a false DigiNotar wildcard SSL certificate issued for Google was discovered still in the wild. Google announced that the cert was primarily affecting Gmail users in Iran. Rumors have surfaced that suggest these fraudulent certificates were used for the surveillance of email transmissions among dissident groups and individuals located in the Middle East.
This is just the latest in a string of successful attacks on certificate authorities this year, and the threat to certificate authorities by bad actors will certainly not abate. On the contrary, hackers have been raising their game steadily and the techniques used to exploit networks grow ever more sophisticated.
As one of the world’s leading certificate authorities we at Symantec take the responsibility for securing the transit of data on the Internet as a serious obligation to our customers. It is critical that a Certificate Authority’s top business priority be placed on:
1) The continual hardening of the infrastructure that protects the cryptographic keys and
2) Securing the authentication process that validates identity.
Rigorous and diligent upkeep of the security infrastructure surrounding a Certificate Authority must be seen as a crucial ingredient in the success of a CA’s customers and the web consumer community at large.
Not all Certificate Authorities are created equal
For businesses considering a choice of CA providers, it is important to remember that your choice does in fact matter. Not all SSL certificates are issued with the same rigor, and businesses should consider the level of authentication and security that goes into the SSL certificates to which they entrust their brand and their customers. Organizations should ensure that CAs publish their policies and undergo routine audits to verify a secure infrastructure. Regrettably, there is no minimum standard within the current SSL certificate market. Although price certainly plays a significant role in the purchasing process, as the multiple CA breaches this year have reminded us, we suggest price should be but one of many factors in selecting a CA. When evaluating a CA we urge you to take into account the following considerations:
- Diligence of the security used by the CA to protect cryptographic keys
- Specifically designed hardened facilities to defend against attack
- Hardware-based cryptographic signature systems
- Regular third party audits
- Thorough network security and antimalware defense
- Enforcement of dual control certificate issuance used by the vendor
- Use of authentication/registration best practices to identify ownership
- Documented CA employee background investigations to protect against insider threat
- Strong history of the vendor’s trust and security
For consumers, it is important to know that SSL remains the most effective method of secure web data transmission. It is equally critical to remain aware of who is behind the security of the web site you are doing business with. Are they reputable? Do they have a proven track record for issuance of certificates? Do they have a robust infrastructure in place to prevent these types of attacks? To further protect yourself online, know what to look for:
- Keep your browser software updated to obtain the latest set of valid root keys
- Watch for the green address bar provided by Extended Validation (EV) SSL for extra protection
- Look out for a recognized trust mark such as the VeriSign Secured seal with the check-mark
- Keep an eye out for the ‘s’ in “https” in the URL to indicate a secure environment
- Watch for the padlock to verify who has signed the SSL certificate, and ensure that you recognize the CA
At the end of the day, it is important for the community to understand that there is nothing inherently broken with SSL; it is really just about CAs and businesses doing the right thing and ensuring that consumer information remains secure. CAs that follow established best practices for securing private keys, along with vigilant enforcement of stringent authentication practices, are critical components in keeping the Internet a safe environment for all.