
Website Security Solutions

Showing posts tagged with SSL Certificates
Jeannie Warner | 18 Dec 2012 | 0 comments

When your mobile or web browser address bar turns green it’s a clear sign that you can complete a transaction, or fill out an online form with confidence. The green address bar indicates that you’re on a site that has an Extended Validation (EV) certificate, a measure increasingly used by organizations to provide reassurance to customers who are wary of sharing personal information online. Sites protected by an EV certificate must pass the industry’s most stringent standards for identity validation and if the certificate is from Symantec it also protects you from malware, as these sites are scanned daily for infection.

To receive an EV certificate, an organization not only has to demonstrate secure encryption methods but also pass rigorous checks based on the highest industry standards to prove that it...

FranRosch | 18 Dec 2012 | 0 comments

Trust on the internet isn't just a catch phrase. It's a concern that engenders policies that extend from the virtual world of security products and integration all the way down into process and physical reinforcement. It is also a daily practice at Symantec, where we back up our mission statements with concrete, measured practices. We built our datacenter facilities with a defense in depth approach, and believe in practicing what we preach regarding the standards a CA should adhere to. My leadership team demands that our infrastructure supports our strategy to be the best.

We gave the folks at CNet a tour of our Operations facility where we process SSL Certificates, and showed them our model of what makes a secure facility. We are constantly investing in improvement, keeping up with the latest trends in physical security as a vital link to supporting our virtual security. Recently, CNet published the following article about what they saw on that tour:

...

Jeannie Warner | 18 Dec 2012 | 0 comments

Keeping Your Personal Information Secure
 

It’s a great time for sports fans, with the summer Olympics still fresh in our minds, the NFL season kicking off, and hockey and basketball just around the corner. Unfortunately, it’s also a great time for cyber criminals who take advantage of the excitement to steal valuable personal information.

A common approach, known as “phishing,” uses phony emails that inform fans they have won the “NFL Lottery” or can purchase discounted tickets. These emails often contain links to websites that look genuine but are designed to trick users into providing login and password details. Some also include attachments that can download nasty computer viruses.

As scammers grow more sophisticated, users have to up their defensive game. Here are some tips to help protect against phishing attacks:

  1. Never click on links or open attachments in unsolicited emails....

FranRosch | 18 Dec 2012 | 0 comments

Symantec has been a key driver in collaborative work with the CA/B Forum to develop a new set of baseline requirements for organization and domain validated SSL certificates. The CA/B Forum is an organization of leading Certification Authorities (CAs) and vendors of Internet browser software and other applications. The CA/B Baseline Requirements are documented in “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates v. 1.0”.

We are proud to announce that Symantec is adopting the new Baseline Requirements effective July 1st, 2012. 

The Baseline Requirements focus on providing clear standards for CAs on important topics including verification of identity, certificate content and profiles, CA security, revocation mechanisms, use of algorithms and key sizes, audit requirements, liability, privacy and confidentiality, and delegation (including external sub-...

FranRosch | 18 Dec 2012 | 0 comments

We are excited about hosting the CA/Browser Forum meeting this week in Mountain View and have a great set of attendees from the leading browser vendors and Certificate Authorities as well as several other interested third parties. At Symantec, we believe that the CA/B Forum efforts to improve the SSL ecosystem have become even more important given the breaches and attacks over the past year. The agenda this week is packed with some important topics including:

  1. Standards for improving the security related to CA operations
  2. Intellectual Property Sharing Policy
  3. Discussion on how we can evolve the CA/B Forum decision making process and how we can include the feedback from external third parties including Relying Parties
  4. Higher Authenticated Code Signing Certificates
  5. Certificate invalidation methods

One other topic sure to be discussed is the role of Domain Validated SSL certs...

FranRosch | 18 Dec 2012 | 0 comments

By now, everyone is aware of the story published in the New York Times earlier this week by John Markoff. The team of researchers led by Arjan Lenstra scanned 7.1 million 1024-bit public-facing RSA keys, and came to the conclusion that an estimated 0.2 percent of all RSA keys in the wild are duplicate keys, and many more may share a common prime factor. Lenstra's research paper stated the following:
 
“We performed a sanity check of public keys collected on the web. Our main goal was to test the validity of the assumption that different random choices are made each time keys are generated. We found that the vast majority of public keys work as intended. A more disconcerting finding is that...

FranRosch | 18 Dec 2012 | 3 comments

News broke recently that Verisign, Inc. reported in their quarterly SEC filings that they had been victims of a security breach in 2010. At this time, Verisign, Inc. has only confirmed that the incident did not impact their DNS business. 

Just as Verisign, Inc. stated that there was no impact to their production environment, I stand behind the following statement that Symantec made in response to media questions regarding the 2010 Verisign, Inc. security breach:

Symantec takes the security and proper functionality of its solutions very seriously. Trust Services (SSL), User Authentication (VIP, PKI, FDS), and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the Verisign, Inc. quarterly filing.

Unfortunately, many people are associating the breach at Verisign, Inc. with...

Leelin Thye | 18 Dec 2012 | 0 comments

Today, Symantec is launching Symantec Certificate Intelligence Center as a generally available release after a successful public beta. Symantec Certificate Intelligence Center is a cloud-based service for enterprises to discover all SSL certificates, regardless of Certificate Authority (CA), and exercise end-to-end certificate lifecycle management.

The onslaught of news on security breaches related to SSL certificates such as weak 512-bit SSL certificates being issued by CAs, or stolen certificates being used to propagate cyber attacks, or even...

FranRosch | 18 Dec 2012 | 1 comment

There is a distributed denial of service (DDOS) attack making news this week called THC-SSL-DOS, and it’s stirring up some discussion about the renegotiation feature of SSL. Some are saying this is a flaw in SSL. It is not. SSL renegotiation is a feature, not a flaw to be fixed. The attack is primarily another DDOS attack.

A better user experience

Renegotiation is a feature that makes it possible to adjust the parameters of an SSL handshake without requiring an entirely new SSL session. This allows for an improved user experience, a must-have for most Ecommerce, media, cloud providers, and SaaS sites.

Here is just one example: a web user visits a web site that is SSL encrypted. After spending some time shopping on that site anonymously the user decides to purchase or log in. Renegotiation will allow the SSL connection with that site to adjust to authenticate the user without requiring a break in the user experience. This way, all the...

FranRosch | 18 Dec 2012 | 0 comments

Some of the files associated with the new W32.Duqu threat were signed with a private key. After intense investigation we concluded that the private key used for signing these Duqu files was stolen from a Symantec customer whose systems appear to have been compromised. The private key was associated with a code signing certificate issued to that customer.

A Stolen Key

We take this very seriously and quickly revoked the customer code signing certificate in question. We have found no evidence of any breach to our systems and our records show that the code signing certificate was issued only after completing our rigorous customer authentication process. Our systems, roots and intermediate CAs were never at risk.

Running the world’s largest commercial cyber-intelligence network, Symantec is constantly monitoring the internet and customer environments in search of...