[ISN] VeriSign Breach May Actually Reaffirm Commitment To CA Model

From: InfoSec News <alerts_at_private>
Date: Tue, 7 Feb 2012 04:05:35 -0600 (CST)
http://www.darkreading.com/authentication/167901072/security/news/232600350/verisign-breach-may-actually-reaffirm-commitment-to-ca-model.html

By Ericka Chickowski
Contributing Writer
Dark Reading
Feb 06, 2012

Regardless of whether the SSL business VeriSign sold to Symantec was 
compromised in the 2010 security breach that came to light last week, 
security experts believe the breach still has Web authentication 
ramifications. Some pundits say the incident should be held up as an 
example of why DNS-based authentication on the back of DNSSEC is not 
going to solve the trust issues people have with certificate authorities 
-- it just transfers trust to entities equally vulnerable to attack.

"There are a number of people who see embedding certificate information 
into the DNS and signing it into DNSSEC as the magic bullet to solve 
this CA problem and the Web browser trust problem," says Jeff Schmidt, 
founder and CEO of JAS Global Advisors, a consulting firm specializing 
in IT, risk governance, and strategic technology risk. "In fact, that's 
not true. You're just moving the problem around. In the very specific 
instance where I open my machine and go to www.bankofamerica.com, and I 
need someone to assure me the site that is displayed is actually 
www.bankofamerica.com and not something run by the Russian mafia, 
whether that problem is solved by a CA or the DNS or something else, I 
have to trust somebody. The question then becomes, who do I trust?"

Immediately following the announcement of the breach, many security 
insiders were quick to point at the incident as yet another big CA 
breach that shakes the trust in SSL. However, though all indicators 
point to the fact that even VeriSign is not sure about exactly what 
assets were compromised in the breach, Symantec said in a statement that 
it doesn't believe the attack affected the SSL business it acquired 
after the breach.

"Symantec takes the security and proper functionality of its solutions 
very seriously," a Symantec spokesperson said. "The Trust Services 
(SSL), User Authentication (VIP, PKI, FDS) and other production systems 
acquired by Symantec were not compromised by the corporate network 
security breach mentioned in the VeriSign, Inc. quarterly filing."

[...]


Received on Tue Feb 07 2012 - 02:05:35 PST
