[ISN] Rare peek: Inside Symantec's security fortress

From: InfoSec News <alerts_at_private>
Date: Fri, 24 Aug 2012 08:09:11 -0500 (CDT)
http://news.cnet.com/8301-1009_3-57498393-83/rare-peek-inside-symantecs-security-fortress/

By Elinor Mills
Security & Privacy
CNET News
August 23, 2012

MOUNTAIN VIEW, Calif. -- The journey to the heart of the operation 
reminded me of the late '60s TV show "Get Smart," where one heavily 
fortified door leads to another locked entryway followed by more 
complicated defenses in a seemingly never-ending series of entry points 
requiring PINs, badges, and iris or finger scans. I balked at the DNA 
test. Joking. Actually, I was just along for the exclusive tour, flanked 
by a group of engineers and executives with high-level security 
clearances.

This is the belly of Symantec's Certificate Authority operations, where 
the company creates digital certificates and keys that prove Web sites 
are who they say they are and not an impostor trying to steal your data 
or spy on you.

Picture the scene. There's a building with no signage tucked amid a 
cluster of beige buildings on the Symantec campus. Your generic office 
park, but one that houses vital data that pretty much anyone who surfs 
the Net comes into contact with in one way or another. Nestled within 
safety deposit boxes, hidden in nine safes, locked in a cage, housed in 
a secret room in the middle of the building are stored a million digital 
keys and cryptographic certificates.

You likely don't know they are there, but these digital keys are 
exchanged and verified behind the scenes in fractions of a second, the 
time it takes to open a Web site. Usually, the only visible 
representation showing this is going on is a green URL bar or padlock 
symbol at the top of the browser when you use "https" (Hypertext 
Transfer Protocol Secure), indicating that the communication is taking 
advantage of the SSL (Secure Sockets Layer) cryptographic protocol. Most 
Internet users take it for granted that when they click on a URL they 
are going to the site they intend to visit, but underlying that action 
is a complex infrastructure for assigning the digital equivalent of 
identity papers to companies, government agencies and organizations 
running Web sites that require a high level of trust. Without this 
assurance, people couldn't trust that the site they are visiting that 
advertises itself as their bank is really their bank.

[...]
Received on Fri Aug 24 2012 - 06:09:11 PDT
