VeriSign Breach May Actually Reaffirm Commitment To CA Model

  /     /     /  
Publicated : 22/11/2024   Category : security


VeriSign Breach May Actually Reaffirm Commitment To CA Model


Proposals, like DANE, to roll up certificate issuance into DNS show that trusting domain registrars just as risky as trusting CAs



Regardless of whether the SSL business VeriSign sold to Symantec was compromised in the 2010 security breach that came to light last week, security experts believe the breach still has Web authentication ramifications. Some pundits say the incident should be held up as an example of why DNS-based authentication on the back of DNSSEC is not going to solve the trust issues people have with certificate authorities -- it just transfers trust to entities equally vulnerable to attack.
There are a number of people who see embedding certificate information into the DNS and signing it into DNSSEC as the magic bullet to solve this CA problem and the Web browser trust problem, says Jeff Schmidt, founder and CEO of JAS Global Advisors, a consulting firm specializing in IT, risk governance, and strategic technology risk. In fact, thats not true. Youre just moving the problem around. In the very specific instance where I open my machine and go to www.bankofamerica.com, and I need someone to assure me the site that is displayed is actually www.bankofamerica.com and not something run by the Russian mafia, whether that problem is solved by a CA or the DNS or something else, I have to trust somebody. The question then becomes, who do I trust?
Immediately following the announcement of the breach, many security insiders were quick to point at the incident as yet another big CA breach that shakes the trust in SSL. However, though all indicators point to the fact that even VeriSign is not sure about exactly what assets were compromised in breach, Symantec said in a statement that it doesnt believe that attack affected the SSL business it acquired after the breach.
Symantec takes the security and proper functionality of its solutions very seriously, a Symantec spokesperson said. The Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing.
[Researcher points to fundamental problems in SSL and DNSSEC, and says its time for users to take control of trust. See
Time For A Better Web Of Trust?
. ]
The SSL business could have made an attractive target, but it would have made just as much sense for sophisticated attackers to go after VeriSigns other infrastructure, Schmidt says.
They have their contract with the Department of Commerce to run significant parts of the Internet infrastructure, particularly the DNS root as well as running the largest two top level domains, he says. So they do have a lot of really important behind-the-scenes stuff, and it doesnt surprise me at all that the bad guys know that and have targeted them.
If the attackers were able to compromise any part of VeriSigns domain registry business, it shows the problem with the proposal set out by the DNS-based Authentication of Named Entities (DANE) Working Group at the IETF, which hopes to circumvent trust in CAs by rolling it up into the domain registry. This breach may well blow that idea out of the water, says Tim Moses, director of advance security at Entrust and chairman of the CA/Browser Forum.
So theres a part of the Internet community thats always been very suspicious of the SSL CAs. With the arrival of DNSSEC, they think theyve identified a way of basically replacing the CAs, he says. Currently the SSL CA has to confirm the identity of the certificate applicant, and they have to go to the registrar and say, Did you register these people with this domain name? So the [DANE] school of thought says, Why dont we cut out that step and just ask the registrar to issue the certificate? Cutting out a step and cutting some costs may sound plausible, says Moses, but it definitely wont improve security.
Its based on the unspoken idea that the registrars are going to be just as good or better at securing keys as the CAs are, he says. I think incidents like this drive home the question mark over that proposal.
Have a comment on this story? Please click Discuss below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
VeriSign Breach May Actually Reaffirm Commitment To CA Model