Sockol said that if anything, the heightened awareness resulting from the spate of attacks against SSL providers might place additional scrutiny on the remaining CAs and compel organizations to be more judicious in selecting a CA, while holding them accountable to a prescribed set of security standards.
“Maybe security professionals have to trust the trusted authorities a little less,” Sockol said. “Organizations might have to look for ways to have a system of checks and balances on their own trusted authorities.”
The latest DigiNotar incident might also open up marketplace readiness for new technology -- bolstered with greatly enhanced security mechanisms -- to validate Web sites, he said.
“The market may come out and say, ‘CAs aren’t good enough anymore,’” he said, adding that a selling point for new registrars will likely require “an increased level of validation, if they’re going to be trusted authorities.”
“Not all certificate authorities (CA) or SSL certificates are created equal. It’s important for organizations to choose their CA carefully to ensure they have thorough and effective authentication processes and procedures in place,” echoed Fran Rosch, Symantec vice president of trust services, in an e-mail.
Rosch also said that organizations should require that CAs publish their security and authentication policies and undergo rigorous security audits to detect unknown vulnerabilities. They should also implement best practices to hire only trusted individuals and take steps to adequately protect their infrastructure to prevent potential breaches, Rosch added.
Meanwhile, Venafi’s Hudson said that it was incumbent on users to rely upon multiple CAs, in the event that one gets compromised.
“You cannot put all your eggs in one basket. If you do, and it gets compromised, you’d be out of business,” he said. “What everybody has to do is have multiple CAs.”
In addition, Hudson stressed that users need a remediation plan in the event of an SSL compromise. Such a recovery plan requires the user to know where all of their certificates are located and to have a comprehensive strategy in place for switching from one CA to another if necessary.
“The implication to people is that you better wake up. Get out of denial,” he said. “Understand that this is a huge issue of business continuity. And don’t think you’re not going to get compromised, because you are.”