SSL Certificate Hack Could Result In Raised Security Standards: Partners

A recent cyber attack against SSL provider DigiNotar has left Google, Mozilla and an untold number of domains scrambling to blacklist the rogue certificates that have jeopardized the security of their networks.

The incident has undermined trust in the SSL process, but channel partners say it could bolster security standards for partnering certification authorities [CAs], while reinforcing the need for alternative failsafe mechanisms, including vulnerability scans.

Channel partners say that the DigiNotar hack has weakened the sense of security users have in SSL certification.

’If you can’t trust the trusted authority, who in the cloud can I trust? If the trusted authority can’t do enough, then how do we rely on anyone else?’ asked David Sockol, president of Emagined Security, a security solution provider based in Santa Clara, Calif. ’The biggest lesson learned? We can’t really trust anyone, including ourselves, and we need checks and balances.’

The SSL issue began July 19, when Swiss certification authority DigiNotar, a subsidiary of VASCO Data Security International, discovered that it had issued compromised certificates for a wide swath of domains, including Google.com.

Upon discovering the rogue certificates, DigiNotar revoked the certifications and ’acted in accordance with all relevant rules and procedures,’ the company said in a press release.

However, one certificate apparently fell through the cracks when DigiNotar said earlier this week said it had failed to revoke at least one fraudulent certificate used in an attack believed to be perpetrated by hackers to target victims in Iran, prompting the company to suspend its sale of SSL and EVSSL certificates.

DigiNotar said in a statement Tuesday that the July attack resulted in ’the fraudulent issuance of public key certificate request for a number of domains, including Google.com,’ although the company failed to mention other affected companies by name or the number that were impacted. However, DigiNotar’s certificate revocation list shows that the company recalled more than 100 of its certificates over the last two months.

Certification authorities, or CAs, digitally sign Web pages, which provides a trusted symbol authenticating online property protected by secure socket layer, or SSL. Cyber criminals who obtain the encryption keys are able to execute attacks on users by taking control of the affected pages and all of the content that is entered on them, for spoofing and man-in-the-middle assaults.

Meanwhile, the consequences are currently unraveling for affected customers. Earlier this week, security researchers discovered phony Web certificate for Google.com circulating on the Internet, which enabled attackers to access the cryptographic keys in order to forge Gmail, Google Docs and possibly dozens to hundreds of other Google applications.

’The hackers are really sophisticated. They’re going after the high value targets, and they know what they’re doing,’ said Jeff Hudson, CEO of Venafi, an Internet security company providing enterprise key and certificate management solutions. ’If they compromise (a CA), they can become anybody they want to be.’

In an effort to harden its security against an imminent threat, Google Chrome blacklisted 247 more SSL credentials this week. Also upon news of the intrusion, Microsoft, Firefox and other firms said that they planned to issue updates blocking SSL certificates issued by DigiNotar.

Next: SSLs Not A Hallmark Of Security, Partners Say

In general, channel partners contend that DigiNotar’s rogue SSL disaster indicates an overwhelming and often unbalanced reliance on SSL certificates as a hallmark of security.

’Companies that rely just on SSL -- that’s all that it is. They’re looking it. They’ve got a check mark. They don’t know that their web site is vulnerable,’ said Dennis London, partner and vice president of Fountain Valley, Calif.-based London Security Solutions.’There are too many people relying just on that little check mark."

’Just seeing that check mark has always been a false sense of security,’ Sockol added. ’Nothing has changed. Very few people click on that locked icon and validate that it’s their trusted authority.’

London said that while the DigiNotar hack doesn’t necessarily diminish the importance of SSLs, the incident underscores the need for organizations to conduct separate and regular vulnerability scans in order to detect security holes or compromises that may have emerged since the SSL was issued.

The issue also provides a conversation starter that allows channel partners to get in the door with their customers by emphasizing the importance of vulnerability scans to pass audits and prevent major security disasters, including rogue SSL certifications, he said.

’If they have externally facing web sites and databases, or if they have to adhere to PCI and HIPAA and any of the other compliance models, they need to have daily scans,’ London said. ’A lot of people are taking SSLs for granted. This may end up opening their eyes a bit more.’

Meanwhile, DigiNotor is just one of several CAs that have experienced a major compromise in recent months. Earlier this year, hackers targeted the SSL certificate authority Comodo by going after four of its resellers earlier this year in attacks that enabled them to gain unauthorized access to sensitive data.

During the attack, hackers launched a SQL injection assault that exploited vulnerabilities in a Comodo reseller’s Web site that allowed them to take control of the site’s backend server. The attackers then posted two data files that exposed information related to certificate signing requests, which included employee e-mail addresses, user IDs and passwords.

The spate of attacks prompted the company to revoke the signing privileges of all its resellers and implement a two-factor authentication system for them to use.

Next: CAs Might Face Additional Scrutiny Sockol said that if anything, the increased awareness incurred from the spate of attacks against SSL providers might place additional scrutiny on the remaining CAs and compel organizations to be more judicious in selecting a CA, while holding them accountable to a prescribed set of security standards.

’Maybe security professionals have to trust the trusted authorities a little less,’ Sockol said. ’Organizations might have to look for ways to have a system of checks and balances on their own trusted authorities.’

The latest DigiNotar incident might also open up marketplace readiness for new technology -- bolstered with greatly enhanced security mechanisms -- to validate Web sites, he said.

’The market may come out and say, ’CAs aren’t good enough anymore,’’ he said, adding that a selling point for new registrars will likely require ’an increased level of validation, if they’re going to be trusted authorities.’

’Not all certificate authorities (CA) or SSL certificates are created equal. It’s important for organizations to choose their CA carefully to ensure they have thorough and effective authentication processes and procedures in place,’ echoed Fran Rosch, Symantec vice president of trust services, in an e-mail.

Rosch also said that organizations should require that CA’s publish their security and authentication policies and undergo rigorous security audits to detect unknown vulnerabilities. They should also implement best practices to hire only trusted individuals and take steps to adequately protect their infrastructure to prevent potential breaches, Rosch added.

Meanwhile, Venafi’s Hudson said that it was incumbent on users to rely upon multiple CAs, in the event that one gets compromised.

’You cannot put all your eggs in one basket. If you do, and it gets comprised, you’d be out of business,’ he said. ’What everybody has to do is have multiple CAs.’

In addition, Hudson reinforced that users needed to have a remediation plan in the event of an SSL compromise. That recovery plan required the user to know where all their certificates were located while having a comprehensive strategy in place to switch from one CA to the other if necessary.

’The implication to people is that you better wake up. Get out of denial,’ he said. ’Understand that this is a huge issue of business continuity. And don’t think you’re not going to get compromised, because you are.’