

SSL Certificate Hack Could Result In Raised Security Standards: Partners

By Stefanie Hoffman
September 01, 2011    7:12 PM ET

Page 3 of 3

Sockol said that if anything, the increased awareness generated by the spate of attacks against SSL providers might place additional scrutiny on the remaining CAs and compel organizations to be more judicious in selecting a CA, while holding CAs accountable to a prescribed set of security standards.

“Maybe security professionals have to trust the trusted authorities a little less,” Sockol said. “Organizations might have to look for ways to have a system of checks and balances on their own trusted authorities.”

The latest DigiNotar incident might also open up marketplace readiness for new technology -- bolstered with greatly enhanced security mechanisms -- to validate Web sites, he said.

“The market may come out and say, ‘CAs aren’t good enough anymore,’” he said, adding that a selling point for new registrars will likely require “an increased level of validation, if they’re going to be trusted authorities.”

“Not all certificate authorities (CAs) or SSL certificates are created equal. It’s important for organizations to choose their CA carefully to ensure they have thorough and effective authentication processes and procedures in place,” echoed Fran Rosch, Symantec vice president of trust services, in an e-mail.

Rosch also said that organizations should require that CAs publish their security and authentication policies and undergo rigorous security audits to detect unknown vulnerabilities. CAs should also implement best practices to hire only trusted individuals and take steps to adequately protect their infrastructure to prevent potential breaches, Rosch added.

Meanwhile, Venafi’s Hudson said that it was incumbent on users to rely upon multiple CAs, in the event that one gets compromised.

“You cannot put all your eggs in one basket. If you do, and it gets compromised, you’d be out of business,” he said. “What everybody has to do is have multiple CAs.”

In addition, Hudson stressed that users need a remediation plan in the event of an SSL compromise. That recovery plan requires the user to know where all their certificates are located and to have a comprehensive strategy in place to switch from one CA to another if necessary.

“The implication to people is that you better wake up. Get out of denial,” he said. “Understand that this is a huge issue of business continuity. And don’t think you’re not going to get compromised, because you are.”
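Hudson's advice (know where every certificate is, avoid depending on a single CA, be ready to move) can be checked mechanically against a certificate inventory. The Go program below is an added example, not code from the article or from any vendor quoted in it; the two CA names and four hosts are constructed fixtures, and a real estate would be loaded from exported PEM files instead of minted in place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

func must[T any](v T, err error) T { // fixtures below are constructed, so any error is a bug here
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a constructed leaf cert for host whose Issuer names ca (same x509 type a PEM export yields).
func issue(host, ca string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // throwaway signing key
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: ca}} // Issuer is copied from parent.Subject
	der := must(x509.CreateCertificate(rand.Reader, leaf, parent, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// AssessCAExposure groups an inventory by issuing CA and returns that grouping, the CA whose
// compromise would force the most re-issuance, and the fraction of the estate that CA covers.
func AssessCAExposure(certs []*x509.Certificate) (map[string][]string, string, float64) {
	byCA, worst, peak := map[string][]string{}, "", 0
	for _, c := range certs {
		ca := c.Issuer.CommonName
		byCA[ca] = append(byCA[ca], c.Subject.CommonName)
		if len(byCA[ca]) > peak {
			worst, peak = ca, len(byCA[ca])
		}
	}
	return byCA, worst, float64(peak) / float64(len(certs))
}

func main() {
	estate := []*x509.Certificate{ // constructed sample estate: three hosts on one CA, one on another
		issue("www.example.test", "Example CA One"), issue("mail.example.test", "Example CA One"),
		issue("vpn.example.test", "Example CA One"), issue("api.example.test", "Example CA Two"),
	}
	byCA, worst, share := AssessCAExposure(estate)
	fmt.Printf("%s issues %.0f%% of the estate; re-issue elsewhere if it is compromised: %v\n", worst, share*100, byCA[worst])
}
```

The hosts listed for the worst-case CA are the ones the recovery plan must be able to re-issue from another CA before that CA is distrusted.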


