> "Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."
Does anyone else feel this line is more suited to a Hollywood movie than a Reuters release?
I found it refreshing -- an official didn't try to downplay the issue. The reporter likely included the comment verbatim for that very reason, as in, "OMG, this is super serial."
No but I re-read that sentence three times because of how poorly it was written. I don't think I've ever read a news article where a quoted person's description bridged two facts with the phrase "and before that".
I don't understand why we trust lone authentication services. They are single points of failure. SSL Certificates should be validated by a collection of independent certificate authorities. If not all of the authorities agree on the certificate, that's a sign there is hacking going on - or a sign that not all of the services have synchronized the certificate.
If we do it this way, a hacker who wants to try to imitate a site can't get away with compromising just one certificate authority. They'd have to compromise all of them, which (if there are enough) would be nearly impossible.
Well, how do you distribute trust? Do you have a quorum or something?
Consider this ... what if I wanted to introduce doubt that X is really verified, and thereby hurt their business. How can you avoid me doing stuff like that? Besides harsh laws of course.
> Well, how do you distribute trust? Do you have a quorum or something?
Basically, yes.
> Consider this ... what if I wanted to introduce doubt that X is really verified, and thereby hurt their business. How can you avoid me doing stuff like that? Besides harsh laws of course.
By not trusting you.
Right now, what happens is the browser and/or OS vendor determines a set of certificate authorities to declare "trusted", and all certificates they issue are simply assumed to be valid.
Instead, we could require, say, three signatures, each from different authorities, to invoke the normal "this is a secure connection to a properly-identified website" behavior.
But each of those authorities was still determined by the vendor to be trustworthy. It's still going to be the likes of e.g. VeriSign, Comodo, StartSSL, etc. It's not going to be you.
That is in no way different than the current situation. If all of the dozens of trusted certificate authorities the world over have decided that they shouldn't provide certs for company X, you should probably be looking to company X for the problem, rather than the authorities.
In any case, users have always had the option of modifying the trust infrastructure or even ignoring it entirely.
Although this is perhaps an ill-timed suggestion given that it is VeriSign in the news, I have long thought that DNSSEC would serve as a good mechanism for distributing public keys.
Perhaps in conjunction rather than opposition to the current CA system.
"SSL Certificates should be validated by a collection of independent certificate authorities"
That would greatly raise the cost of the SSL certificates. And I don't think that would be something that you could get the various providers to even agree on.
> That would greatly raise the cost of the SSL certificates.
$0 x N is still $0, and the difference between 1 EV certificate and 3 EV certificates is not going to put anybody who really thinks they need one out of business.
> And I don't think that would be something that you could get the various providers to even agree on.
Put simply, certificate authorities don't have a vote. It's up to the browser and OS vendors to set their own requirements for default trust.
If Google, Microsoft, Mozilla, and Apple declare that all SSL certificates lacking at least N valid signatures are treated by default as invalid, that's the ball game. If the current authorities don't play along, new authorities will.
Edit: I should also note that there's really no need for anybody to play along. You can ship a CSR off to as many authorities as you want for signatures, then assemble those signatures and your certificate in whatever form is used by your server and the browsers. The only possible response by an authority is revocation of their signature upon discovery that your certificate has been signed by other authorities, too. Such an action would make them a laughingstock.
Isn't the name of the issuing CA inserted into the blob of ASN.1 that the CA signs?
I'm sure there have been various proposals over the years to allow it, but I don't think current X509 PKI in browsers accepts multiple signers on certs (except for odd cases like countersigned timestamps for Microsoft Authenticode code signing).
Sorry, I was speaking imprecisely and off the top of my head. You of course have to have multiple certificates, but the point is all that is necessary is for all of the certificates to be sent to the browser and for the browser to check them. It's entirely a question of browser<->server interaction.
You can get all of those certificates for the same hostname and key without any of the authorities even knowing the others exist.
Of course there are technical changes necessary in the browsers and web servers, but that's not the point. The SSL trust model is flawed and needs to be fixed, there are precious few options that won't involve some technical changes.
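As an added example that is not part of the thread, and not code from any browser, server or CA, here is what the client-side check described above could look like using only Go's standard library. Three constructed in-memory CAs (named "Demo Root A/B/C", an assumption for the example) each issue a separate certificate for the same host name and the same server key, sidestepping the issuer-name-in-the-signed-blob problem raised above; the verifier then validates every presented certificate against the trusted roots and counts how many distinct roots vouch for one key under that name. A set carrying only one CA's certificate falls short of a 3-of-3 quorum and would be treated as invalid under the proposed policy. The host name example.test is also an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoCA is a constructed, in-memory certificate authority: a self-signed
// root plus its private key. Three of these stand in for independent CAs.
type demoCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newDemoCA(name string) (*demoCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &demoCA{cert: cert, key: key}, nil
}

// issue signs an end-entity certificate for host that binds pub. The same
// key can be certified by several CAs without any of them knowing the others.
func (ca *demoCA) issue(host string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IndependentSignatures is the browser-side check: verify each presented
// certificate against the trusted roots, group the valid ones by the public
// key they certify, and return the largest number of distinct root CAs that
// vouch for a single key under this host name. Certificates that fail chain
// validation, or that certify some other key, do not count toward the quorum.
func IndependentSignatures(certs []*x509.Certificate, roots *x509.CertPool, host string) int {
	byKey := map[string]map[string]bool{}
	for _, c := range certs {
		chains, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		if err != nil {
			continue // untrusted issuer, wrong name, expired, bad signature
		}
		keyDER, err := x509.MarshalPKIXPublicKey(c.PublicKey)
		if err != nil {
			continue
		}
		k := string(keyDER)
		if byKey[k] == nil {
			byKey[k] = map[string]bool{}
		}
		root := chains[0][len(chains[0])-1] // last element of the chain is the root
		byKey[k][root.Subject.CommonName] = true
	}
	best := 0
	for _, issuers := range byKey {
		if len(issuers) > best {
			best = len(issuers)
		}
	}
	return best
}

// Demo builds three constructed CAs and one server key, has each CA certify
// that key for host, and returns the count for the full set and for a set
// carrying only one CA's certificate (which a 3-of-3 policy would reject).
func Demo(host string) (full, single int, err error) {
	var cas []*demoCA
	roots := x509.NewCertPool()
	for _, name := range []string{"Demo Root A", "Demo Root B", "Demo Root C"} {
		ca, err := newDemoCA(name)
		if err != nil {
			return 0, 0, err
		}
		cas = append(cas, ca)
		roots.AddCert(ca.cert)
	}
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	var certs []*x509.Certificate
	for _, ca := range cas {
		c, err := ca.issue(host, &serverKey.PublicKey)
		if err != nil {
			return 0, 0, err
		}
		certs = append(certs, c)
	}
	return IndependentSignatures(certs, roots, host), IndependentSignatures(certs[:1], roots, host), nil
}

func main() {
	const quorum = 3
	full, single, err := Demo("example.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("three CAs: %d independent signatures, quorum met: %v\n", full, full >= quorum)
	fmt.Printf("one CA:    %d independent signature,  quorum met: %v\n", single, single >= quorum)
}
```

The grouping by public key matters: counting any three valid certificates for the name would let three certificates for three different keys satisfy the quorum, which is exactly the single-CA mis-issuance the policy is meant to catch. Counting distinct roots rather than distinct certificates likewise stops one CA from satisfying the quorum by issuing the same cert three times.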
Another day, another APT reported by some company integral to the technological infrastructure of the US (and the world in this case). When will we take real, substantive action on this issue?
The only workable deterrent is the threat of a proportional (or more than proportional) response.
Since hacking is usually hard to pin down definitively to a single actor, and it's difficult to justify a conventional armed response, you probably want a response that has similar properties.
If you assume that China is the perpetrator, then the best response to hacking attacks is to let it be known to the Chinese government that any hacking attempts will be responded to by attempts to destabilize communist party control (encouraging dissidents through side-channels, developing/distributing tech to bypass the great firewall, etc)
Perhaps some kind of cyber-warfare non-proliferation treaty akin to START. Nation states agree to not launch APTs against each other, and pledge to prosecute any of their citizens that launch such attacks independently.
First of all, START isn't even about non-proliferation. Has nothing to do with it. It's a series of agreements between two superpowers that served mostly as a diplomatic tool to de-escalate Cold War tensions and provide political cover for military budget reductions. It's been wildly successful in that regard.
The actual Nuclear Non-Proliferation Treaty is entirely about non-proliferation, a pre-emptive attempt to keep the capability of nuclear warfare out of the hands of most nations. It has absolutely nothing to do with preventing nuclear warfare between those nations already possessing them.
We haven't had nuclear war because so far, nobody who either actually wants to end the world, or is stupid enough to think he can "win" a nuclear war, has been in control of nuclear weapons. Not because of some piece of paper saying "I promise I won't kill you". Hitler had one of those with Stalin, how'd that work out?
"Cyber warfare" doesn't have the problems of nuclear warfare. It's unlikely to end the world, it's relatively cheap, the tools are widely available, and unlike physical warfare which destroys economies, it's actually about the economy. It's about getting a leg up on the competition. It's about money, period. The world some non-technical people live in where "cyber warfare" is all about winning actual wars is a world of fantasy.
In human history, only one thing has reliably stopped wars, and that is the tying together of nations' economies so closely that war between them becomes economically impossible. This just doesn't work in "cyber warfare".
At this point, VeriSign might as well be an instrumentality of the US government. The answer to your question is "When we take substantive action on the brokenness of the US political system".
The question is why don't you ever hear about some huge Chinese or Russian website being hacked? It seems most of these types of high level intrusions can be traced back to those two countries.
We can only HOPE that somewhere the US has a Top Secret Cyber Warfare group that's so good they never get caught.
> The question is why don't you ever hear about some huge Chinese or Russian website being hacked?
Well, I have, occasionally, heard about such things, but personally, I don't live in China or Russia, I don't speak Chinese or Russian, I don't really know any Russians, the only ethnic Chinese I know are either Silicon Valley residents or employees of a Taiwan-based company I work for as an engineer (and at least two of them are also US citizens and spent the vast majority of their careers in Silicon Valley!), and at the end of the day, I just don't really care what goes on with Chinese and Russian websites. I'd venture a guess that I'm not unusual in that regard amongst Americans or, for that matter, most other non-Russian and non-Chinese people in the world.
I'd also note that laws and business culture in both places may well be even less conversant to public revelation of security breaches than in the English-speaking world.
Thus, I would find it very odd if a western news agency spent much time reporting on the security of Chinese and Russian websites.
As an aside, registrar interactions with Verisign have several security layers involved to prevent someone from accessing and changing domain dns (we deal with this as a registrar). Of course those methods are only as secure as the particular registrar defenses are. As are the nameservers used in any particular domain.
From the filing: We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.
In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.
The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company’s management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company’s disclosure controls and procedures in this area. See Item 4 “Controls and Procedures” in Part I of this report.
It's interesting to note that the SEC issued guidelines on the reporting of security breaches on October 13th, 2011 ( http://www.sec.gov/divisions/corpfin/guidance/cfguidance-top... ) and VeriSign's SEC filing was released about two weeks later on October 28th, 2011. It could be the case that the security breach wasn't actually a major one, but because the SEC guidelines were so new they thought it prudent to mention even a minor security breach.
From this filing, there's no way to know the severity of the breach, which is why I think it's unfair for Reuters to make this seem like a bigger deal than it might actually be. (They mention the RSA security breach which was a huge deal, and they suggest the attack was done by a "nation-state".) It reads like an article written by Nancy Grace.
Of course it could be the case that this was a major attack carried out by China, but it could also be a mundane attack on a public web server that wouldn't have made the news if not for the timing of the recent SEC guidelines. There's just no way to know from the information available.
"I think it's unfair for reuters to make this seem like a bigger deal than it might actually be"
The filing says:
"the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers"
The headline was:
"Key Internet operator VeriSign hit by hackers"
This wasn't the lead story on the nightly news. It was a Reuters article with a fair headline for what happened. The mere fact that they reported it in their filings but didn't disclose it to company management is a problem right there.
This delightful fear-mongering quote from a former DHSer is in the article:
> "Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."
The point is that this was a small attack that affected a very small part of the company that they don't believe has any lasting implications to their business. You get an article with quotes like that from such a small attack, and it makes you raise an eyebrow.
This doesn't make sense. It is company management who writes the filings, not the network admins. How can it be in the filings but not go through management?
> He said he hoped new legislation on cybersecurity, expected to reach the Senate floor this month, would call for more disclosures and bring more aid to companies under attack.
Uh huh.
Interesting that a large argument against SOPA was that it would break the security of the internet. Now we are getting stories claiming that the internet is already broken and we'll need new laws to fix it.
Expect the laws needed to fix the security of the internet to also include fixing the "evils" of copyright "theft".
Am I the only one who wonders if Symantec is the right company to be in control of VeriSign???
To me it seems that there would be a little bit of a conflict of interest around owning an antivirus company and the tool that tells you a site is who they say they are.
I know this sounds a little crazy, but think about it before you downvote me.
This article doesn't have many details on what the actual attack involved. Anyone have actual details? I would assume that VeriSign has a very segregated network and a breach somewhere would have a hard time propagating to their more important things like their CA signing server and .com stuff.
The (reported) fact that they were hacked repeatedly in 2010 and the CTO at that time (claims he) didn't learn of it until Reuters called him for a comment doesn't exactly paint a reassuring picture.
I bet Symantec is a little irritated that they bought the VeriSign^TM CA business in 2010. Are they going to want their money back?
If they can't prove there was no compromise of the private keys, will Symantec reissue the 30 year VeriSign root certs?
Interesting how the filing mentions the threat to their DNS business. Perhaps the potential risk to the root CA is no longer considered relevant since they've sold it?