Following the news that Symantec fired three employees after Google’s engineers found rogue SSL certificates issued in its name, please find a comment below from Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi.
Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi:
“Rogue SSL certificates in the wild? This is nothing new. Certificate Authorities (CAs) are constantly being bombarded to issue new certificates for bad guys looking to spoof websites and execute Man-in-the-Middle attacks. While it appears these certificates were not obtained by fraud or meant to do harm, the response and reaction from Google to sound alarms is appropriate.
With the use of more encryption, organisations everywhere are going to be requesting more certificates so these rogue certs are going to get through. In this case, these were extended validation certificates that are supposed to be of the highest security. In fact, if these weren’t extended validation certificates, and required to be in a Certificate Transparency log because of Google Chrome, then we might not know about this issue. It’s one of the reasons why Certificate Reputation that goes beyond just Certificate Transparency to include hunting for possible malicious certificates on the Internet is so important.
Larger CAs like Symantec and their CA brands probably have great fraud programs and good teams, but how about the other 200 or more CAs that don’t have the same level of security controls? Their certificates are trusted just like Symantec’s. Cyber criminals who want certificates faster can easily get them from other CAs who do minimal fraud checks, have weak security controls, or fewer and less equipped staff.
If we make encryption our default, we’ll see more of these types of incidents and they won’t be accidents, especially with the federal government, since agencies are being told to use more encryption. It raises an important question: how do I stop another government CA from issuing a certificate or compelling a CA in their country to issue a .gov or .mil certificate? You simply can’t.”

About Venafi

Venafi is the Immune System for the Internet™ and protects the foundation of all cybersecurity—cryptographic keys and digital certificates—so they can’t be misused by bad guys in attacks. In today’s connected world, cybercriminals want to gain trusted status and remain undetected, which makes keys and certificates a prime target. Unfortunately, most security systems blindly trust keys and certificates. Venafi patrols across the network, on devices, and behind the firewall, constantly assessing which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not.
As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP) and a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to protect keys and certificates and eliminate blind spots from threats hidden in encrypted traffic. As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™ help organizations regain control over keys and certificates by establishing what is self and trusted on mobile devices, applications, virtual machines and network devices and out in the cloud. Venafi protects Any Key. Any Certificate. Anywhere™. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, your business, and your brand. Venafi Threat Center also provides primary research and threat intelligence for attacks on keys and certificates.
Venafi customers are among the world’s most demanding, security-conscious Global 5000 organizations in financial services, retail, insurance, healthcare, telecommunications, aerospace, manufacturing, and high tech. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners, and Origin Partners.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.