If we do it this way, a hacker who wants to try to imitate a site can't get away with compromising just one certificate authority. They'd have to compromise all of them, which (if there are enough) would be nearly impossible.
Consider this ... what if I wanted to introduce doubt that X is really verified, and thereby hurt their business. How can you avoid me doing stuff like that? Besides harsh laws of course.
Basically, yes.
> Consider this ... what if I wanted to introduce doubt that X is really verified, and thereby hurt their business. How can you avoid me doing stuff like that? Besides harsh laws of course.
By not trusting you.
Right now, what happens is the browser and/or OS vendor determines a set of certificate authorities to declare "trusted", and all certificates they issue are simply assumed to be valid.
Instead, we could require, say, three signatures, each from different authorities, to invoke the normal "this is a secure connection to a properly-identified website" behavior.
But each of those authorities was still determined by the vendor to be trustworthy. It's still going to be the likes of VeriSign, Comodo, StartSSL, etc. It's not going to be you.
Perhaps in conjunction rather than opposition to the current CA system.
That would greatly raise the cost of the SSL certificates. And I don't think that would be something that you could get the various providers to even agree on.
$0 x N is still $0, and the difference between 1 EV certificate and 3 EV certificates is not going to put anybody who really thinks they need one out of business.
> And I don't think that would be something that you could get the various providers to even agree on.
Put simply, certificate authorities don't have a vote. It's up to the browser and OS vendors to set their own requirements for default trust.
If Google, Microsoft, Mozilla, and Apple declare that all SSL certificates lacking at least N valid signatures are treated by default as invalid, that's the ball game. If the current authorities don't play along, new authorities will.
Edit: I should also note that there's really no need for anybody to play along. You can ship a CSR off to as many authorities as you want for signatures, then assemble those signatures and your certificate in whatever form is used by your server and the browsers. The only possible response by an authority is revocation of their signature upon discovery that your certificate has been signed by other authorities, too. Such an action would make them a laughingstock.
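The N-of-M scheme sketched in this comment (ship one CSR to several authorities, bundle the resulting certificates, and have the browser demand at least N independent signatures over the same key and host) as an added worked example. This is not code from the thread, from any CA, or from any browser vendor; it builds three hypothetical roots in-process with Go's standard crypto/x509, so every name, key and host below is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// ca is one hypothetical authority built in-process; its name and key belong to no real CA.
type ca struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// must panics on error, which is fine for an in-process example but not for a real verifier.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl with priv under parent (parent == tmpl for a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

func newCA(name string) *ca {
	k := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return &ca{key: k, cert: issue(tmpl, tmpl, &k.PublicKey, k)}
}

// sign issues a server certificate for the CSR's name and key; no CA needs to know the others exist.
func (a *ca) sign(csr *x509.CertificateRequest) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, a.cert, csr.PublicKey, a.key)
}

// csrFor builds the one CSR a site operator ships to every authority.
func csrFor(host string, k *ecdsa.PrivateKey) *x509.CertificateRequest {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader, tmpl, k))))
}

// independentIssuers counts distinct trusted roots that validly signed a certificate for host
// carrying the same public key as bundle[0]. Each certificate is checked against a pool holding
// one root, so a compromised root adds at most one, and padding certs for other keys add nothing.
func independentIssuers(bundle, roots []*x509.Certificate, host string) int {
	seen := map[string]bool{}
	for _, c := range bundle {
		if !bytes.Equal(c.RawSubjectPublicKeyInfo, bundle[0].RawSubjectPublicKeyInfo) {
			continue
		}
		for _, r := range roots {
			pool := x509.NewCertPool()
			pool.AddCert(r)
			if _, err := c.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}); err == nil {
				seen[string(r.RawSubjectPublicKeyInfo)] = true
			}
		}
	}
	return len(seen)
}

// accepted is the proposed browser rule: fewer than n independent signatures, no padlock.
func accepted(bundle, roots []*x509.Certificate, host string, n int) bool {
	return independentIssuers(bundle, roots, host) >= n
}

// scenario returns issuer counts for (a) a site holding a certificate from each of three
// roots and (b) an impostor who compromised one root and padded with the site's real certs.
func scenario() (siteCount, impostorCount int) {
	const host = "example.com" // hypothetical host name
	cas := []*ca{newCA("Root A"), newCA("Root B"), newCA("Root C")}
	var roots, site []*x509.Certificate
	siteCSR := csrFor(host, newKey())
	for _, a := range cas {
		roots = append(roots, a.cert)
		site = append(site, a.sign(siteCSR))
	}
	impostor := append([]*x509.Certificate{cas[0].sign(csrFor(host, newKey()))}, site...)
	return independentIssuers(site, roots, host), independentIssuers(impostor, roots, host)
}
```

Two design points matter more than the plumbing. First, each certificate is verified against a pool containing a single root, and the count is keyed by the root's public key, so an attacker who owns one CA (or who finds two trusted roots sharing a key) can contribute at most one signature however many certificates that CA issues. Second, only certificates carrying the same public key as the first one in the bundle are counted, which is why the impostor in `scenario` gets a count of 1 even after padding its bundle with the victim's three genuine certificates: those vouch for the victim's key, not the attacker's. What the example does not model is the revocation response the comment mentions, nor how a browser would discover that a site holds more certificates than the one it presented; in the scheme as sketched, the server has to send the whole bundle.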
Got any new ideas? (seriously)
Since hacking is usually hard to pin down definitively to a single actor, and it's difficult to justify a conventional armed response, you probably want a response that has similar properties.
If you assume that China is the perpetrator, then the best response to hacking attacks is to let it be known to the Chinese government that any hacking attempts will be responded to by attempts to destabilize communist party control (encouraging dissidents through side-channels, developing/distributing tech to bypass the great firewall, etc)
We can only HOPE that somewhere the US has a Top Secret Cyber Warfare group that's so good they never get caught.
Well, I have, occasionally, heard about such things, but personally, I don't live in China or Russia, I don't speak Chinese or Russian, I don't really know any Russians, the only ethnic Chinese I know are either Silicon Valley residents or employees of a Taiwan-based company I work for as an engineer (and at least two of them are also US citizens and spent the vast majority of their careers in Silicon Valley!), and at the end of the day, I just don't really care what goes on with Chinese and Russian websites. I'd venture a guess that I'm not unusual in that regard amongst Americans or, for that matter, most other non-Russian and non-Chinese people in the world.
I'd also note that laws and business culture in both places may well be even less conversant to public revelation of security breaches than in the English-speaking world.
Thus, I would find it very odd if a western news agency spent much time reporting on the security of Chinese and Russian websites.
Does anyone else feel this line is more suited to a Hollywood movie than a Reuters release?
I don't see anything wrong with that.
From the filing: We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to Management.
In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (“DNS”) network. Information stored on the compromised corporate systems was exfiltrated. The Company’s information security group was aware of the attacks shortly after the time of their occurrence and the group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.
The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the Company’s management concluded that our disclosure controls and procedures are effective. However, the Company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the Company’s disclosure controls and procedures in this area. See Item 4 “Controls and Procedures” in Part I of this report.
It's interesting to note that the SEC issued guidelines on the reporting of security breaches on October 13th, 2011 (http://www.sec.gov/divisions/corpfin/guidance/cfguidance-top...) and VeriSign's SEC filing was released about two weeks later on October 28th, 2011. It could be the case that the security breach wasn't actually a major one, but because the SEC guidelines were so new they thought it prudent to mention even a minor security breach.
From this filing, there's no way to know the severity of the breach, which is why I think it's unfair for Reuters to make this seem like a bigger deal than it might actually be. (They mention the RSA security breach, which was a huge deal, and they suggest the attack was done by a "nation-state".) It reads like an article written by Nancy Grace.
Of course it could be the case that this was a major attack carried out by China, but it could also be a mundane attack on a public web server that wouldn't have made the news if not for the timing of the recent SEC guidelines. There's just no way to know from the information available.
"I think it's unfair for Reuters to make this seem like a bigger deal than it might actually be"
The filing says:
"the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers"
The headline was:
"Key Internet operator VeriSign hit by hackers"
This wasn't the lead story on the nightly news. It was a Reuters article with a fair headline for what happened. The mere fact that they reported it in their filings but didn't disclose it to company management is a problem right there.
"Oh my God," said Stewart Baker, former assistant secretary of the Department of Homeland Security and before that the top lawyer at the National Security Agency. "That could allow people to imitate almost any company on the Net."
The point is that this was a small attack that affected a very small part of the company that they don't believe has any lasting implications to their business. You get an article with quotes like that from such a small attack, and it makes you raise an eyebrow.
Uh huh.
Interesting that a large argument against SOPA was that it would break the security of the internet. Now we are getting stories claiming that the internet is already broken and we'll need new laws to fix it.
Expect the laws needed to fix the security of the internet to also include fixing the "evils" of copyright "theft".
I bet Symantec is a little irritated that they bought the VeriSign^TM CA business in 2010. Are they going to want their money back?
If they can't prove there was no compromise of the private keys, will Symantec reissue the 30 year VeriSign root certs?
EDIT: The SEC filing is here (keyword "breach") https://investor.verisign.com/secfiling.cfm?filingID=1193125...
Interesting how the filing mentions the threat to their DNS business. Perhaps the potential risk to the root CA is no longer considered relevant since they've sold it?
Whatever security problems Verisign has had, Symantec's are far worse.
To me it seems that there would be a little bit of a conflict of interest around owning an antivirus company and the tool that tells you a site is who they say they are.
I know this sounds a little crazy, but think about it before you downvote me.