The DigiNotar breach is being called the worst breach so far. Breaches come in all shapes and sizes, but when they occur on the very systems that are supposed to protect us, the impact is more widespread.
Certainly this is not the first Certificate Authority breach; Comodo is just one recent example of an SSL Certificate Authority breach. Engineers know that there is far more to learn from failure than from success. Bridge engineers study famous failures such as the Tacoma Narrows Bridge to learn how to build stronger bridges. Aeronautic engineers study downed planes. What might Information Security learn from the recent problems at SSL Certificate Authorities like DigiNotar?
The first lesson is – Don’t Put All Your Eggs in One Basket. A main factor in why this year’s SSL Certificate Authority breaches have been so hard to contain is how much trust security architects place in a single protocol. Related to this, the second lesson is – Have a Layered Defense. The principle of Defense in Depth is that when one component fails, other controls remain in place; however, many systems trust SSL to provide all the security they need. This naively misses the areas of data confidentiality, integrity, application security and other security concerns. The SSL Certificate Authority breaches won’t stop people from using SSL to protect their systems, and that is a good thing, but hopefully they will stop people from relying on SSL alone to protect Web services and other systems.
The third lesson is – Stop Hitting the Snooze Button. As application technology evolves, the security architecture must step up to the challenge and meet the new technology with stronger controls.
SSL has served security architects well, but security architecture must be more than just “Network Firewalls and SSL”. Security Gateways offer concrete improvements: access control through strong identity protocols like SAML and OAuth, better visibility through audit logging and monitoring, and the ability to tailor the right mix of Defense in Depth controls to the deployment. For more ideas in this space, have a look at the Security Gateway Buyer’s Guide, which surveys the state of play for security architects beyond just SSL.
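One concrete layer that does not depend on the transport is message-level integrity: each request carries an HMAC over its body, a timestamp and a nonce, and the receiving service (or a security gateway in front of it) verifies all three before acting. If the TLS channel is terminated by an impostor holding a fraudulently issued certificate, a tampered or replayed request is still rejected at the application layer. The example below is added here to illustrate that idea; it is not code from the original post or from any product the post mentions. The key, the envelope format and the sample payloads are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo key. In a real deployment the key lives in a key store and is
# shared only between the sender and the verifying service or gateway.
DEMO_KEY = b"constructed-demo-key-0123456789abcdef"
MAX_SKEW_SECONDS = 300  # how far a message timestamp may drift from the receiver's clock


def canonical(body: dict) -> bytes:
    """Serialize deterministically so sender and verifier sign identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key: bytes, payload: dict, now: Optional[float] = None,
                 nonce: Optional[str] = None) -> dict:
    """Wrap a payload in an envelope with timestamp, nonce and HMAC-SHA256 tag."""
    envelope = {
        "ts": int(now if now is not None else time.time()),
        "nonce": nonce or secrets.token_hex(16),
        "payload": payload,
    }
    envelope["tag"] = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


class Verifier:
    """Application-layer check that holds even if the transport layer was subverted."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen_nonces = set()  # demo only; production uses a bounded store with TTL

    def verify(self, envelope: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = now if now is not None else time.time()
        try:
            tag = envelope["tag"]
            body = {k: v for k, v in envelope.items() if k != "tag"}
            expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
            # Constant-time comparison; a plain == would leak tag bytes via timing.
            if not hmac.compare_digest(expected, tag):
                return False, "bad signature"
            # Integrity is established, so ts and nonce are now trustworthy fields.
            if abs(now - body["ts"]) > self.max_skew:
                return False, "stale timestamp"
            if body["nonce"] in self.seen_nonces:
                return False, "replayed nonce"
            self.seen_nonces.add(body["nonce"])
            return True, "ok"
        except (KeyError, TypeError):
            return False, "malformed envelope"


def demo() -> dict:
    """Exercise the cases a defender cares about and return each verdict."""
    verifier = Verifier(DEMO_KEY)
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible

    # 1. Legitimate message, verified a few seconds after signing.
    msg = sign_message(DEMO_KEY, {"action": "transfer", "amount": 100}, now=t0, nonce="n1")
    valid_ok, valid_reason = verifier.verify(msg, now=t0 + 5)

    # 2. Same message with the amount altered in transit: HMAC no longer matches.
    tampered = json.loads(json.dumps(msg))
    tampered["payload"]["amount"] = 100000
    tamper_ok, tamper_reason = verifier.verify(tampered, now=t0 + 5)

    # 3. The original, valid message submitted a second time: nonce already seen.
    replay_ok, replay_reason = verifier.verify(msg, now=t0 + 10)

    # 4. A correctly signed message presented an hour late: outside the skew window.
    stale = sign_message(DEMO_KEY, {"action": "ping"}, now=t0, nonce="n2")
    stale_ok, stale_reason = verifier.verify(stale, now=t0 + 3600)

    return {
        "valid": (valid_ok, valid_reason),
        "tampered": (tamper_ok, tamper_reason),
        "replayed": (replay_ok, replay_reason),
        "stale": (stale_ok, stale_reason),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The signature is checked before the timestamp and nonce so that an unauthenticated sender cannot probe the replay cache or the skew window; the nonce is recorded only after a message fully passes, so a rejected message never poisons the cache.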
Secure Coding Training Class: Mobile AppSec Triathlon
Do you have what it takes to complete a triathlon on three vital topics in the mobile world: Mobile application security, web services security, and mobile identity management?
Come join two leading experts, Gunnar Peterson and Ken van Wyk, for the first Mobile App Security Triathlon, in San Jose, California, on November 2-4, 2011.
Headlines like those seen over the last month really just reinforce the fact that not all certificate authorities (CAs) or SSL certificates are created equal. It’s important for organizations to choose their CA carefully to ensure they have thorough and effective authentication processes and procedures in place. Organizations should also ensure that the CAs publish these policies and undergo rigorous security audits. In addition, it is time to “raise the bar” on standards for CAs. CAs should implement best practices to hire only trusted individuals and adequately protect their infrastructure to prevent potential breaches. One of my colleagues at Symantec posted more here, which might be helpful to your readers: http://bit.ly/qR126K
Posted by: Don Baker | September 27, 2011 at 05:13 PM
@Don Baker - I think you're missing the point. Google didn't use or choose DigiNotar as their CA, and false wildcard SSL certs for google.com were able to be generated anyway. In fact, it looks like they use Equifax. So whilst it's important to choose a reputable CA for the reasons your colleague identifies, in this instance that would not have prevented Google from being subject to this attack.
-David
Posted by: david | September 28, 2011 at 10:01 PM