

Don Baker

Headlines like those seen over the last month really just reinforce the fact that not all certificate authorities (CAs) or SSL certificates are created equal. It’s important for organizations to choose their CA carefully to ensure they have thorough and effective authentication processes and procedures in place. Organizations should also ensure that the CAs publish these policies and undergo rigorous security audits. In addition, it is time to “raise the bar” on standards for CAs. CAs should implement best practices to hire only trusted individuals and adequately protect their infrastructure to prevent potential breaches. One of my colleagues at Symantec posted more here, which might be helpful to your readers: http://bit.ly/qR126K


@Don Baker - I think you're missing the point. Google didn't use or choose DigiNotar as their CA, and yet false wildcard SSL certs for google.com were still able to be generated. In fact, it looks like they use Equifax. So whilst it's important to choose a reputable CA for the reasons your colleague identifies, in this instance that would not have prevented Google from being subject to this attack.

