VeriSign Breach May Actually Reaffirm Commitment To CA Model

Proposals, like DANE, to roll up certificate issuance into DNS show that trusting domain registrars just as risky as trusting CAs
Regardless of whether the SSL business VeriSign sold to Symantec was compromised in the 2010 security breach that came to light last week, security experts believe the breach still has Web authentication ramifications. Some pundits say the incident should be held up as an example of why DNS-based authentication on the back of DNSSEC is not going to solve the trust issues people have with certificate authorities -- it just transfers trust to entities equally vulnerable to attack.

"There are a number of people who see embedding certificate information into the DNS and signing it into DNSSEC as the magic bullet to solve this CA problem and the Web browser trust problem," says Jeff Schmidt, founder and CEO of JAS Global Advisors, a consulting firm specializing in IT, risk governance, and strategic technology risk. "In fact, that's not true. You're just moving the problem around. In the very specific instance where I open my machine and go to, and I need someone to assure me the site that is displayed is actually and not something run by the Russian mafia, whether that problem is solved by a CA or the DNS or something else, I have to trust somebody. The question then becomes, who do I trust?"

Immediately following the announcement of the breach, many security insiders were quick to point at the incident as yet another big CA breach that shakes the trust in SSL. However, though all indicators point to the fact that even VeriSign is not sure about exactly what assets were compromised in breach, Symantec said in a statement that it doesn't believe that attack affected the SSL business it acquired after the breach.

"Symantec takes the security and proper functionality of its solutions very seriously," a Symantec spokesperson said. "The Trust Services (SSL), User Authentication (VIP, PKI, FDS) and other production systems acquired by Symantec were not compromised by the corporate network security breach mentioned in the VeriSign, Inc. quarterly filing."

[Researcher points to fundamental problems in SSL and DNSSEC, and says it's time for users to take control of trust. See Time For A Better Web Of Trust?. ]

The SSL business could have made an attractive target, but it would have made just as much sense for sophisticated attackers to go after VeriSign's other infrastructure, Schmidt says.

"They have their contract with the Department of Commerce to run significant parts of the Internet infrastructure, particularly the DNS root as well as running the largest two top level domains," he says. "So they do have a lot of really important behind-the-scenes stuff, and it doesn't surprise me at all that the bad guys know that and have targeted them."

If the attackers were able to compromise any part of VeriSign's domain registry business, it shows the problem with the proposal set out by the DNS-based Authentication of Named Entities (DANE) Working Group at the IETF, which hopes to circumvent trust in CAs by rolling it up into the domain registry. This breach may well blow that idea out of the water, says Tim Moses, director of advance security at Entrust and chairman of the CA/Browser Forum.

"So there's a part of the Internet community that's always been very suspicious of the SSL CAs. With the arrival of DNSSEC, they think they've identified a way of basically replacing the CAs," he says. "Currently the SSL CA has to confirm the identity of the certificate applicant, and they have to go to the registrar and say, 'Did you register these people with this domain name?' So the [DANE] school of thought says, 'Why don't we cut out that step and just ask the registrar to issue the certificate?'" Cutting out a step and cutting some costs may sound plausible, says Moses, but it definitely won't improve security.

"It's based on the unspoken idea that the registrars are going to be just as good or better at securing keys as the CAs are," he says. "I think incidents like this drive home the question mark over that proposal." Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.