
VeriSign Attack – Is this the tip of the iceberg for SSL Attacks?

February 2012 by VeriSign

VeriSign has revealed that hackers stole undisclosed information on numerous occasions. Below is a comment responding to this story from Rob Rachwald, Director of Security Strategy at Imperva:

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published.

The article speculates that penetrating SSL certificates may have been a key target of the attack.

Until August 2010, VeriSign was one of the largest providers of Secure Sockets Layer certificates, which Web browsers look for when connecting users to sites that begin "https," including most financial sites and some email and other communications portals.

If the SSL process were corrupted, "you could create a Bank of America certificate or Google certificate that is trusted by every browser in the world," said prominent security consultant Dmitri Alperovich, president of Asymmetric Cyber Operations.

This shouldn’t surprise anyone. As we wrote late in 2011, while a growing number of web applications are delivered over the HTTPS protocol (HTTP over SSL), attackers are increasingly focusing their attacks against the various components of SSL. We are seeing a rise in attacks which target the worldwide infrastructure that supports SSL. We expect these attacks to reach a tipping point in 2012 which, in turn, will invoke a serious discussion about real alternatives for secure web communications. The VeriSign attack highlights that the tipping point may have actually arrived in 2011.

