Symantec To Buy VeriSign's Authentication Business
"Security giant Symantec is taking another step toward global domination of the information security market with the purchase of VeriSign's authentication business. Back in April it purchased PGP Corporation and GuardianEdge. VeriSign is the best known Certificate Authority; they are virtually synonymous with certificates for SSL and PKI. It seems like this could dilute the trust value of their brand rather than enhance it. It is not clear yet what effects this will have on VeriSign customers but the cynic in me says it can't be good. In terms of putting all your eggs in one basket, this will sure make Symantec a juicy target for hackers (as if they weren't already). Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure."
FP (Score:5, Insightful)
Three models (Score:5, Insightful)
If security is the problem, certificates are basically never a good answer.
How else should I be sure that I am communicating with the entity I think I am communicating with? I can think of three models: certificate authority, web of trust, and key continuity management. If you're referring to key continuity management, the approach used by SSH that makes sure that the key you're using matches the key you used last time, that doesn't work if you're behind an ISP that's all MITM all the time. (Yes, these exist in the wild; see bug 460374 at bugzilla.mozilla.org.) If you're referring to a web of trust based on the Bacon number of mutual face-to-face meetings at key signing parties between you and a company's CIO, that doesn't work for people who can't attend such parties in major-league cities.
Re: (Score:3, Insightful)
It does (to a ridiculous degree of security, but not perfectly of course) guarantee that you're communicating with someone that VeriSign says is the entity you think you're communicating with. If you trust VeriSign (and essentially the entire internet does by default) then you can be sure.
Although Thawte is apparently a bit better, I've never had any reason to distrust VeriSign. But I definitely do not trust Symantec. Their "internet security suite" is what we in the biz like to call shitware.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
That's all nice and dandy, but it's also completely unfeasible. The problem isn't "how can I communicate completely securely", it's "how can anyone using a computer communicate with another through the Internet in the most secure way possible?"
HTTPS may be flawed, but it's the best solution we got. Yours isn't a solution to the given problem.
Re: (Score:3, Interesting)
Doubly so given all the various articles posted here on flaws in SSL safety - starting, many years ago, with someone obtaining Microsoft's root certificates by, well, asking for them. The use of NULLs to produce fake certificates that seem valid, the breakage of MD5-secured SSL certificates -- there has been no shortage of problems for the approach.
The idea of webs of trust is that you can't go out and physically verify the path but you CAN ask others if they're confident that X really is X. In the event th
Re: (Score:2)
Who do I really need secure communications with?
My email provider, for one. That's tricky. My email provider is Google atm, so I pretty much have to trust a certificate signer if I want to use gmail over https.
But the other one is my bank. I'm totally cool with going to the branch office and picking up a biz-card CD, bar code, or whatever with the Bank's public key on it. Why should I have to trust a third party? Because my bank is lazy?
Re: (Score:1)
Re: (Score:2)
Who do I really need secure communications with?
Any site that authenticates you using a name and password, for one, at least until every little blog, forum, and wiki starts taking your Gmail account over OpenID [google.com].
I'm totally cool with going to the branch office and picking up a biz-card CD, bar code, or whatever with the Bank's public key on it.
Some banks probably don't have branches in your area, such as Ally.
Re: (Score:2)
I dunno if I want to put my money in a bank I can't visit ever...
Re: (Score:2)
Consider that one of the biggest areas of vulnerabilities is social engineering. If you trust the person behind the till (about whom you know nothing) to hand you a legitimate public key (which, without a third party, you can't verify), then fine and good. On the other hand, if that same unknown (who might easily be a social engineer who has bluffed his or her way to the counter) hands you a fake key and you CAN verify it by verifying that it has been counter-signed by someone you independently trust, THEN yo
Re: (Score:2)
DNSSEC + RFC 2538
Re: (Score:2)
Oops, that RFC is obsoleted ... but you get the idea I hope.
Re: (Score:2)
Re: (Score:1, Insightful)
Try to implement https per spec. Make sure to have nothing sharp near you. Then you will understand.
Re:Three models (Score:4, Interesting)
Certificates are good and bad. If used in a smart WOT, they are great because if you have multiple people trusting someone, you know you are almost certain that that key belongs to that person.
The bad is just blindly trusting root certificates, especially certs from countries who are hostile to the West, and who would be happy to certify with their CA a key belonging to a known bank, then occasionally poisoning DNS or routing queries to the fake site, so they don't get immediately caught.
The best might be a combination of all three. You have a "security cache" of keys or signed keys of places and people you have previously interacted with, which is crucial for ssh for the most secure communications. Next, you have a WOT with people you know trusting or not. Finally, you have a CA which may actually be valid, or not. CAs are really a part of WOT, and should be considered with little or no trust, compared to someone coming with (to continue the parent's example) a high Bacon number to yours. The only problem is someone who isn't familiar with a WOT giving a key higher trust than it deserves, but infiltration happens in every network, and with PGP or gpg, it is easy to mark a person's signatures as untrustworthy.
This reminds me of something different: Maybe it is time to get people and start doing PGP/gpg keysigning parties [1] again. This way,
[1]: Of course, there is the proper way of doing the key stuff. Send a list of public keys to the host, host prints out a list for everyone. Everyone then brings a copy of their key ID and hashes. Then go around matching the keys to the individual, perhaps asking for IDs, then circling the ones which pass the validity test. This way, no computers are used, and it is much harder to "compromise" someone's piece of paper showing vetted keys in the length of time it takes for them to leave the party and get home to sign everyone's keys and push the signatures to keyservers.
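An added example, not code from this thread or from any vendor it names, modelling the three trust models the parent post lists (key continuity as in SSH, web of trust, certificate authority) and the combination this post proposes, with a continuity mismatch overriding everything else. Keys, endorsement records and CA issuance are constructed placeholders (bank.example, RogueCA, alice, bob) rather than real signatures; the scenario is the "MITM all the time" ISP from the parent post and the blindly trusted root from this one.

```python
import hashlib

def fingerprint(pubkey: bytes) -> str:
    """Short SHA-256 fingerprint, the value a person compares by eye."""
    return hashlib.sha256(pubkey).hexdigest()[:16]

class KeyContinuity:
    """Trust-on-first-use cache in the style of SSH's known_hosts."""
    def __init__(self):
        self.known = {}  # peer name -> fingerprint first seen

    def check(self, peer: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        if peer not in self.known:
            self.known[peer] = fp        # nothing to compare against yet
            return "first-use"
        return "match" if self.known[peer] == fp else "mismatch"

def wot_endorsers(fp, endorsements, trusted_signers) -> int:
    """Number of distinct signers the user trusts who vouch for fp."""
    return len({s for s, f in endorsements if f == fp and s in trusted_signers})

def ca_vouches(fp, ca_issued, trusted_cas) -> bool:
    """True if a CA in the local trust store issued a certificate for fp."""
    return any(ca in trusted_cas for ca, f in ca_issued if f == fp)

def decide(peer, pubkey, store, endorsements, trusted_signers,
           ca_issued, trusted_cas, min_endorsers=2) -> str:
    """Combine the three models; a continuity mismatch always wins."""
    fp = fingerprint(pubkey)
    continuity = store.check(peer, pubkey)
    if continuity == "mismatch":
        return "reject: key differs from last contact"
    if wot_endorsers(fp, endorsements, trusted_signers) >= min_endorsers:
        return "accept: web of trust"
    if ca_vouches(fp, ca_issued, trusted_cas):
        return "accept: certificate authority"
    if continuity == "match":
        return "accept: continuity only"
    return "unverified: first contact, no corroboration"

# Constructed scenario: the user's bank, and an interceptor present from the
# very first connection (the "all MITM all the time" ISP of the parent post).
BANK_KEY = b"constructed bank public key"
MITM_KEY = b"constructed interceptor public key"
TRUSTED_SIGNERS = {"alice", "bob"}          # people met at a keysigning party
ENDORSEMENTS = [("alice", fingerprint(BANK_KEY)), ("bob", fingerprint(BANK_KEY))]
TRUSTED_CAS = {"RogueCA"}                   # a root the OS ships but nobody vetted
CA_ISSUED = [("RogueCA", fingerprint(MITM_KEY))]  # it certified the interceptor

def demo() -> dict:
    fresh = KeyContinuity()
    mitm_first = decide("bank.example", MITM_KEY, fresh, ENDORSEMENTS,
                        TRUSTED_SIGNERS, CA_ISSUED, TRUSTED_CAS)
    fresh2 = KeyContinuity()
    bank_first = decide("bank.example", BANK_KEY, fresh2, ENDORSEMENTS,
                        TRUSTED_SIGNERS, CA_ISSUED, TRUSTED_CAS)
    mitm_later = decide("bank.example", MITM_KEY, fresh2, ENDORSEMENTS,
                        TRUSTED_SIGNERS, CA_ISSUED, TRUSTED_CAS)
    return {"mitm_on_first_contact": mitm_first,   # CA alone waves it through
            "bank_on_first_contact": bank_first,   # two trusted endorsers suffice
            "mitm_after_bank_known": mitm_later}   # continuity cache catches it

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The first verdict is the weak spot both posts describe: with no prior contact and no endorsers, a trusted-but-unvetted root is the only thing standing between the user and the interceptor.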
Re: (Score:2)
HTTP already has mechanisms to validate and secure data, which no one can patent as it's a standard
Care to explain which mechanisms these happen to be? I've got a Google Search input field ready to take keywords or RFC numbers.
Re:FP (Score:5, Funny)
Oh look, Darth Vader has switched allegiances... to Sauron!
Re:FP (Score:5, Funny)
Actually, I think it's great. Symantec builds lousy, overpriced products, Verisign sells insufficiently verified, overpriced EV certificates. It's a match made in heaven. Better yet, we only have to hate one company instead of two, because what's left of Verisign should be mostly harmless.
Re: (Score:2)
Well yeah except HP is the other company who is buying up all the crap software; so now we only have Symantec and HP to hate, oh and I guess Novell (kernel) Microsoft (everything), Apple (Flash), Google (Streetview), IBM (malware) and Oracle (OpenSolaris). Wow, thinking about it, can any company do anything right?
I actually tried PGP Desktop 10 the other day and it really is rubbish for 180 quid. Their registration server has been offline for 5 years; their software won't work with any OpenPGP keyservers.
Sea
Re: (Score:2)
Similarly, imagine how easy it is for governments and security agencies to get access to all this stuff when it's from the one compromised company.
Re: (Score:1)
Everything it sells it bought somewhere, added its logo, and made it slower...
I think you figured it out. They use a 150GB logo file and just use height and width tags to shrink it to the right display size. That explains the slower-ness.
Re:Personal certificates aren't THAT profitable.. (Score:1)
Verisign's milk cow is their SSL certificates for websites.
They need a huge infrastructure to analyse and issue personal certificates. Profit margins are a lot lower in this case.
They're just cutting a not-so-profitable business and keeping their main income untouched.
Surely they can't... (Score:5, Funny)
Re:Surely they can't... (Score:5, Funny)
And once you install an SSL certificate, you'll never be able to completely remove it.
Re: (Score:1)
VM with a restore point is my answer.
Re: (Score:2)
They actually plan on making it like a worm, where it will check if the SSL Cert is there before duplicating it, but tricking applications into duplicating it anyways regardless of whether it's there or not.
Thus every time you visit a site with an SSL cert, you bog down your computer just a little bit more.
Re:Surely they can't... (Score:5, Funny)
Your computer is at risk!
Your Symantec SSL subscription has expired. All your secrets are visible to all users on the Internet. Click HERE to renew your Symantec SSL subscription.
Re: (Score:2)
And by funny, it would be "ha....ha....oh
Re: (Score:2)
For a limited time, get a free cert to use on any other system. Just copy this link onto another computer, click on it, and your FREE certificate will secure your system against unknown threats.
Re: (Score:1)
Homer Simpson: NOOOOOO my secrets!
One single point of failure (Score:1)
Re: (Score:2)
Actually, tons of points of failure, each of which is equally critical. The PKI infrastructure is fundamentally flawed. Control VeriSign and you don't control the bulk of the Internet's public key infrastructure; you control the entirety of the Internet's public key infrastructure. Or you could control any other CA, or even any other intermediate CA. All it takes is one rogue or compromised CA to sign anything and everything that the attacker wants.
Better than hacking one company... (Score:3, Insightful)
instead, imagine you were a government official with no interest in civil rights and could quietly "persuade" one company and have access to the Root Certificate Authority...
Re: (Score:2)
Imagine one company controlled this and PGP too. Oh wait...
There's a lot of eggs ending up in one basket here...
Windows sector dragging rest of Internet down (Score:1, Redundant)
...into a black hole. These Symantec / Verisign / PGP mergers show how the utterly decrepit Windows PC market failure (desktop monopoly, plus a small handful of app vendors like Symantec) has made the Internet much more treacherous by failing to deliver reasonably secure systems. And now these incompetent and greedy beasts (who are in fact more interested in hobbling our computers to keep us on that 3-year upgrade cycle) are going to finish the job by devouring important Internet institutions.
Symantec: The
Surprised EMC didn't outbid them (Score:2)
I'm surprised that EMC didn't outbid them to get the Verisign certificate business, as well as for PGP earlier. It seems like it would have been a great fit with RSA, and EMC has oodles of cash for acquisitions.
Re: (Score:2)
Since Symantec has multiple backup programs, I really wish they would take the codebases of their two lines, and use them to make a really good next generation backup program, that eventually would phase out both BE and NetBackup.
For example, NetBackup allows for bare metal restores. But as soon as you restore, you must re-backup the box. Why not offer a facility to use the bare metal feature as a way to clone? Or shouldn't synthetic full backups be an innate part of the structure, like it is with TSM an
But surely they run antivirus (Score:5, Funny)
Imagine you could hack [Symantec] and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure.
I'm sure they buy anti-virus and firewall software from a reputable vendor.
as juicy targets go... (Score:2)
Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure
Sure, that'd be a nightmare, if it was possible to "hack a company". If Symantec has any sense at all (and as a security company, they just might) they will keep the certificate authority separate from the antivirus update servers. There is no reason why rooting either one should be able to get you the other, whether they're controlled by the same company or not.
Re: (Score:2)
Well in the name of making everything more profitable and cheaper the consolidation of services will be done so that sooner or later the two offerings (AV and certs) will meet on the same server and an intruder will only need to root one machine. It's all about making money in every which way so the above is more true than anyone would like to think. Yes it is friggin sad.
Re: (Score:2)
More likely, they'll use a Hardware Security Module, which is pretty tough. So far, I'm not aware of any remote vulnerabilities in them.
They usually even have pretty good physical security.
Re: (Score:2)
HSMs are pretty good. But if you manage to gain access as an authorized user or role with access to the key, you can go slaphappy signing/decrypting anything you want. And if this is a CA cert that is the top level for an enterprise, or a certificate signing an application, it might cause all kinds of trouble.
This also applies to smart cards. I'm sure eventually there will be malware that can do a MITM attack when a user is using a smart card.
Re: (Score:2)
"HSMs are pretty good. But if you manage to gain access as an authorized user or role with access to the key"
That's the reason behind the HSMs. NOBODY can access the root key inside them. Usually, the root private key is kept under strict physical security (http://en.wikipedia.org/wiki/Key_Ceremony).
Also, ability to sign certificates doesn't allow you to decrypt the users' data. It only allows you to do a transparent MITM.
Symantec & information security (Score:4, Interesting)
Not related to SSL and stuff like that, but anyway: a few years ago I got a job doing technical support for Symantec. During training, I was first embedded with the customer service people, and watched them sit and talk to customers, while they took down credit card numbers and other details on paper, which were later thrown out with the general office trash.
A few days later I was supposed to do "technical training" with the so-called 2nd line support... The day I had to explain to one of them how to unlock the taskbar on Windows XP was the day I quit - after a total of 6 or 7 days of employment.
And who buys their stuff anyway? I haven't touched any of it since then so I don't know if anything has improved, but I remember how the Norton Security packages' idea of protecting the computer was to slow it down to a crawl and basically block everything. Not to mention what a mess it is (was?) to remove it from the system...
Re: (Score:2)
Few people that are sane buy their product; their main customers are OEMs, who they pay assloads to preinstall their shit, and the computer illiterate. The only even semi-ok Symantec product is the corporate version, but even that sucks big donkey dick. I have also worked with their nightmare of a backup system, it is just as much crap. Oh and their support is even worse (source: GP)
Re: (Score:3, Interesting)
Most people make most of their purchases based on a blend of emotion and awareness. Computers are ubiquitous, computer skills are not. Therefore, there's a thriving market for products whose advertising makes you afraid of something and then they sell you the solution. It's the same in every industry. Symantec has a big name and they have lots of ads and people are afraid of the things their products pretend to protect them from. So it's a business model. And it doesn't matter if it's a shitty product if 95
Re: (Score:1)
Re: (Score:2)
Just like the PP, if I were to recommend an A/V defense to someone, I'd rather take the method of having strong locks on the doors as opposed to an alarm system that notifies if someone is already in. Here is what I'd do with Windows:
First barrier to entry: A true hardware firewalling router. Unless the machine is a laptop which travels around, desktop boxes should not be facing the Internet if at all possible (and they are not doing server functions). Some services can be handled either by a port forward
So, is Peter Norton going to show up? (Score:2)
Re: (Score:2)
In a godawful pink shirt [slashdot.org]...
Re: (Score:2)
Sorry, screwed the link [wikimedia.org]
the end is nigh (Score:3, Insightful)
Symantec, as the guardian of 'net security? (Score:3, Insightful)
it's business (Score:3, Insightful)
This is called diversification. Anti-virus is their flagship product, but the "benefit of the benefit" as they say in marketing is the warm fuzzy feeling of being secure. Well, certificates make people feel secure the same way AV does, so it fits the brand, so they're going to sell them. It's a great investment for them, I'm sure they'll make money on this deal.
All the time here on Slashdot I see people trying to read a technological message in a business decision or action. If you're puzzled or outraged by whatever Apple or Symantec or whoever are up to, just follow the dollar signs. This makes business sense and there's nothing more outrageous about Symantec selling certs than anyone else. Really. It's just business. There's no meaning here.
Re: (Score:2)
If they get PGP and GuardianEdge with this deal too, average computers will be as open to federal agents as the US telco system is today.
The ability of the feds to secure a person's electronic papers, by remote "reasonable" searches
Re: (Score:1)
Re: (Score:2)
That's certainly an interesting take on it, but the government lately has been making it pretty clear that when they want something, they get it whether or not the firm is “cooperative.” Besides that, I don't think SSL is used to protect the kinds of communications the government would like to snoop. There's dozens of steganography programs out there you can use to hide malicious data out in the open with little chance of detection, and there are much stronger forms of encryption available that
Re: (Score:2)
No, you are Wrong (Score:2)
Symantec are not Google or Apple or even Microsoft. They will not even be Verisign after acquiring that company. Not all corporations have the same work culture and Symantec in particular are a bunch of MBAs who are sucking the life out of the computing field. If they all spontaneously combusted today, they would not be missed by anyone but their shareholders for more than 5 minutes.
Hmm... what will change? (Score:2)
Let's see. Symantec makes overpriced, underperforming security software you can't get rid of in a glossy, well designed box.
So, essentially, the "secured by VeriSign" logo will look better.
... but smell worse. (Score:2)
... but smell worse.
Cheers,
Symantec gives me headaches (Score:3, Insightful)
The two Symantec products I use are the AV client / server line and Backup Exec. Both of which cause me nothing but trouble. This is going to be bad for everyone.
Re: (Score:2)
Sigh... Backup Exec was so awesome before it got bought by Symantec.. So simple, and easy..
Symantec has turned into the modern-day CA. It's where good products go to die.
Really, how is CA still in business? Most people can't even name their products!
Re: (Score:2)
Symantec and the Feds (Score:3, Informative)
http://en.wikipedia.org/wiki/Magic_Lantern_(software)#Symantec
Then you have Symantec wanting to acquire the encryption companies PGP and GuardianEdge.
Soon many PCs will run end-to-end Symantec solutions for all their data security.
Symantec: "The FBI's most trusted antiprivacy solution"
Re: (Score:1, Interesting)
Devil's advocate here: If a backdoor was found in PGP, (and so far none have been found, although there was the ADK issue about a decade ago), the company would be out of business immediately. People would ditch PGP for another solution in a heartbeat.
Already, PointSec, BestCrypt, or TrueCrypt offer hard disk encryption. Encryption of files can be done by gpg, and folders by tar or zip and gpg. Virtual hard disks can be created in BestCrypt, TrueCrypt, or FreeOTFE. Public/private keys can be handled by
Re: (Score:2)
That's the problem, the spooks can get their fast-to-plaintext hooks into most private products via patriotism, faith, profits, blackmail or the "promotion" of a more gov friendly competitor.
By the time "public" maths and historians work out that it was all 'fixed', a generation has moved on. Investing in the next round of expensive, useless private solution.
Re: (Score:2)
That is nice to think but nobody can replace PGP at this point. As you point out in your post there are other technical and in many cases better solutions to everything PGP does; really does not matter though. PGP is entrenched, in government and guess what government spending is AT LEAST 1/6th of the GDP now. Want to work with the DOD you have to use PGP. If you are already doing PGP with your biggest client you are going to prefer to use the same solution as much as possible. PGP is safe from all the
Defacto Identity Authorty in For-Profit Hands? (Score:1)
Something as fundamental to business and security on the internet as a certificate authority shouldn't be at the mercy of a private, for-profit business. Imagine if passports or driver's licences were controlled by a private company who could sell that operation to anyone they wanted.
Even if Symantec were the most honest and scrupulous company in the world, that could all change with no input from the real stake-holders, i.e. virtually everyone who uses the internet. They could make a mistake in their secur
Re: (Score:1)
shouldn't be at the mercy of a private, for-profit business.
So you'd rather trust the government or the church? There are many companies in the cert business and nobody is forcing you to use one over another.
Re: (Score:1)
Yes I'd rather trust my government for issuing ID credentials. Would you trust a privately issued birth-certificate or passport over a government-issued one?
There are of course plenty of governments around the world who I wouldn't trust to do this, but there are plenty (including mine) who I would trust more than any private company in this area.
A private company is more likely to be bought, have their business practices changed in secret, or put profit above best-practice than the government of a develop
Re: (Score:1)
Certs have to be centrally stored somewhere, and you want to give the government all the information willingly?
The government of a developed, democratic nation
I do remember the US invaded Iraq under false pretenses and got away with it.
Re: (Score:1)
Re: (Score:1)
not again... (Score:1)
Noooo.....
Every time I kill off my "last" Symantec app, they buy something else I'm using. It takes them 12-18 months to kill a product, and it takes me 24 months to swap it out.
Security Systems (Score:2)
Theora: What if some really dangerous people got control of it?
Murray: Who do you think controls it now?