10 Feb: When Certificate Authority Business Models and Vendor Certificate Policies Clash, by Kurt Baumgartner
04 Jan: The Top 10 Security Stories of 2011, by Costin Raiu
05 Oct: Kaspersky Lab at Virus Bulletin 2011, by Ryan Naraine
A very important "internet trust" discussion is underway, one that has been kept behind closed doors for years and in part still is. The Comodo, DigiNotar and VeriSign Certificate Authority breaches forced discussion and action into the open; this time the trigger for the "dissolution of trust" debate seems to have been volunteered by Trustwave's policy clarification, and by the follow-up discussion on Mozilla's Bugzilla tracker and on the mozilla.dev.security.policy list.
The issue at hand is the willful issuance of subordinate CA certificates from trusted roots for "managing encrypted traffic", which in practice means MitM eavesdropping, or wiretapping, of SSL/TLS-encrypted communications. Because such a subordinate chains to a root the client already trusts, a browser or application presented with a forged certificate for Twitter, Gmail, Facebook, a banking site or any other sensitive site validates it without complaint, and the user's supposedly secure session is sniffed without any warning. An active marketplace of hardware appliances has been built around tapping these communications. In certain lawful situations this may be argued as legitimate, as with certain known DLP solutions inside corporations; but even then, corporations have other ways to implement DLP. Why even have CAs if their trust is so easily co-opted? The arbitrary issuance of these certificates without proper oversight or auditing, measured against the CA policies of browser vendors and of the other software that ships a trust store on servers and desktops (NSS, for example), is at the heart of the matter. Should browser, OS and server software vendors continue to extend trust to these Certificate Authorities when the CAs' activities conflict with the software vendors' CA policies?
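The mechanism described above, as an added example that is not code from the original post: an OpenSSL shell script builds a throwaway PKI (a root, an unconstrained subordinate CA and a name-constrained one) and issues a forged leaf certificate for twitter.com, a hostname chosen purely for illustration. All keys, names, the `.corp.example` constraint and the "genuine" site key are constructed for the demo. It shows that the forged leaf validates against the root exactly as a browser would accept it, then shows the two checks a practitioner would want: a `nameConstraints` extension on the subordinate makes the same leaf fail path validation, and an SPKI pin against the site's real key catches the substitution even though the chain is valid.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway PKI showing how an
# unconstrained subordinate CA issued from a trusted root lets a forged leaf for
# "twitter.com" validate in any client that trusts the root, and two checks that
# catch it: X.509 name constraints on the sub-CA and SPKI public-key pinning.
# All names, keys, the .corp.example constraint and genuine.key are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_sub_constrained]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
nameConstraints = critical, permitted;DNS:.corp.example
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:twitter.com
EOF

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
csr()     { openssl req -new -config pki.cnf -key "$1" -subj "$2" -out "$3" 2>/dev/null; }
# Sign CSR $1 with issuer cert $2 / key $3, applying extension section $4, writing $5.
sign()    { openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 30 \
              -extfile pki.cnf -extensions "$4" -out "$5" 2>/dev/null; }

build_pki() {
  gen_key root.key; gen_key sub.key; gen_key sub_nc.key; gen_key leaf.key; gen_key genuine.key
  csr root.key "/CN=Example Trusted Root" root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile pki.cnf -extensions v3_root -out root.pem 2>/dev/null
  csr sub.key    "/CN=Interception Sub-CA" sub.csr
  csr sub_nc.key "/CN=Constrained Sub-CA"  sub_nc.csr
  sign sub.csr    root.pem root.key v3_sub             sub.pem
  sign sub_nc.csr root.pem root.key v3_sub_constrained sub_nc.pem
  # One forged CSR for twitter.com, issued once by each subordinate CA.
  csr leaf.key "/CN=twitter.com" leaf.csr
  sign leaf.csr sub.pem    sub.key    v3_leaf leaf.pem
  sign leaf.csr sub_nc.pem sub_nc.key v3_leaf leaf_nc.pem
}

# Exit 0 iff leaf $3 chains to trust anchor $1 through intermediate $2 and matches hostname $4.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1; }

# SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded (the usual pin format).
cert_pin() { openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null \
             | openssl dgst -sha256 -binary | openssl base64; }
key_pin()  { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
             | openssl dgst -sha256 -binary | openssl base64; }
# $1 expected pin, $2 presented certificate
pin_matches() { [ "$(cert_pin "$2")" = "$1" ]; }

verdict() { "$@" >/dev/null 2>&1 && echo accepted || echo rejected; }

build_pki
echo "forged leaf via unconstrained sub-CA:       $(verdict chain_ok root.pem sub.pem leaf.pem twitter.com)"
echo "same leaf via name-constrained sub-CA:      $(verdict chain_ok root.pem sub_nc.pem leaf_nc.pem twitter.com)"
echo "forged leaf against the site's real key pin: $(verdict pin_matches "$(key_pin genuine.key)" leaf.pem)"
```

The first line prints `accepted`: nothing in path validation distinguishes the interception sub-CA from a legitimate one, which is the whole point of the Trustwave dispute. Name constraints only help if the CA issues the subordinate that way (and the client honours the extension), so they are a CA-side control that the policy discussion is really about; the pin is the client-side check that works regardless of what the CA did, at the cost of having to know the site's key in advance.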
BARCELONA -- The annual Virus Bulletin conference kicks off here tomorrow with anti-malware researchers discussing a wide range of important issues facing the industry.
Researchers from Kaspersky Lab will have a major presence at the conference this year -- nine speaker slots! -- with talks on the cyber-crime underground, mobile (Android) malware, web application security and social network threats.
I'd like to call attention to a few of the important Kaspersky Lab presentations: