Slashdot Mirror


Symantec To Buy VeriSign's Authentication Business

overThruster writes "Security giant Symantec is taking another step toward global domination of the information security market with the purchase of VeriSign's authentication business. Back in April it purchased PGP Corporation and GuardianEdge. VeriSign is the best known Certificate Authority; they are virtually synonymous with certificates for SSL and PKI. It seems like this could dilute the trust value of their brand rather than enhance it. It is not clear yet what effects this will have on VeriSign customers but the cynic in me says it can't be good. In terms of putting all your eggs in one basket, this will sure make Symantec a juicy target for hackers (as if they weren't already). Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure."

2 of 97 comments (clear)

  1. Symantec & information security by Zedrick · · Score: 3, Interesting

    ha ha ha.

    Not related to SSL and stuff like that, but anyway: a few years ago I got a job working doing technical support for Symantec. During training, I was first embedded with the customer service-people, and watched them sit talk to customers, while they took down credit card numbers and other details on paper, which were later thrown out the the general office-trash.

    A few days later I was supposed to do "technical training" with the so-called 2nd line support... The day I had to explain to one of them how to unlock the taskbar on Windows XP was the day I quit - after a total of 6 or 7 days of employment.

    And who buys their stuff anyway? I haven't touched any of it since then so I don't know if anything has improved, but I remember how the Norton Security-packages idea of protecting the computer was to slow it down to a crawl and basically block everything. Not to mention what a mess it is (was?) to remove it from the system...

  2. Re:Three models by mlts · · Score: 3, Interesting

    Certificates are good and bad. If used in a smart WOT, they are great because if you have multiple people trusting someone, you know you are almost certain that that key belongs to that person.

    The bad is just blindly trusting root certificates, especially certs from countries who are hostile to the West, and who would be happy to certify with their CA a key belonging to a known bank, then occasionally poisoning DNS or routing queries to the fake site, so they don't get immediately caught.

    The best might be a combination all three. You have a "security cache" of keys or signed keys of places and people you have previously interacted with, which is crucial for ssh for the most secure communications. Next, you have a WOT with people you know trusting or not. Finally, you have a CA which may actually be valid, or not. CAs are really a part of WOT, and should be considered with little or no trust, compared to someone coming with (to continue the parent's example) a high Bacon number to yours. The only problem is someone who isn't familar with a WOT giving a key too high a trust that it deserves, but infiltration happens in every network, and with PGP or gpg, it is easy to mark a person's signatures as untrustworthy.

    This reminds me of something different: Maybe it is time to get people and start doing PGP/gpg keysigning parties [1] again. This way,

    [1]: Of course, there is the proper way of doing the key stuff. Send a list of public keys to the host, host prints out a list for everyone. Everyone then brings a copy of their key ID and hashes. Then go around matching the keys to the individual, perhaps asking for IDs, then circling the ones which pass the validity test. This way, no computers are used, and it is much harder to "compromise" someone's piece of paper showing vetted keys in the length of time it takes for them to leave the party and get home to sign everyone's keys and push the signatures to keyservers.