Slashdot Mirror


Symantec To Buy VeriSign's Authentication Business

overThruster writes "Security giant Symantec is taking another step toward global domination of the information security market with the purchase of VeriSign's authentication business. Back in April it purchased PGP Corporation and GuardianEdge. VeriSign is the best known Certificate Authority; they are virtually synonymous with certificates for SSL and PKI. It seems like this could dilute the trust value of their brand rather than enhance it. It is not clear yet what effects this will have on VeriSign customers but the cynic in me says it can't be good. In terms of putting all your eggs in one basket, this will sure make Symantec a juicy target for hackers (as if they weren't already). Imagine you could hack one company and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure."

5 of 97 comments

  1. FP by Obstin8 · · Score: 5, Insightful

    Nothing good can come of this...

  2. Surely they can't... by dov_0 · · Score: 5, Funny

    Find a way to make SSL certification slow down your computer as well? Maybe they intend to slow down the whole internet?!?

    --
    sudo mount --milk --sugar /cup/tea /mouth /etc/init.d/relax start
    1. Re:Surely they can't... by ascari · · Score: 5, Funny

      Your computer is at risk!

      Your Symantec SSL subscription has expired. All your secrets are visible to all users on the Internet. Click HERE to renew your Symantec SSL subscription.

  3. But surely they run antivirus by Culture20 · · Score: 5, Funny

    Imagine you could hack [Symantec] and control a large chunk of endpoint security software and the bulk of the Internet's public key infrastructure.

    I'm sure they buy anti-virus and firewall software from a reputable vendor.

  4. Three models by tepples · · Score: 5, Insightful

    If security is the problem, certificates are basically never a good answer.

    How else should I be sure that I am communicating with the entity I think I am communicating with? I can think of three models: certificate authority, web of trust, and key continuity management. If you're referring to key continuity management, the approach used by SSH that makes sure that the key you're using matches the key you used last time, that doesn't work if you're behind an ISP that's all MITM all the time. (Yes, these exist in the wild; see bug 460374 at bugzilla.mozilla.org.) If you're referring to a web of trust based on the Bacon number of mutual face-to-face meetings at key signing parties between you and a company's CIO, that doesn't work for people who can't attend such parties in major-league cities.
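The key continuity limitation raised in the comment above, as an added example that is not part of the original thread: a minimal trust-on-first-use pin store run against two constructed scenarios. The class name, host name and key byte strings are assumptions made up for illustration.

```python
import hashlib


class KeyContinuityStore:
    """Trust-on-first-use pin store, in the style of SSH known_hosts (hypothetical)."""

    def __init__(self):
        self.pins = {}  # host -> SHA-256 fingerprint of the first key seen

    def check(self, host, public_key: bytes) -> str:
        fp = hashlib.sha256(public_key).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:
            # Nothing to compare against yet: accept the key and pin it.
            self.pins[host] = fp
            return "first-use"
        return "match" if pinned == fp else "MISMATCH"


# Constructed sample data: opaque byte strings stand in for real public keys.
SERVER_KEY = b"constructed-key-of-the-real-server"
PROXY_KEY = b"constructed-key-of-the-intercepting-proxy"
HOST = "shop.example"


def occasional_interception():
    """Clean first contact, interception appears later: the pin catches it."""
    store = KeyContinuityStore()
    return [store.check(HOST, k) for k in (SERVER_KEY, SERVER_KEY, PROXY_KEY)]


def constant_interception():
    """Interception present from the first connection: the proxy key is pinned."""
    store = KeyContinuityStore()
    on_isp = [store.check(HOST, PROXY_KEY) for _ in range(3)]
    # The only warning appears on a clean network, and it flags the real server.
    off_isp = store.check(HOST, SERVER_KEY)
    return on_isp, off_isp


if __name__ == "__main__":
    print(occasional_interception())
    print(constant_interception())
```

In the second scenario every check on the intercepted network reports a match, which is why key continuity alone gives no signal when the first contact is already intercepted.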