Breaches Raise Questions about SSL Security

The recent breach at Dutch digital certificate authority DigiNotar is just the latest in a series of troubling SSL hacks. Earlier this year, Comodo alerted its customers to a serious SSL breach that impacted nine Web domains, including Google and Yahoo. Now with details emerging about the attack on DigiNotar’s SSL and EV-SSL CA system, we think it’s time to take a closer look at SSL security. In fact, in July NCP engineering* released a whitepaper, “Debunking the Myths of SSL VPN Security,” taking on this very topic. So, using this whitepaper as a guide, VPN Haus is launching a multi-part series that asks the questions: why do so many high-profile breaches occur using SSL VPN? Do users simply not implement the technology correctly? Or does SSL fall short of the marketing hype? We’ll dig for these answers by exploring the following SSL VPN myths:

Myth 1: Using trusted certificates from a certificate authority (CA) is airtight.
Myth 2: One-way certificate authentication of a SOA web service is secure because it uses HTTPS.
Myth 3: Online banking via SSL session is secure.
Myth 4: Java Authentication and Authorization Services (JAAS) framework handles all protocols and mechanisms in a secure manner.
Myth 5: Two-way certificate exchange between a SOA web service and a client can always be trusted.
Myth 6: RSA SecurID provides a secure connection.
Myth 7: Thick-client SSL VPNs are more secure than thin-client SSL VPNs.
Myth 8: Security is the responsibility of a specialist department.

Moreover, Myth 1 deals head-on with the issue Comodo, and now DigiNotar, faced with its fraudulent certificates. More on that soon. But for...

The World After IPv6 Day: A Conversation with Comodo's Paul Lee

We’re happy to report the Internet is still standing nearly a week after IPv6 Day. More than 400 organizations, including heavyweights like Google and Facebook, enabled the much talked-about IPv6 standard on their websites. Overall, no major outages were reported. Now what? Well, Facebook plans to leave its developer site dual-stacked, supporting both IPv4 and IPv6, and Google will enable IPv6 access for only the users of its Google over IPv6 program. At VPN Haus, we spoke with Paul Lee, director of IT at Comodo, about what his company learned from IPv6 Day.

VPN Haus: Can you tell me how Comodo enabled its main page for IPv6?

Paul Lee: We implemented dual stack on both the webservers (our NGINX platform that runs them), the kernel of said machines, firewalls and all of our core and edge Juniper comms equipment. We used GRE tunnels internally. [Comodo enabled 22 sites, in addition to its main page.]

VPN Haus: What are the key issues and lessons that came to light as a result of this experiment, both for Comodo and on a higher level for all participating organizations?

Lee: When taking full routes from upstream providers, IPv6 has a lot more address space and so simple things like more RAM for routers is needed to hold the greater number of routes (as IPv6 adoption takes hold, this will be a bigger problem). Ensuring that the kernel of machines is IPv6 enabled as well as any software running on them (can cause unforeseen issues). We learned that adoption is very small at the moment, with a greater proportion of users in...
