Inside the secret Symantec building that keeps websites safe

May 29, 2013 by Steve Johnson

Hidden within a nondescript building here is a highly secret Symantec facility protected by the sort of measures found in nuclear missile silos. Dubbed "the vault" by some employees, the bunkerlike operation bristles with guards, sensors, iris- and fingerprint-reading locks, and, deep within its labyrinthine confines, a room containing the most privileged data, to which only five people have the combination. All that is to ensure no one can sneak in and steal the information Symantec maintains to certify that thousands of widely used websites are legitimate, and that whatever is sent to and from the sites is encrypted against cyberattacks.

Although company officials say hackers frequently try to break into their , they say it has never been breached. And they are so proud of its physical protections, they recently let the San Jose Mercury News tour the hush-hush complex, on condition its exact location not be revealed.

While Symantec and some other prominent "certificate authorities" take security seriously, experts say, others in the business are far less careful. Citing several recent incidents, these experts contend it's often easy for hackers to compromise weak points in the system and steal , bank account filings, emails or other personal records.

"Right now the whole certificate-authority model is completely broken, but at the same time we have no valid alternative," said Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security. "It's going to take a disruption - something really bad will have to happen - and then we'll fix it."

According to research firm Netcraft, the Internet has more than 670 million websites, the vast majority with addresses beginning with HTTP - for hypertext transfer protocol - which experts say often can be easily hacked. But about 2 million sites for banks, retailers and others boast HTTPS addresses. That "S" means a certificate authority, like Symantec, has verified their operators' identity and that the information flowing in and out of the sites is encrypted. The sites bear a padlock icon in their addresses, some of which are green to indicate they've undergone additional verification.

But some of these Web destinations aren't as secure as they seem to be. By breaking into certificate authorities and issuing fake certificates, hackers can decrypt and steal information sent to and from these sites.

In 2011, when prominent Dutch certificate authority DigiNotar was hacked, an investigation determined about 300,000 Iranian Gmail accounts were accessed. The attack - widely believed to have been launched by the Iranian government to monitor dissidents - also created havoc in the Netherlands. Its citizens were warned to avoid online transactions and to correspond with the government only via paper, because Dutch authorities feared their own websites might not be safe.

As the world's biggest certificate authority, Symantec strives to avoid being similarly victimized. While it most fears cyberattacks, it also emphasizes the physical security of its location. Surveillance cameras, motion sensors and reinforced walls protect the Mountain View center.

Yet many experts say security procedures vary widely at other certificate authorities - whose numbers worldwide are estimated at anywhere from 65 to well over 100 - and that many of them aren't nearly as cautious. No single body polices them. And the standards that industry groups have proposed haven't been universally adopted, which has contributed to confusion about how certificate authorities operate.

"It is an extremely complicated, obscure bureaucracy that only a handful of experts on the planet understand," said Peter Eckersley of the Electronic Frontier Foundation.

One troubling mystery is how often certificate authorities get hacked, which is particularly difficult to determine with operations based overseas, said Adam Langley, a senior staff software engineer at Google.

Consequently, "there may be lots of small targeted attacks that we don't know about," he said, adding that "the general system is rather fragile."

Studies suggest many sites certified as safe may not be.

The Electronic Frontier Foundation last year found that thousands of certificates "used to authenticate HTTPS sites are effectively useless, owing to weak algorithms used to generate the random numbers that are needed for encryption." As a result, it concluded, "tens of thousands of sites across the Web are vulnerable to eavesdroppers."

The Trustworthy Internet Movement, a nonprofit group that seeks to bolster Internet security, reported in April that only 22 percent of the 172,598 HTTPS sites it checked were secure.

And Netcraft recently warned that even when fraudulent HTTPS certificates are revoked, people can continue using those sites "for weeks or months without knowing anything is amiss," because browsers often are slow to warn them of the problem.

Recommendations for improving the system range from making more information about certifications public to requiring every website to have HTTPS encryption. But during a recent federal workshop on the issue, researchers with the International Computer Science Institute in Berkeley, Calif., concluded, "There is no real solution in sight."

Others hope they are wrong.

"All this stuff is really critical in ensuring that e-commerce continues to be viable, so we all feel safe shopping on the Internet," said Paul Meijer, senior director of Symantec's secret center. "That just benefits everybody."

CERTIFYING SAFE SITES

The vast majority of the more than 670 million Internet sites have addresses that begin with HTTP - for hypertext transfer protocol - which experts say often can be easily hacked.

About 2 million sites operated by banks, retailers and others boast HTTPS addresses. The "S" means a certificate authority has verified the identity of the sites' operators and that information flowing to and from the sites is encrypted.

A padlock icon appears in their addresses, some of which are green to indicate they've undergone additional verification.

But experts say security precautions vary among the scores of certificate authorities around the world, making it possible for hackers to sometimes decrypt and steal information sent to and from HTTPS sites.
