Inside the secret Symantec building that keeps websites safe

May 29, 2013 by Steve Johnson

Hidden within a nondescript building here is a highly secret Symantec facility protected by the sort of measures found in nuclear missile silos. Dubbed "the vault" by some employees, the bunkerlike operation bristles with guards, sensors, iris- and fingerprint-reading locks, and, deep within its labyrinthine confines, a room containing the most privileged data, to which only five people have the combination. All that is to ensure no one can sneak in and steal the information Symantec maintains to certify that thousands of widely used websites are legitimate, and that whatever is sent to and from the sites is encrypted against cyberattacks.

Although company officials say hackers frequently try to break into their , they say it has never been breached. And they are so proud of its physical protections, they recently let the San Jose Mercury News tour the hush-hush complex, on condition its exact location not be revealed.

While Symantec and some other prominent "certificate authorities" take security seriously, experts say, others in the business are far less careful. Citing several recent incidents, these experts contend it's often easy for hackers to compromise weak points in the system and steal , bank account filings, emails or other personal records.

"Right now the whole certificate-authority model is completely broken, but at the same time we have no valid alternative," said Jeremiah Grossman, founder of Santa Clara, Calif.-based WhiteHat Security. "It's going to take a disruption - something really bad will have to happen - and then we'll fix it."

According to research firm Netcraft, the Internet has more than 670 million websites, the vast majority with addresses beginning with HTTP - for hypertext transfer protocol - which experts say often can be easily hacked. But about 2 million sites for banks, retailers and others boast HTTPS addresses. That "S" means a certificate authority, like Symantec, has verified their operators' identity and that the information flowing in and out of the sites is encrypted. The sites bear a padlock icon in their addresses, some of which are green to indicate they've undergone additional verification.

But some of these Web destinations aren't as secure as they seem to be. By breaking into certificate authorities and issuing fake certificates, hackers can decrypt and steal information sent to and from these sites.

In 2011, when prominent Dutch certificate authority DigiNotar was hacked, an investigation determined about 300,000 Iranian Gmail accounts were accessed. The attack - widely believed to have been launched by the Iranian government to monitor dissidents - also created havoc in the Netherlands. Its citizens were warned to avoid online transactions and to correspond with the government only via paper, because Dutch authorities feared their own websites might not be safe.

As the world's biggest certificate authority, Symantec strives to avoid being similarly victimized. While it most fears cyberattacks, it also emphasizes the physical security of its location. Surveillance cameras, motion sensors and reinforced walls protect the Mountain View center.

Yet many experts say security procedures vary widely at other certificate authorities - whose numbers worldwide are estimated at anywhere from 65 to well over 100 - and that many of them aren't nearly as cautious. No single body polices them. And the standards that industry groups have proposed haven't been universally adopted, which has contributed to confusion about how certificate authorities operate.

"It is an extremely complicated, obscure bureaucracy that only a handful of experts on the planet understand," said Peter Eckersley of the Electronic Frontier Foundation.

One troubling mystery is how often certificate authorities get hacked, which is particularly difficult to determine with operations based overseas, said Adam Langley, a senior staff software engineer at Google.

Consequently, "there may be lots of small targeted attacks that we don't know about," he said, adding that "the general system is rather fragile."

Studies suggest many sites certified as safe may not be.

The Electronic Frontier Foundation last year found that thousands of certificates "used to authenticate HTTPS sites are effectively useless, owing to weak algorithms used to generate the random numbers that are needed for encryption." As a result, it concluded, "tens of thousands of sites across the Web are vulnerable to eavesdroppers."

The Trustworthy Internet Movement, a nonprofit group that seeks to bolster Internet security, reported in April that only 22 percent of the 172,598 HTTPS sites it checked were secure.

And Netcraft recently warned that even when fraudulent HTTPS certificates are revoked, people can continue using those sites "for weeks or months without knowing anything is amiss," because browsers often are slow to warn them of the problem.

Recommendations for improving the system range from making more information about certifications public to requiring every website to have HTTPS encryption. But during a recent federal workshop on the issue, researchers with the International Computer Science Institute in Berkeley, Calif., concluded, "There is no real solution in sight."

Others hope they are wrong.

"All this stuff is really critical in ensuring that e-commerce continues to be viable, so we all feel safe shopping on the Internet," said Paul Meijer, senior director of Symantec's secret center. "That just benefits everybody."


The vast majority of the more-than 670 million Internet sites have addresses that begin with HTTP - for hypertext transfer protocol - which experts say often can be easily hacked.

About 2 million sites operated by banks, retailers and others boast HTTPS addresses. The "S" means a certificate authority has verified the identity of the sites' operators and that information flowing to and from the sites is encrypted.

A padlock icon appears in their addresses, some of which are green to indicate they've undergone additional verification.

But experts say security precautions vary among the scores of certificate authorities around the world, making it possible for hackers to sometimes decrypt and steal information sent to and from HTTPS sites.
