Symantec Adds Multi-algorithm SSL Certificates, Expands Website Security Offerings

Symantec made a trio of announcements on Wednesday expanding its Website Security Solutions portfolio, designed to help businesses meet their security and performance needs.

The announcement has three “firsts,” Deena Thomchick, director of product marketing for Symantec’s Website Security Solutions division, told SecurityWeek. First, Symantec began offering encryption algorithms other than RSA for its SSL certificates for Web servers. Second, the company will improve certificate management with new features for its SSL management service and a new code-signing service. Finally, the company launched a new service to protect businesses from malvertisements, Thomchick said.

Organizations now have the option to have SSL certificates that use Elliptic Curve Cryptography (ECC) instead of the more traditional RSA keys, Robert Hoblit, senior director of product management in the Website Security Solutions division at Symantec, told SecurityWeek. While there is nothing wrong with the RSA algorithm and Symantec believes the algorithm will continue to be widely used for the foreseeable future, many organizations are interested in using other algorithms, Hoblit said. The reasons may be as varied as regulatory requirements or just a plain personal preference.

RSA is currently the only choice in SSL certificates; Symantec is just giving organizations a choice. In fact, with this announcement, Symantec will also be offering organizations certificates using the Digital Signature Algorithm (DSA), which was developed by the National Security Agency as an alternative to RSA.

With Symantec, the organization can pick which algorithm they want to use to enhance their security, Hoblit said.

ECC is a different cryptographic algorithm that supports faster processing speed at lower bit lengths while still being difficult to brute-force. DSA offers the same security and key length as RSA, but it is calculated using a different mathematical algorithm.

As keys get longer and more complex, they generally become computationally intensive to create and slower to use. A National Security Agency analysis cited by Symantec found that 256-bit ECC certificates are equivalent to a 3072-bit RSA certificate in terms of security. ECC’s smaller bit-length will mean it will be faster to use without compromising security. In fact, in its tests, Symantec found that ECC had better server-to-desktop performance and response time than RSA certificates.

The timing is good for Symantec, as the National Institute of Standards and Technology is requiring sites that comply with federal regulations to switch from RSA 1024-bit keys to 2048-bit by Jan. 1, 2014. The change is widely regarded as a precautionary measure, to have sites adopt longer cryptographic keys in order to make it harder for attackers trying to break the encryption. Organizations may take this opportunity to switch to a more complex algorithm altogether rather than just generating the same RSA certificates, Hoblit said.

Because Symantec will start offering its customers access to a different cryptographic algorithm to generate digital certificates, Web browsers have to be able to process the alternate information. Symantec has already been working to make sure its ECC SSL certificate technology will be accepted, Hoblit said. Companies such as Google, Akamai, and Juniper Networks plan to integrate ECC into their environments, Symantec said. Apache now also offers an “ECC-optimizing version” for administrators to use on Web servers, Hoblit said.

Administrators struggle to track all the SSL certificates used within the organization and to make sure they are being used correctly, Hoblit said. In an SSL global customer survey conducted earlier this month, Symantec found that companies using more than 2,000 SSL certificates reported an average loss of $222,000 in 2012 due to “certificate mishaps,” Hoblit said. Issues include certificates expiring unexpectedly, rogue certificates being generated, certificates being used incorrectly, and security breaches.
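As an added illustration (not code from the article or from Symantec), the following Go sketch audits certificates for two of the issues named above: RSA keys shorter than the 2048-bit minimum and certificates close to expiry. The host names, the 30-day warning window and the helper names are assumptions, and the certificates are constructed in-process so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a constructed test certificate: ECC P-256 by default, RSA when rsaBits > 0.
func selfSigned(cn string, rsaBits, days int) *x509.Certificate {
	var key crypto.Signer = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if rsaBits > 0 {
		key = must(rsa.GenerateKey(rand.Reader, rsaBits))
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, days)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))))
}

// Audit flags RSA keys below 2048 bits and certificates expiring within warnDays.
func Audit(c *x509.Certificate, warnDays int) (findings []string) {
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA-%d below 2048-bit minimum", pub.N.BitLen()))
	}
	if time.Until(c.NotAfter) < time.Duration(warnDays)*24*time.Hour {
		findings = append(findings, "expires "+c.NotAfter.Format("2006-01-02"))
	}
	return findings
}

func main() {
	fmt.Println(Audit(selfSigned("legacy.example", 1024, 365), 30)) // constructed RSA-1024 certificate
	fmt.Println(Audit(selfSigned("shop.example", 0, 10), 30))       // constructed P-256 certificate near expiry
}
```

A real inventory would load PEM files or scan live endpoints instead of calling `selfSigned`, then pass each parsed certificate to `Audit`.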

The Certificate Intelligence Center cloud service now has new management and automation capabilities to manage the certificate lifecycle, beginning with installations and going all the way through renewals, upgrades, and revocations, Hoblit said. The cloud service can also give customers a comprehensive view of the entire SSL portfolio with integrated monitoring, reporting, and rating functions.

The company is also delivering a hosted code-signing service for companies and app stores to secure their third-party and company-owned applications, Symantec said. The new cloud-based service verifies that applications are trusted and authentic, Hoblit said.

The final announcement from Symantec is about AdVantage, a secure cloud-based advertising and media service that offers real-time monitoring, notification, and detailed forensics of instances of malvertising. Symantec had rolled out an early version of the service to about 15 companies over the past year, and found more than 50 percent had experienced at least one malvertisement, Hoblit said. Ad networks and publishers can use the service to detect when malicious ads are introduced and take steps to remediate immediately.
