Your web browsers, by default, trust many organizations you're probably not familiar with. Many are located in countries overseas, some in not-so-friendly areas of the world. But what diligence has your organization done on these companies, if any? This may represent a security hole that doesn't show up in your risk assessments.
A Certificate Authority (CA) is an organization or system which has the ability to digitally sign SSL certificates. These are the governing bodies of the SSL encryption that is used nearly everywhere on the web for transferring sensitive data securely. By default your browser trusts CAs like Microsoft, GoDaddy and others. Without these trust relationships you'd have to configure each one manually or click 'OK' every time you visited an SSL site. So default trusted CAs are a good thing.
But that means these organizations are trusted implicitly with the security of some of your organization's most protected online transactions. What due diligence have you done on these providers that your browser trusts? Have you determined the sufficiency of their SAS 70 report? Do you know whether or not they report to you any data breaches which may have affected your confidential transmissions? Do you really want to explicitly trust foreign-owned companies with any information that may interest their government?
For some organizations this may be tin foil hat material. For others, though, this may pose a real security risk. If you're interested in learning more about this kind of thing, there is plenty of material published on SSL certificate attacks. If these are combined with more traditional attacks such as DNS poisoning, man-in-the-middle, ARP spoofing and others, they could become a very real threat to your organization.
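The first step of the due diligence the post asks for is simply knowing which roots are in your trust store and where they come from. The following is an added example, not code from the original post: it reads root certificates in the same record shape that Python's `ssl.SSLContext.get_ca_certs()` returns, counts them by subject country, and flags any root whose country is not on an allow-list, that has already expired, or that carries no country at all. The allow-list (`{"US"}`) and the four sample records are constructed for illustration; the `system_roots()` helper shows the same audit run against whatever the local OpenSSL default store actually trusts.

```python
import ssl
import time
from collections import Counter

# Constructed sample records in the shape ssl.SSLContext.get_ca_certs()
# returns: "subject" is a tuple of RDNs, each RDN a tuple of (attribute,
# value) pairs. These are made-up roots for illustration, not real CAs.
SAMPLE_CERTS = [
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Root CA Inc"),),
                    (("commonName", "Example Root CA"),)),
        "notAfter": "Dec 31 23:59:59 2035 GMT",
    },
    {
        "subject": ((("countryName", "XX"),),  # placeholder foreign country code
                    (("organizationName", "Placeholder Foreign Trust Ltd"),),
                    (("commonName", "Placeholder Foreign Root"),)),
        "notAfter": "Jun 30 23:59:59 2031 GMT",
    },
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Old Root Corp"),),
                    (("commonName", "Old Root"),)),
        "notAfter": "Jan 01 00:00:00 2010 GMT",  # long expired
    },
    {
        # No countryName at all: you cannot even tell whose law it answers to.
        "subject": ((("commonName", "No Country Root"),),),
        "notAfter": "Jan 01 00:00:00 2040 GMT",
    },
]

# Hypothetical policy: countries whose CAs the organization has vetted.
ALLOWED_COUNTRIES = {"US"}


def rdn_value(subject, attribute):
    """Return the first value of `attribute` in an X.509 subject tuple, or None."""
    for rdn in subject:
        for name, value in rdn:
            if name == attribute:
                return value
    return None


def audit_trust_store(certs, allowed_countries, now=None):
    """Summarise trusted roots by country and flag the ones needing review.

    A root is flagged when its country is missing or not on the allow-list,
    when it has expired, or when its expiry date cannot be parsed.
    Returns {"by_country": {country: count}, "flagged": [(org, country, reasons)]}.
    """
    now = time.time() if now is None else now
    by_country = Counter()
    flagged = []
    for cert in certs:
        subject = cert.get("subject", ())
        country = rdn_value(subject, "countryName") or "??"
        org = (rdn_value(subject, "organizationName")
               or rdn_value(subject, "commonName")
               or "<unnamed>")
        by_country[country] += 1
        reasons = []
        if country not in allowed_countries:
            reasons.append("country %s not on allow-list" % country)
        try:
            # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
            if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
                reasons.append("expired")
        except (KeyError, ValueError):
            reasons.append("unparseable notAfter")
        if reasons:
            flagged.append((org, country, reasons))
    return {"by_country": dict(by_country), "flagged": flagged}


def system_roots():
    """Roots the local OpenSSL default store trusts (may be empty on a bare host)."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    for label, certs in (("sample", SAMPLE_CERTS), ("system", system_roots())):
        report = audit_trust_store(certs, ALLOWED_COUNTRIES)
        print("%s store: %d roots by country %s"
              % (label, len(certs), report["by_country"]))
        for org, country, reasons in report["flagged"]:
            print("  review: %s (%s): %s" % (org, country, "; ".join(reasons)))
```

Run against the live store, the country breakdown alone is usually the surprise the post is pointing at. The `??` bucket is worth a second look in any real audit: a root with no country in its subject tells you nothing about which government could compel it. Note that `get_ca_certs()` lists only roots already loaded by OpenSSL, so on systems that use a hashed `capath` directory rather than a single bundle file the list may be incomplete until certificates have been used.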