Earlier this week Palo Alto Networks released an emergency content release to remove DigiNotar as a trusted CA in PAN-OS and to block any signatures signed by them. Customers who have not yet refreshed should refer to Emergency Content Release 265-1115 available via the Palo Alto Networks Support site.
This measure of course comes in the wake of the news that DigiNotar has been compromised and hackers were able to generate fraudulent certificates for hundreds of domains including Google and Yahoo. This exposure is very similar to, yet far more extensive than the Comodo breach seen earlier in the year, and is the latest example of attacks that are targeting some of the foundational building blocks of IT security. This is just the latest reminder that we should bring a healthy skepticism into any discussion of “trust” in our networks, and why full visibility into all traffic is increasingly a requirement for any credible approach to network security.
Trust, but verify.