In 2011, the government of the Netherlands released a harrowing must-read account of the hacker takedown of a large Dutch certificate authority called DigiNotar. The frankly not terribly sophisticated attack effectively bankrupted the company and vaporized a $12.9 million investment by a firm called Vasco, which had bought DigiNotar earlier that year.
Not surprisingly, similar but bigger CAs such as DigiCert and Entrust have invested in ambitious cooperative security plans. But as with the rest of the wobbly Web, race-to-the-bottom digital-age economics make law and order elusive.
"Certificate authorities were complex and lucrative at one point," said Alberto Yepez, managing director at Trident Capital, a major Silicon Valley security venture shop, when we later spoke at another nearby watering hole. "But now they're becoming commoditized."
The upside on Web risk
This all leads to an only-in-the-Internet-age investor upside: Considering that everyone from Facebook (FB) to The New York Times to Burger King (BKC) is mitigating embarrassing, value-affecting security lapses, the crumbling CA infrastructure actually offers a tantalizing lens into which firms take security seriously -- and which do not.