Verisign got hacked but didn't tell anyone!!!!

[Guest]

[Melih]

http://finance.yahoo.com/news/Key-Internet-operator-rb-2857339070.html?x=0

http://verisignhacked.tumblr.com/

[kitmub]

wow 

first its norton now is verisign what will be next and what will the virtual population do now 

but then again there always a chance of something or someone bypassing security

the question that matters is how much and what was compromised,

though reputation gives a really high pressure for anyone


  and im not good in high pressure or quick thinking 

[Melih]

the important thing is "trust"...
to earn trust, you have to be transparent.

its a shame that Verisign chose not to be transparent.

[w-e-v]

I think its time for COMODO to innovate.

The article talks about many people thinking that SSL certificates is not a secure mechanism anymore (I save my personal opinion on this subject).

Guess with the trust COMODO have earned, its a good candidate to propose.

[HeffeD]

its a shame that Verisign chose not to be transparent.

It's a bit scary when you think about it.

[Melih]

It's a bit scary when you think about it.

This is why Comodo is the Trusted brand now, because we are always transparent and honest with our users.

[axl]

This is why Comodo is the Trusted brand now, because we are always transparent and honest with our users.

Melih, you make good product but no business is always transparent with its customers.

[Radaghast]

This is pretty extraordinary reading, basically, Verisign got hacked two years ago, they have no idea how badly, or what was stolen/changed/left behind. Management f****d up by not reporting it sooner and to cover their collective butts, they point fingers at poor reporting structures and the worker bees. Urm! Hello! we're talking Root server gatekeeper here! I think there needs to be some pretty hard questions asked here.

[Radaghast]

VeriSign admits multiple hacks in 2010 , keeps details under wraps ...

Tantry said one source had told him that a root certificate had, in fact, been compromised.

 

Symantec declined to comment further on the VeriSign hacking admission.

[MartiusD]

The article at http://features.techworld.com/security/3317789/ssl-certificates-under-fire-as-hacking-incidents-pile-up/ gives a good idea of the current state-of-play.

It has already been demonstrated that SSL can be hacked without using fraudulent certificates. See http://forums.comodo.com/general-discussion-off-topic-anything-and-everything/hackers-break-ssltls-encryption-t76556.0.html

I doubt that anything will change until a really serious hack occurs. So far the band-aid fix when (and if) a hack is reported is to revoke certificates issued by the hacked company. Unfortunately this takes time to implement and has allowed fraudulent use of certificates to occur. If a really large number of certificates had to be revoked there would be total chaos trying to securely access large numbers of sites, and not revoking them would be a very high risk alternative. This problem has been in the too-hard basket for many years, because it was claimed to be only a "theoretical vulnerability" before hacks actually started to happen.

The bottom line is that no amount of checks and digital signing can make the current SSL mechanism 100% secure because no company authorised to issue them can guarantee its servers are 100% hacker-proof, or that all its employees are 100% trustworthy.

Does anyone know of any serious alternatives to SSL being developed? I haven't heard of any, but I am not a security expert.

Assuming no decent SSL alternative is in the pipeline I would suggest that Comodo and other major security companies should get together to offer a large prize (e.g. $10 million) to anyone who can come up with a real and workable solution to providing secure connections.

[Melih]

http://verisignhacked.tumblr.com/

[brightness]

So what do this mean to us end-users?

Does it mean that when we see a site with a Versign certificate we shouldn't trust it?

[JamesFrance]

This is getting a wider exposure.

VeriSign boasts of over 110m registered domains. The subversion of just one of these could affect millions of consumers, government agencies and corporate web users in a single day. This ought to have prompted the company to alert its partners immediately, to limit any potential damage. Burying the breach under the mountain of impenetrable prose in a securities filing will be a blot on VeriSign's otherwise spotless record for years to come.

http://www.economist.com/blogs/babbage/2012/02/internet-security?fsrc=gn_ep&google_editors_picks=true

[Tags:]