VeriSign SSL Hackable - Comodo Exposes, VeriSign Denies

[Guest]

[Melih]

Verisign SSL hackable - Comodo exposes, Verisign denies


This is so sad.
The way Verisign dealt with this so irresponsibly is so very sad.

I do wish they had simply acknolwedged the vulnerability to us in private, we would have been more than happy to work with them on this.

There are simply no winners when things get this messy. Everyone is a loser, Verisign, Comodo and Verisign' customers. Shame....very irresponsible way of dealing with the issue..

And on the background I heard that Verisign has already changed their Server configuration to stop Google from Indexing it.....yet they deny there was anything wrong.....If there was nothing wrong, as they claimed, why are they changing server configuration now?

Verisign

[jay2007tech]

VeriSign responded, "We thank you for bringing this to our attention, but the information you have accessed is public information that can be found in a multitude of ways

Yeah, but that public information is a VeriSign customer account of a major financial institution can be easily accessed without authentication

It sounds like Verisign is trying to play down the problem

[Melih]

Yeah, but that public information is a VeriSign customer account of a major financial institution can be easily accessed without authentication

It sounds like Verisign is trying to play down the problem

they are indeed!

If they go fix it while playing it down will make them look untrustworthy.

Melih

[Chiron]

Is this response given here incorrect?
https://blogs.verisign.com/ssl-blog/2010/06/incorrect_reports_of_verisign.php

It actually sounds reasonable to me. Where am I wrong in my thinking?

[jay2007tech]

(Example)
That's like me being able to find a way to hack into Citibank, then reports it to verisign.  They play down the situation (like it's not a big deal), but I'm willing to bet that Citibank thinks it's a big deal


If Verisign DENIES and/or DOESN'T fix it for Major financial institutions, can you imagine how verisign handles there small businesses or home users accounts!!!!!!!!

Q. Are there actually major security vulnerabilities in VeriSign SSL products that were revealed to the public by Comodo today?
A. No.

That's because comodo didn't release it to the public(In the wild), they used a third-party to tell Verisign the problem.

Q. Was there any breach? Was any sensitive information or the security of any site, server, enterprise, or certificate compromised in any way?
A. No.

That's because comodo reported it before some hacker figured it.

[Chiron]

After looking on line, it seems Verisign got bought out by Symantec (makers of nortan)

Yes they were.

(Example)
That's like me being able to find a way to hack into Citibank, then reports it to verisign.  They play down the situation (like it's not a big deal), but I'm willing to bet that Citibank thinks it's a big deal.

I think I see the point. Is it that Comodo was able to (remotely) access information that was supposed to only be publicly accessible from within the specific corporation?

From the article I linked to and Melih's article this appears to be the situation. Is this accurate?

[Melih]

We now have no choice but to reveal this info we provided to Verisign. Afterall they don't think its a vulnerability. So I guess its ok for us to reveal it.

PLEASE NOTE: THIS POST IS WRITTEN ONLY AND ONLY AFTER VERISIGN PUBLICLY DECLARED THEY HAVE NO VULNERABILITY AND WHAT COMODO REPORTED IS NOT A VULNERABILITY ACCORDING TO VERISIGN, HENCE WHATEVER IS CONTAINED HEREWITH CANNOT BE CONSIDERED DAMAGING TO VERISIGN OR ITS CUSTOMERS BY VERISIGN'S ADMISSION.


Verisign put themselves in a very difficult position by denying this is a vulnerability. Let me explain why.

If they don't fix the issue, then they will continue to run an infrastructure that has its weakest link as this password/passphrase. (And I can't believe that banks who fall under FDIC guidelines could possibly operate their operations with this kind of infrastructure, while they are required to have 2 factor authentication for their own customers)

If they fix the issue, then they will look pretty stupid for denying it in the first place!

Verisign, the choice is yours

The attached document is what was provided to Verisign last week. And they were told about our timescales (we told them we would do it on Monday via email).

PS: Tim Callan wrongly interprets guidelines. If Verisign accepted there was a vulnerability, then Comodo would work with Verisign in making sure it was addressed, without going public. Because Verisign denied that it was vulnerability, that left Comodo with no alternative but to go public. Disclosure guidelines relate to Vulnerabilities that both parties acknowledge, It is very difficult to fix a vulnerability if the vendor does not admit it is a vulnerability. As far as Verisign is concerned it was not a vulnerability, hence his point about disclosure guidelines is simply wrong!

Melih

[SpeedyPC]

What I can say about Verisign in two words B LL S T!  

[patrice58]

In Tim Callan's blog here https://blogs.verisign.com/ssl-blog/2010/06/incorrect_reports_of_verisign.php one good point was made which was. Q. Why was Comodo searching for vulnerabilities in VeriSign SSL products?
A. We don't know.

Nor do I so why?

Ah ok fair enough.

[burebista]

Nor do I so why?

Creating Trust Online™ 

Does it matter why? For me it looks more important that they discovered something instead asking why choose VeriSign to check.

[Melih]

In Tim Callan's blog here https://blogs.verisign.com/ssl-blog/2010/06/incorrect_reports_of_verisign.php one good point was made which was. Q. Why was Comodo searching for vulnerabilities in VeriSign SSL products?
A. We don't know.

Nor do I so why?

its on our document...we were not....we were searching google!!!!

[Melih]

Verisign thinks its ok to have a "Revocation" button publicly available for large banks', so that anyone who can guess the password/passphrase can revoke it from anywhere in the world!!!


Verisign also thinks its ok to publish domains associated with a Bank so that phishers have easy time to figure out which domains they should use next in their phishing attacks.

Verisign also thinks its ok to publish the email addresses of the admin so that social engineering attacks can be mounted!!!

Did Verisign tell its customers that their information is available on Google?

I would like to see Verisign answering these questions, rather then burying their head in the sand and thinking everything is hunky dory!

Melih

[Melih]

Why is Verisign allowing their customer's accounts to be indexed by Google?

What is the benefit?

Melih

[Melih]

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD270&actp=LIST&viewlocale=en_US

Now Verisign will have a 6 hour outage to do "maintanence" work on their Certificate Manager.

I thought Verisign said there was no vulnerability

Melih

[jay2007tech]

Q. Why was Comodo searching for vulnerabilities in VeriSign SSL products?
A. We don't know.

Propably because they stumbled upon it, Verisign should be gratefull that one of there competitors stumbled it and had it reported

Verisign will have a 6 hour outage to do "maintenance" work on their Certificate Manager.

If comodo didn't report it, there wouldn't be no 6 hour outage.  They should replace the word "maintenance work" to "vulnerably repair" work

[Tags:]