This is so sad.
The way Verisign dealt with this so irresponsibly is so very sad.
I do wish they had simply acknowledged the vulnerability to us in private; we would have been more than happy to work with them on this.
There are simply no winners when things get this messy. Everyone is a loser: Verisign, Comodo and Verisign’s customers. Shame…very irresponsible way of dealing with the issue…
And in the background I heard that Verisign has already changed their server configuration to stop Google from indexing it…yet they deny there was anything wrong…If there was nothing wrong, as they claimed, why are they changing server configuration now?
That’s like me being able to find a way to hack into Citibank, then reporting it to Verisign. They play down the situation (like it’s not a big deal), but I’m willing to bet that Citibank thinks it’s a big deal.
If Verisign DENIES and/or DOESN’T fix it for major financial institutions, can you imagine how Verisign handles their small business or home user accounts!!!
Q. Are there actually major security vulnerabilities in VeriSign SSL products that were revealed to the public by Comodo today?
That's because Comodo didn't release it to the public (in the wild); they used a third party to tell Verisign about the problem.
Q. Was there any breach? Was any sensitive information or the security of any site, server, enterprise, or certificate compromised in any way?
That's because Comodo reported it before some hacker figured it out.
We now have no choice but to reveal this info we provided to Verisign. After all, they don’t think it’s a vulnerability. So I guess it’s ok for us to reveal it.
PLEASE NOTE: THIS POST IS WRITTEN ONLY AND ONLY AFTER VERISIGN PUBLICLY DECLARED THEY HAVE NO VULNERABILITY AND WHAT COMODO REPORTED IS NOT A VULNERABILITY ACCORDING TO VERISIGN, HENCE WHATEVER IS CONTAINED HEREWITH CANNOT BE CONSIDERED DAMAGING TO VERISIGN OR ITS CUSTOMERS BY VERISIGN’S ADMISSION.
Verisign put themselves in a very difficult position by denying this is a vulnerability. Let me explain why.
If they don’t fix the issue, then they will continue to run an infrastructure that has its weakest link as this password/passphrase. (And I can’t believe that banks who fall under FDIC guidelines could possibly operate their operations with this kind of infrastructure, while they are required to have 2 factor authentication for their own customers)
If they fix the issue, then they will look pretty stupid for denying it in the first place!
Verisign, the choice is yours
The attached document is what was provided to Verisign last week. And they were told about our timescales (we told them we would do it on Monday via email).
PS: Tim Callan wrongly interprets guidelines. If Verisign accepted there was a vulnerability, then Comodo would work with Verisign in making sure it was addressed, without going public. Because Verisign denied that it was a vulnerability, that left Comodo with no alternative but to go public. Disclosure guidelines relate to vulnerabilities that both parties acknowledge; it is very difficult to fix a vulnerability if the vendor does not admit it is a vulnerability. As far as Verisign is concerned it was not a vulnerability, hence his point about disclosure guidelines is simply wrong!
I think it is good that issues like this are pointed out within the security community, and would also hope every member works as a whole to strengthen it (security), not put one down in favour of themselves, as they are all working towards the same goal.