This is so sad.
The way Verisign dealt with this so irresponsibly is so very sad.
I do wish they had simply acknolwedged the vulnerability to us in private, we would have been more than happy to work with them on this.
There are simply no winners when things get this messy. Everyone is a loser, Verisign, Comodo and Verisign’ customers. Shame…very irresponsible way of dealing with the issue…
And on the background I heard that Verisign has already changed their Server configuration to stop Google from Indexing it…yet they deny there was anything wrong…If there was nothing wrong, as they claimed, why are they changing server configuration now?
VeriSign responded, "We thank you for bringing this to our attention, but the information you have accessed is public information that can be found in a multitude of ways
Yeah, but that public information is a VeriSign customer account of a major financial institution can be easily accessed without authentication
It sounds like Verisign is trying to play down the problem
(Example)
That’s like me being able to find a way to hack into Citibank, then reports it to verisign. They play down the situation (like it’s not a big deal), but I’m willing to bet that Citibank thinks it’s a big deal
If Verisign DENIES and/or DOESN’T fix it for Major financial institutions, can you imagine how verisign handles there small businesses or home users accounts!!!
Q. Are there actually major security vulnerabilities in VeriSign SSL products that were revealed to the public by Comodo today?
A. No.
That's because comodo didn't release it to the public(In the wild), they used a third-party to tell Verisign the problem.
Q. Was there any breach? Was any sensitive information or the security of any site, server, enterprise, or certificate compromised in any way?
A. No.
That's because comodo reported it before some hacker figured it.
I think I see the point. Is it that Comodo was able to (remotely) access information that was supposed to only be publicly accessible from within the specific corporation?
From the article I linked to and Melih’s article this appears to be the situation. Is this accurate?
We now have no choice but to reveal this info we provided to Verisign. Afterall they don’t think its a vulnerability. So I guess its ok for us to reveal it.
PLEASE NOTE: THIS POST IS WRITTEN ONLY AND ONLY AFTER VERISIGN PUBLICLY DECLARED THEY HAVE NO VULNERABILITY AND WHAT COMODO REPORTED IS NOT A VULNERABILITY ACCORDING TO VERISIGN, HENCE WHATEVER IS CONTAINED HEREWITH CANNOT BE CONSIDERED DAMAGING TO VERISIGN OR ITS CUSTOMERS BY VERISIGN’S ADMISSION.
Verisign put themselves in a very difficult position by denying this is a vulnerability. Let me explain why.
If they don’t fix the issue, then they will continue to run an infrastructure that has its weakest link as this password/passphrase. (And I can’t believe that banks who fall under FDIC guidelines could possibly operate their operations with this kind of infrastructure, while they are required to have 2 factor authentication for their own customers)
If they fix the issue, then they will look pretty stupid for denying it in the first place!
Verisign, the choice is yours
The attached document is what was provided to Verisign last week. And they were told about our timescales (we told them we would do it on Monday via email).
PS: Tim Callan wrongly interprets guidelines. If Verisign accepted there was a vulnerability, then Comodo would work with Verisign in making sure it was addressed, without going public. Because Verisign denied that it was vulnerability, that left Comodo with no alternative but to go public. Disclosure guidelines relate to Vulnerabilities that both parties acknowledge, It is very difficult to fix a vulnerability if the vendor does not admit it is a vulnerability. As far as Verisign is concerned it was not a vulnerability, hence his point about disclosure guidelines is simply wrong!
Verisign thinks its ok to have a “Revocation” button publicly available for large banks’, so that anyone who can guess the password/passphrase can revoke it from anywhere in the world!!!
Verisign also thinks its ok to publish domains associated with a Bank so that phishers have easy time to figure out which domains they should use next in their phishing attacks.
Verisign also thinks its ok to publish the email addresses of the admin so that social engineering attacks can be mounted!!!
Did Verisign tell its customers that their information is available on Google?
I would like to see Verisign answering these questions, rather then burying their head in the sand and thinking everything is hunky dory!
I think it is good that issues like this are pointed out within the security community, and would also hope every member works as a whole to strengthen it (security), not put one down in favour of themselves, as they are all working towards the same goal.
Verisign thinks its ok to have a "Revocation" button publicly available for large banks', so that anyone who can guess the password/passphrase can revoke it from anywhere in the world!!!
Verisign also thinks its ok to publish domains associated with a Bank so that phishers have easy time to figure out which domains they should use next in their phishing attacks.
Verisign also thinks its ok to publish the email addresses of the admin so that social engineering attacks can be mounted!!!
Did Verisign tell its customers that their information is available on Google?
Of Course not, Only if the customers confront them on it. Even then, they’ll do what most politicians do. They answer around the question and down play it
If this is how they normally act for big giant corporations, I wonder how it would have responded, if it just effects small businesses or mom & pop operations.
