VeriSign SSL Hackable - Comodo Exposes, VeriSign Denies

Melih,

!ot!

This is another trust issue of sorts, but does Comodo advocate the use of pirated software? There is some interesting metadata in the PDF you posted detailing the issue Comodo disclosed to VeriSign.

  <rdf:Description rdf:about=""
        xmlns:pdfx="http://ns.adobe.com/pdfx/1.3/">
     <pdfx:SourceModified>D:20100614211946</pdfx:SourceModified>
     <pdfx:Company>Grizli777</pdfx:Company>
     <pdfx:Comments/>
  </rdf:Description>

???

Regards,
Mike

nullbyte:Downloads mikezusman$ ls -l VeriSign\ Managed\ PKI\ Information\ Disclosure\ Vulnerability.pdf
-rw-r--r--@ 1 mikezusman staff 283995 Jun 23 17:23 VeriSign Managed PKI Information Disclosure Vulnerability.pdf
nullbyte:Downloads mikezusman$ openssl dgst -sha1 VeriSign\ Managed\ PKI\ Information\ Disclosure\ Vulnerability.pdf
SHA1(VeriSign Managed PKI Information Disclosure Vulnerability.pdf)= 4e2589fa31579856b5d7bc8beff0d8d0eb9187e1
nullbyte:Downloads mikezusman$ strings VeriSign\ Managed\ PKI\ Information\ Disclosure\ Vulnerability.pdf | grep Griz
<pdfx:Company>Grizli777</pdfx:Company>

PS - couldn’t this all have been dealt with behind closed doors via the CABForum?

We did try for a week to get Verisign to fix the issues. But they never admitted there was an issue in the first place.

There are no winners here…everyone loses…Verisign, Comodo…everyone…it's such a shame and it could have been avoided with responsible behaviour from Verisign.

Melih

I hate when a company does not acknowledge the problems… :stuck_out_tongue:

If they acknowledged it, then we would have no reason to go public :frowning:

Going public with issues like that makes everyone look bad…it's a lose-lose for everyone…

Melih

I was not saying that they have to make it public. Just that if there is a problem it must be acknowledged among the parties involved in it. If the problem is public, a public acknowledgment; if not, you can correct it silently. Honesty with the users ever.

Verisign has now removed the “revoke” button from this publicly accessible website!

https://certmanager.verisign.com/mcelp/enroll/index?application_locale=en_US&jur_hash=ab3ded030d84c0c32620acd1408e4f99

Now, if there was no security vulnerability why did they remove it?

Anyway, I am glad they are now fixing their vulnerabilities…although they kept insisting it was not a vulnerability in the first place…

Maybe they thought they can remove the “revoke” button without anyone noticing…:wink:

Now, how silly do they look for denying it first, then doing what we told them in the first place! Totally unnecessary, irresponsible, damaging behaviour from Verisign :frowning:

Melih

Even better - they’re fixing their invulnerability!! :smiley:

You might as well go public on the fact that the button has been removed. No, I am not being nasty or bitchy, but if you're gonna do something like that then go the full way; don't do things by half. Chase them up over it.

The view’s always better from the higher ground, Melih.

Pride always leads to a fall. That is not me talking about this issue but simply stating a fact.

Totally agree.
Shame on Verisign.