Incorrect reports of VeriSign vulnerability
Today we saw some news stories about supposed vulnerabilities in VeriSign's enterprise SSL Certificate requesting process. These stories are based on a press release and outside press briefings from Comodo claiming to have found a "major security vulnerability" in VeriSign's SSL offering. These stories are incorrect. I have written this FAQ to clear up the misinformation that's floating around right now.
Q. Are there actually major security vulnerabilities in VeriSign SSL products that were revealed to the public by Comodo today?
Q. What are the claimed vulnerabilities that Comodo announced?
A. Many large enterprises use a workflow whereby individuals within the organization can request SSL Certificates for the projects they're working on. Requests from these pages go to administrators, who then evaluate whether or not to issue the certificates. Comodo was able to locate and gain access to a certificate request page from a large financial institution.
By their nature these pages are publicly accessible, and access to these pages does not constitute a security flaw. There is no private information available from these pages, and certificate requests go through evaluation by the enterprise's designated certificate administration body before any certificate is issued. Comodo's claim that it detected a "major security vulnerability" that affects "its customers' Web sites, including a major financial institution" is categorically false.
Q. What is the effect on VeriSign's customers' web sites?
A. There is no effect on VeriSign's customers' web sites. Customers are not required to take any action and are at no risk.
Q. What is the severity of these alleged vulnerabilities?
A. VeriSign does not believe Comodo discovered or announced any serious vulnerability for our customers or users of our customers' web sites. Sensitive information, and actions that carry meaningful consequences for the enterprise, are all protected by a separate administrator control center that cannot be accessed without a special administrative certificate; this is a different system from the subscriber web page Comodo found. We deliberately designed our workflow to meet the needs of all members of the enterprise without compromising security, and in this instance that design is doing its job.
Q. Was there any breach? Was any sensitive information or the security of any site, server, enterprise, or certificate compromised in any way?
Q. Will VeriSign be making any changes to its products based on this announcement?
A. We currently have monitoring in place to detect possible brute force attacks against the subscriber web page. Given the increased attention this release is likely to cause, we are implementing additional safeguards as a further layer of protection to ensure that these pages are not susceptible to exploit.
Q. Comodo's release stated that it followed the CCSS ethical security disclosure standards. Is that correct?
A. No. Sections 7.2.iii and 9.1.i of these guidelines clearly state that the discloser and the security vendor will mutually negotiate the strategy and timeline for both disclosure and mitigation of the vulnerability. Comodo did not make VeriSign aware of the planned timing of this morning's press release or of the content of that release. If Comodo had briefed us on the content of this release in advance, we could have corrected the egregious errors the release contained.
Had the content of this release constituted an actual major security flaw (which it did not), one week's notice may not have been enough time to fix any flaw, and Comodo did not consult with VeriSign to determine a safe disclosure schedule. With 93% of the Fortune 500 and 97 of the world's 100 largest SSL-using banks choosing SSL Certificates from VeriSign, it's fortunate that Comodo was incorrect in its assessment of security risks.
Q. Why was Comodo searching for vulnerabilities in VeriSign SSL products?
A. We don't know.
Q. Does VeriSign actively search competitive SSL products for security vulnerabilities?