Update from Alexander Sotirov

Created: 06 Jan 2009 • Updated: 18 Dec 2012 • 4 comments
Tim Callan

Thank you to Alexander Sotirov for a detailed account of his research team's communications with Microsoft and the subsequent e-mails on the topic. Alexander's account is available at this link for reading, and for the sake of this post I'll try to paraphrase as fairly as possible. After explaining the researchers' motivations and the steps Alexander et al. took to ensure that their attack was not usable by an outside malicious party, this missive goes on to detail the timeline and content of messages with Microsoft on the topic of sharing this information with the CA in question, which happened to be VeriSign.

Based on the content of this message it appears that we lost some of the information internally. I expect that owes itself to the small number of individuals involved and their vacation schedules. It still doesn't appear to me that we knew when and where this announcement would take place (certainly I did not), and when the likes of Wired and The Washington Post began calling me for comment on December 29 I was not aware of the announcement that was coming nor the details of the attack.

Based on this new post it appears that Alexander Sotirov and his companions did indeed ask an intermediary, Microsoft, to contact VeriSign.

The timing of that contact diminished its ability to help us considerably. I don't know anybody at VeriSign who had information about when and where this presentation would take place. I learned that on my own from H.D. Moore's blog post on the topic shortly beforehand.

As stated elsewhere, MD5 was slated for discontinuation anyway, which made it expedient to push the update live more quickly. If the larger organization had been cognizant of this issue (for example if the information had come to us during something resembling a normal work week), I expect the fix would have been live before the presentation happened. As it was, we were engaged in last-minute detective work to try to understand what would be announced and when. The sense of frustration I expressed to Wired and others was quite real, as at that time we had a reported security vulnerability and no clear, available information on what it was. We're never going to be happy about such a situation.

So what should have been different? Well, first of all, our channels did appear to break down internally, probably because of the holiday schedule. VeriSign has normal escalation paths for critical issues that run 24 x 365, but this information didn't come in through them. So yes, the information may have been in the hands of someone who worked for VeriSign, but it didn't get to the places it needed to get to for rapid resolution. It would have been a lot better if we'd been informed on almost any other day of the year. I don't know if there was a specific reason why this communication had to come on Christmas Eve, but in the future I'll encourage others to consider the calendar when making this kind of outreach.

The big takeaway for me from this incident is that we need an environment where researchers and security vendors can trust each other. Alexander has explained why his team did not feel they could place that trust in VeriSign. I have explained why I feel they could have. We at VeriSign would like to see an environment where researchers need not mistrust security vendors and vice versa. We're committed to doing our part to bring back that environment, and we encourage security researchers in the future to reach out directly to us. We promise to treat you fairly and respectfully.

In summary, thank you for this additional information, Alexander. As I stated earlier, I want to give credit where it is due. I apologize if anything I wrote gave you offense. Everything I wrote was aimed at sincerely representing the facts as I understood them at the time.

Comments

Kris C

"Alexander has explained why his team did not feel they could place that trust in VeriSign. I have explained why I feel they could have."

Where did you explain how they could have trusted VeriSign? I'd love to read that guarantee.

CW

Tim Callan: how refreshing that you took responsibility for the issue. That, in my mind, is the hallmark of a mature individual and we need more like him in this society where people are quick to point the finger at others and cover themselves at all costs. It's also wise to realize that security researchers are not the enemy and reaching out to them will help make your offering better. There may be some pain along the way, but the pain is sure to be less than criminal use of the information.

wayne dawson

Hi Tim. I'm wondering why there's been no revoking of all non-sha1 (or better all non-sha-2) signed CAs? Many sites (like my bank) I've looked at have a chain that leads to the VeriSign Class 3 Public Primary CA, which has been signed with MD2 (PKCS #1 MD2 With RSA Encryption) -- of all things. MD2 was demonstrated to have collisions well before MD5 was. I realize the demonstrated attack was MD5 specific, but I'm pretty sure that VeriSign would want to be proactive here. This is a matter of Trust, and the irony of not being able to trust a CA should be apparent.

Allen Kelly

If you go back and read my posts on this subject you'll see my explanation on why the security researchers could have put their trust in VeriSign.