Within the past week or so we have seen a pair of malicious worms used that employ what appear to be stolen VeriSign Code Signing certificates. We became aware of both these attacks when they were reported in the press, and both of the certificates involved are revoked. Each certificate holder was fully cooperative and understanding about the need to revoke the certificates in question. We're looking at potential methods of predicting certificates that may be compromised and therefore used in subsequent attacks and then encouraging preemptive replacement by the holders of those certificates. Microsoft has issued an advisory on the Windows flaw and states it's working on a fix.

Here's a summary of the first discovered attack. Here's a summary...

VeriSign recently got back the results of some extremely interesting research. We commissioned a third party to compare the Netcraft SSL list to the Alexa 1 Million, which is Alexa's list of the one million most visited domains in the world. This research compared the number of domains using various brands of SSL and determined that GeoTrust is chosen by more of the world's million largest domains than any other SSL brand.

I recently wrote about the quick and dirty look that security blogger Nasko did at certificate market share while attempting to account for site popularity. It was a great...

One of the features we offer with VeriSign SSL Certificates is what we call Seal-in-Search. Simply explained, VeriSign has forged relationships with outside parties that in some way interact with consumers as they're finding the sites to visit or do business with. Each of these parties displays a version of the VeriSign seal in its interface next to its listings for the sites that are secured with VeriSign SSL Certificates and/or the VeriSign Trust Seal.

Today we have high profile relationships in two categories. The first is comparison shopping sites. VeriSign seals display alongside their sites in TheFind and PriceGrabber. TheFind even...

Today we saw some news stories about supposed vulnerabilities in VeriSign's enterprise SSL Certificate requesting process. These stories are based on a press release and outside press briefings from Comodo claiming to have found a "major security vulnerability" in VeriSign's SSL offering. These stories are incorrect. I have written this FAQ to clear up the misinformation that's floating around right now.

Q. Are there actually major security vulnerabilities in VeriSign SSL products that were revealed to the public by Comodo today?
A. No.

Q. What are the claimed vulnerabilities that Comodo announced?
A. Many large enterprises use a workflow whereby individuals within the organization can request SSL Certificates for the projects they're working on. Requests from these pages go to administrators, who then evaluate whether or not to issue the certificates. Comodo was able to...