Verisign vs. Comodo

Posted by in Analysis on Jun 25, 2010

So, Comodo (not the dragon, but still a cool name anyway) recently dusted it up over the certificate signing request page at Verisign and whether or not it should be public.

Comodo started by kicking the dirt at Verisign:

When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem… With millions of customer’s financial transactions at stake, we wasted no time to help correct the problem even though it wasn’t ours to begin with.

And then Verisign responded that it’s a non-issue:

“I understand where an outsider might look at this and think that they’re looking at something where they can really do powerful things to certificates, but at the end of the day, those powerful things are done by somebody else,” he said. “That control is only accessible by somebody who has a special what we call administrator certificate that is actually on the computer from which they’re accessing it.”

Yawn.  Oh sorry, I dozed off a little bit at the end there.  Anyway, in my opinion, they’re both wrong.

It’s not a big deal security-wise, and Verisign is right about that.  I’ve used their infrastructure enough to know that you have to have the admin cert to actually do anything with that page (like generate a CSR).  So nobody’s going to be issuing any certs off of that page.  So Comodo’s claim that it was an ethical imperative to disclose it? I’m not sure I agree.

That being said, neither is it a good practice on Verisign’s part to disclose who their customers are to the world at large. Disclosing *any* information (even that a particular firm is a customer) without their permission seems like a bad practice in my opinion.  Shouldn’t someone have to opt in to that?  According to Verisign’s privacy statement:

You should be assured that we do not provide or sell personal information about our customers or site visitors to vendors that are not involved in the provision of VeriSign’s public certification and other services.

Well, for this purpose they apparently do.

So net-net, not a security issue but not good form by the big V either.  So now the whole industry is going to get spun up and chase its tail about this thing.  Verisign has some egg on their face… maybe.  Comodo gets seen as petty for reporting it publicly… maybe.  And we all collectively… lose.  In future, maybe some better communication between the coopetition can save everyone the hassle and save themselves the marketing fallout this is sure to have.

  • Joseph A’Deo

    Thanks for giving this issue a fair look. I work for VeriSign’s EV SSL and trust seal departments and I’m seeing mostly confusion out there about whether or not this is a hazard. Your ending notes aren’t necessarily glowing towards VeriSign, but the honest, informed opinion is appreciated.

    In any case, you’ve probably already seen it but there’s a much more coherent official review of Comodo’s allegations here:

    https://blogs.verisign.com/ssl-blog/2010/06/incorrect_reports_of_verisign.php

  • http://www.securitycurve.com Ed

    Joseph,

    Thanks for the update. I hadn’t seen this but I appreciate both the feedback and the link.

    -E
