You may have read in the last couple of weeks that the top brass of SSL Certificate issuer Comodo say they’ve uncovered a serious security vulnerability in the SSL Certificate process of VeriSign SSL services. That’s a pretty big claim. VeriSign is the most recognized name in the SSL business and they own nearly all of the companies that used to be their competitors. All except Comodo. Comodo has been soldiering on to compete with the far larger VeriSign by offering their products dirt-cheap. So, is this a case of sour grapes by an also-ran competitor, or has the SSL giant slipped up in their security?

At we’re a Gold Partner of VeriSign, so you should know going in that we need to know what’s really going on, just like you do. If there’s a problem, we want to know what the solution is...right now. We’ve got customers on the line and their business is OUR business. We are in no way inclined to toe any party line. If there’s a problem here, we’d rather tell you about it as soon as we can and apply pressure to VeriSign to resolve it. We think a general level of skepticism is healthy when dealing with large corporations, so we decided to take a closer look. Here’s what we found.

What did Comodo find?

Using publicly available information, Comodo found that a VeriSign customer account of a major financial institution can be easily accessed without authentication. Comodo believes that the vulnerability is not limited to this single account.

Communicating through an independent third party, Comodo urged VeriSign to take immediate steps to correct and remediate the vulnerability and notify all their customers who may be affected by this vulnerability.

According to Melih Abdulhayoglu, chief executive officer and founder of Comodo, “When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem. With millions of customers’ financial transactions at stake, we wasted no time to help correct the problem even though it wasn’t ours to begin with.”

VeriSign’s response: “We thank you for bringing this to our attention, but the information you have accessed is public information that can be found in a multitude of ways. The pages you have accessed are merely public portals for our customers’ authenticated work to be performed.”

Some sources claim that the CEO personally demonstrated the vulnerability with other examples.

Is it really a threat?

Many large enterprises use a workflow whereby individuals within the organization can request SSL Certificates for the projects they’re working on. Requests from these pages go to administrators, who then evaluate whether or not to issue the certificates. Comodo was able to locate and gain access to a certificate request page from a large financial institution.

These pages are publicly accessible, because that’s the way they were designed to be. It was not a vulnerability that was missed. Access to these pages does not constitute a security flaw. There is no private information available from these pages, and certificate requests go through evaluation by the enterprise’s designated certificate administrators before any certificate is issued.

Comodo’s claim that it detected a “major security vulnerability” that affects “its customers’ Web sites, including a major financial institution” isn’t accurate and is quite a bit of hyperbole for very little substance.

How does this affect VeriSign’s customers?

Actually…it doesn’t affect them at all.

In response to questions regarding this issue, Tim Callan of VeriSign had this to say: “VeriSign does not believe Comodo discovered or announced any serious vulnerability for our customers or users of our customers’ web sites. Sensitive information and actions that carry meaningful consequences to the enterprise are all protected by a separate administrator control center which is not accessible without a special administrative certificate and not the subscriber web page Comodo found. We deliberately designed our workflow to meet the needs of all members of the enterprise without compromising security, and in this instance that design is doing its job.”
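To make the design point in the workflow description above and in the VeriSign statement concrete, here is an added illustrative model (our own constructed example, not VeriSign’s or Comodo’s code). The public subscriber page can only queue a certificate request and reveal its status; nothing is issued until an administrator authenticates to a separate control center with a designated client certificate. The class name EnterpriseCertPortal, the PEM strings, the fingerprint scheme and the host name payments.example.com are all invented for the example.

```python
"""Constructed model of a two-tier enterprise certificate workflow:
a public request page that can only queue requests, and an
administrator control center gated by a designated client certificate.
Not VeriSign's or Comodo's code; all names and PEM data are invented."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def cert_fingerprint(cert_pem: str) -> str:
    """SHA-256 over the PEM text stands in for a real X.509 fingerprint."""
    return hashlib.sha256(cert_pem.encode()).hexdigest()


@dataclass
class CertRequest:
    request_id: str
    common_name: str
    csr_pem: str
    status: str = "pending"  # pending -> issued | rejected


@dataclass
class EnterpriseCertPortal:
    admin_fingerprints: Set[str]                     # designated admin certs
    _queue: Dict[str, CertRequest] = field(default_factory=dict, repr=False)
    _issued: List[str] = field(default_factory=list, repr=False)
    audit_log: List[str] = field(default_factory=list)

    # ---- public subscriber page: unauthenticated, no privileged action ----
    def submit_request(self, common_name: str, csr_pem: str) -> str:
        """Validate shape only and queue the request; nothing is issued here."""
        if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", common_name):
            raise ValueError("malformed common name")
        if not csr_pem.startswith("-----BEGIN CERTIFICATE REQUEST-----"):
            raise ValueError("not a PEM certificate request")
        request_id = hashlib.sha256(csr_pem.encode()).hexdigest()[:12]
        self._queue[request_id] = CertRequest(request_id, common_name, csr_pem)
        self.audit_log.append(f"submit id={request_id} cn={common_name}")
        return request_id

    def public_status(self, request_id: str) -> str:
        """The only thing the public page discloses about a request."""
        req = self._queue.get(request_id)
        return req.status if req else "unknown"

    # ---- administrator control center: client-certificate gated ----
    def _require_admin(self, client_cert_pem: Optional[str], action: str) -> None:
        fp = cert_fingerprint(client_cert_pem) if client_cert_pem else None
        if fp not in self.admin_fingerprints:
            self.audit_log.append(f"DENIED {action} fp={fp}")
            raise PermissionError("administrative certificate required")

    def approve(self, client_cert_pem: Optional[str], request_id: str) -> str:
        """Issue the certificate; only a designated administrator may call this."""
        self._require_admin(client_cert_pem, f"approve id={request_id}")
        req = self._queue[request_id]
        if req.status != "pending":
            raise ValueError(f"request {request_id} already {req.status}")
        req.status = "issued"
        self._issued.append(req.common_name)
        self.audit_log.append(f"issued id={request_id} cn={req.common_name}")
        return req.common_name

    def reject(self, client_cert_pem: Optional[str], request_id: str) -> None:
        self._require_admin(client_cert_pem, f"reject id={request_id}")
        self._queue[request_id].status = "rejected"
        self.audit_log.append(f"rejected id={request_id}")

    def issued_names(self) -> List[str]:
        return list(self._issued)


# Constructed sample data (not real certificates).
ADMIN_CERT_PEM = "-----BEGIN CERTIFICATE-----\nconstructed-admin-cert\n-----END CERTIFICATE-----"
SAMPLE_CSR_PEM = "-----BEGIN CERTIFICATE REQUEST-----\nconstructed-csr\n-----END CERTIFICATE REQUEST-----"


def demo():
    """Submit via the public page, then show an unauthenticated approval fails."""
    portal = EnterpriseCertPortal({cert_fingerprint(ADMIN_CERT_PEM)})
    rid = portal.submit_request("payments.example.com", SAMPLE_CSR_PEM)
    try:
        portal.approve(None, rid)          # anonymous caller: refused
    except PermissionError:
        pass
    return portal, rid


if __name__ == "__main__":
    portal, rid = demo()
    print(portal.public_status(rid), portal.issued_names())   # pending []
    portal.approve(ADMIN_CERT_PEM, rid)
    print(portal.public_status(rid), portal.issued_names())
```

The point of the model is the asymmetry: the public endpoint's worst case is a queued, unissued request that an administrator will see and can reject, and every denied approval attempt lands in the audit log, which is where a defender would watch for someone probing the control center.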

Comodo would appear to have taken the high road (at least initially) in following the Vulnerability Disclosure Guidelines of the Common Computing Security Standards Forum (CCSS) by using an independent third party as a go-between to let VeriSign know about the potential vulnerability. However, just a week later, they broke with that same standard by distributing a press release about the vulnerability; although they didn’t release the hack publicly, they would seem to be enjoying the notoriety and publicity that has come with it.

A host of security experts from all over the security community have weighed in on this, and the general conclusion is that Comodo jumped the gun to try to get some publicity out of something that is really a non-event. Internet security types are generally no-nonsense folks who bristle at the splashy headlines that worry their CEOs. The negative feelings generated by this kind of thing, in the very people they need to win over, will not benefit Comodo in the long term.
