Feeds

VeriSign SSL certs open to tampering, competitor warns

Bank of America attacks made easy

Choosing a cloud hosting partner with confidence

VeriSign and one of its partners have come under fire for publicly exposing webpages used to process customer security certificates, a practice a competitor claims puts some of the biggest names on the web at risk of serious targeted attacks.

According to Melih Abdulhayoglu, CEO of internet security firm Comodo, publicly accessible pages such as those here and here needlessly disclose sensitive internal information about VeriSign customers Bank of America and the Commonwealth of Massachusetts respectively. By exposing the email address of the organizations' security certificate managers and providing a comprehensive list of web addresses that use secure sockets layer protection, VeriSign puts them at risk of targeted phishing attacks, he said.

What's more, Abdulhayoglu pointed to the availability of this page provided by VeriSign partner Getronics.nl of the Netherlands. It allows anyone in the world to search its database and pull up a wealth of information about the digital certificates of not only Bank of America but plenty of other companies, including VeriSign itself. The interface also points to dynamically generated pages like the one captured below, which provide buttons for revoking, renewing, and replacing the digital certificate.

Screen capture of PinkRoccade.com management page

A management page for Bank of America, courtesy of PinkRoccade.com

When The Register looked at the pages from Getronics.nl on Wednesday evening, they continued to prompt users who wanted to revoke a certificate for a challenge phrase. By Thursday morning, users got an error message. The cause of the errors was not known.

Abdulhayoglu said members of his team alerted VeriSign to the easily accessible pages privately, and the latter company insisted they posed no risk to its customers. Comodo then went public with what it called a “serious security vulnerability.” VeriSign responded with its own posting laying out why managers there strongly believe Comodo's advisory is unfounded.

In the balance is the control of the digital certificates that banks, e-commerce sites and other online businesses use to encrypt credit card numbers in transit and prove to customers their servers are genuine. While by no means perfect, the SSL, or secure sockets layer, protocol is one of the most important and widely used systems for protecting end users conducting sensitive transactions online. The ability of outsiders to tamper with them could be devastating.

“There are no winners in this,” Abdulhayoglu told The Register in explaining why he blew the whistle. “Comodo loses, VeriSign loses, their customers lose. We gave them ample time, but if they kept denying it was a vulnerability we had no choice but to go public.”

Tim Callan, VeriSign's vice president of product marketing, has responded that Comodo's warning is based on a fundamental misunderstanding of the publicly exposed pages. He said they aren't administrative panels that give end users the ability to make sensitive changes to certificates. Rather they are “request pages” that employees inside an organization use to ask an authorized certificate administrator to make changes.

“I understand where an outsider might look at this and think that they're looking at something where they can really do powerful things to certificates, but at the end of the day, those powerful things are done by somebody else,” he said. “That control is only accessible by somebody who has a special what we call administrator certificate that is actually on the computer from which they're accessing it.”

It was unclear if Callan's explanation referred to pages on both domains, or only to those on verisign.com. In a later email, he described a page on pinkroccade.com as a "certificate management page." Attempts to get a clarification weren't successful.

The Register was unable to test whether the pages give unauthorized parties the ability to make changes, because it would almost certainly be a felony to do so. But Abdulhayoglu said he is confident they do, at least in certain cases. He acknowledged that the pages require people revoking pages to enter a “challenge response,” but he said those credentials are often contained in what are called CSRs or certificate signing requests that in many cases can easily be found online.

Marsh Ray, a software developer at two-factor authentication service PhoneFactor, was also unwilling to test whether Comodo's report is correct, but he said the advisory sounded plausible.

“This appears to be all that you need to revoke the cert, given that you already get to the customer's management page on the website,” he said.

Callan said CSRs have long included fields designated “Challenge” but that they are disregarded by VeriSign, and customers can leave them blank or input them with any text of their choosing. VeriSign has never instructed customers to put their revocation challenge phrase in their CSRs, the VeriSign VP added, although he wasn't aware of any guidance explicitly telling customers that the passwords should never be included there.

In the event a customer has included the password in one of their CSRs, VeriSign will replace the certificate for free, he added.

In the end, The Register was unable to verify Comodo's claims that the publicly accessible pages allow unauthorized parties to make changes to VeriSign customers' authentication certificates. But it seems a fair point that they needlessly expose information that would better be kept private.

VeriSign would probably argue that they serve a crucial function by streamlining the process of requesting and allocating large numbers of the electronic documents inside big organizations. But sometimes security should trump convenience, and this very well may be the case here. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.