VeriSign SSL certs open to tampering, competitor warns

Bank of America attacks made easy

Using blade systems to cut costs and sharpen efficiencies

VeriSign and one of its partners have come under fire for publicly exposing webpages used to process customer security certificates, a practice a competitor claims puts some of the biggest names on the web at risk of serious targeted attacks.

According to Melih Abdulhayoglu, CEO of internet security firm Comodo, publicly accessible pages such as those here and here needlessly disclose sensitive internal information about VeriSign customers Bank of America and the Commonwealth of Massachusetts respectively. By exposing the email address of the organizations' security certificate managers and providing a comprehensive list of web addresses that use secure sockets layer protection, VeriSign puts them at risk of targeted phishing attacks, he said.

What's more, Abdulhayoglu pointed to the availability of this page provided by VeriSign partner Getronics.nl of the Netherlands. It allows anyone in the world to search its database and pull up a wealth of information about the digital certificates of not only Bank of America but plenty of other companies, including VeriSign itself. The interface also points to dynamically generated pages like the one captured below, which provide buttons for revoking, renewing, and replacing the digital certificate.

Screen capture of PinkRoccade.com management page

A management page for Bank of America, courtesy of PinkRoccade.com

When The Register looked at the pages from Getronics.nl on Wednesday evening, they continued to prompt users who wanted to revoke a certificate for a challenge phrase. By Thursday morning, users got an error message. The cause of the errors was not known.

Abdulhayoglu said members of his team alerted VeriSign to the easily accessible pages privately, and the latter company insisted they posed no risk to its customers. Comodo then went public with what it called a “serious security vulnerability.” VeriSign responded with its own posting laying out why managers there strongly believe Comodo's advisory is unfounded.

In the balance is the control of the digital certificates that banks, e-commerce sites and other online businesses use to encrypt credit card numbers in transit and prove to customers their servers are genuine. While by no means perfect, the SSL, or secure sockets layer, protocol is one of the most important and widely used systems for protecting end users conducting sensitive transactions online. The ability of outsiders to tamper with them could be devastating.

“There are no winners in this,” Abdulhayoglu told The Register in explaining why he blew the whistle. “Comodo loses, VeriSign loses, their customers lose. We gave them ample time, but if they kept denying it was a vulnerability we had no choice but to go public.”

Tim Callan, VeriSign's vice president of product marketing, has responded that Comodo's warning is based on a fundamental misunderstanding of the publicly exposed pages. He said they aren't administrative panels that give end users the ability to make sensitive changes to certificates. Rather they are “request pages” that employees inside an organization use to ask an authorized certificate administrator to make changes.

“I understand where an outsider might look at this and think that they're looking at something where they can really do powerful things to certificates, but at the end of the day, those powerful things are done by somebody else,” he said. “That control is only accessible by somebody who has a special what we call administrator certificate that is actually on the computer from which they're accessing it.”

It was unclear if Callan's explanation referred to pages on both domains, or only to those on verisign.com. In a later email, he described a page on pinkroccade.com as a "certificate management page." Attempts to get a clarification weren't successful.

The Register was unable to test whether the pages give unauthorized parties the ability to make changes, because it would almost certainly be a felony to do so. But Abdulhayoglu said he is confident they do, at least in certain cases. He acknowledged that the pages require people revoking pages to enter a “challenge response,” but he said those credentials are often contained in what are called CSRs or certificate signing requests that in many cases can easily be found online.

Marsh Ray, a software developer at two-factor authentication service PhoneFactor, was also unwilling to test whether Comodo's report is correct, but he said the advisory sounded plausible.

“This appears to be all that you need to revoke the cert, given that you already get to the customer's management page on the website,” he said.

Callan said CSRs have long included fields designated “Challenge” but that they are disregarded by VeriSign, and customers can leave them blank or input them with any text of their choosing. VeriSign has never instructed customers to put their revocation challenge phrase in their CSRs, the VeriSign VP added, although he wasn't aware of any guidance explicitly telling customers that the passwords should never be included there.

In the event a customer has included the password in one of their CSRs, VeriSign will replace the certificate for free, he added.

In the end, The Register was unable to verify Comodo's claims that the publicly accessible pages allow unauthorized parties to make changes to VeriSign customers' authentication certificates. But it seems a fair point that they needlessly expose information that would better be kept private.

VeriSign would probably argue that they serve a crucial function by streamlining the process of requesting and allocating large numbers of the electronic documents inside big organizations. But sometimes security should trump convenience, and this very well may be the case here. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.