Hacker News new | past | comments | ask | show | jobs | submit login
Verisign/RapidSSL Responds To Certificate Vulnerability (verisign.com)
27 points by tptacek on Dec 30, 2008 | hide | past | favorite | 8 comments



"We applaud security research of this sort and are glad that white hats like the "MD5 Collision Inc." group make a point of investigating online security. This group went to great lengths to keep its findings private, and unfortunately that included ensuring that VeriSign did not receive any of this information ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning. So I'll caution you that these responses are preliminary, and if it turns out that any of the information we've received is inaccurate, my responses may change."

I really like this, especially the last sentence. That's refreshingly direct communication.


"Q: How many certificates are affected?

A: Zero. No end entity certificates are affected by this attack. The attack, when it worked, was a potential method for a criminal to create a new, false certificate from scratch. Existing certificates are not targets for this attack."

This answer seems a little bit, well, disingenuous. Does he not understand the attack or does he not understand SSL?


I believe the answer for that question was actually pulled from the MD5 paper itself. See here:

http://www.win.tue.nl/hashclash/rogue-ca/

Scroll to the bottom in the question/answer section. It's interesting they only used 200 PS3 game consoles to do their computations with.


In the paper itself, they reach the opposite conclusion:

"Question. Suppose that a criminal creates by our method his own rogue Certification Authority that is trusted by all browsers. Are then only websites with certificates from the CA whose signature he used vulnerable to impersonation attacks? Are only websites with certificates based on MD5 vulnerable to impersonation attacks?

Answer. No. When a criminal uses redirection attacks in combination with a rogue but trusted CA certificate, all websites are equally vulnerable."


(Thanks to gojomo for finding this).

Gotta admit, a solid response.


Yes, they're taking a page out of Microsoft's playbook by using a blog post to respond in more detail to a security vulnerability. When executed well, it mollifies critics much better than the press release style of communication due to its appearance of informality.

That being said, I would have liked for them to say that they've reviewed their logs and saw no other issuance activity that followed the same pattern as the researchers, and that they will improve their operational monitoring and serial number sequencing to help protect against future potential attacks.


They basically sucked all the drama right out of it, which seems like exactly the right play.


Gotta admit that's pretty much what "a product marketing executive for VeriSign's SSL business unit" should say in a damage control mode.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: