VeriSign SSL certs open to tampering, competitor warns
VeriSign and one of its partners have come under fire for publicly exposing webpages used to process customer security certificates, a practice a competitor claims puts some of the biggest names on the web at risk of serious targeted attacks. According to Melih Abdulhayoglu, CEO of internet security firm Comodo, publicly …
You cannot use wildcard characters. By clicking SEARCH, you accept the terms of our Relying Party Agreement.
Clicking on the above generates a 404 error. So there's no agreement to agree to...???
So they're saying that the information disclosed is sensitive, but most of it is included in the final certificate anyway and is thus public accessible through the secured web site anyway.
They're also saying that if you've put your password (sorry, 'challenge response') online somewhere, then people can pretend to be you to make changes.
Let me guess, next they'll tell us that the pope shits in the woods, or that bears are catholic?
"But it seems a fair point that they needlessly expose information that would better be kept private."
Like what? You can bet that the number of people who know these email addresses within the various organisations is already fairly large, and that there are other ways of finding the information. Verisign's attitude merely emphasises that this is not security-critical information. In fact, it's rather reassuring to see that they don't believe in security by obscurity.
Did you leave your brain at home today Dan? Buy your own Verisign cert then test this potential vulnerability on it.
On these particular pages, submitting a CSR probably won't do you much good anyway. This is Verisign's "Managed PKI": requests submitted in this manner need to be approved by the organisation's certificate administrator, and even that worthy fellow is required to have a Verisign-supplied SSL client certificate in his browser to get access to the approvals web form. If said individual is snowed under and/or doesn't keep a good track of requests, you might get somewhere. Personally, I doubt it.
I'm not sure what'd happen if you tried to revoke an existing certificate, however. Have not done that yet.
Sign up, sign up for The Register's weekly IT security newsletter - click here
