VeriSign SSL certs open to tampering, competitor warns

VeriSign and one of its partners have come under fire for publicly exposing webpages used to process customer security certificates, a practice a competitor claims puts some of the biggest names on the web at risk of serious targeted attacks. According to Melih Abdulhayoglu, CEO of internet security firm Comodo, publicly …


This topic is closed for new posts.
  1. Anonymous Coward

    relying party agreement

    You cannot use wildcard characters. By clicking SEARCH, you accept the terms of our Relying Party Agreement.

    Clicking on the above generates a 404 error. So there's no agreement to agree to...???

  2. Anonymous Coward

    Let me get this straight...

    So they're saying that the information disclosed is sensitive, but most of it is included in the final certificate anyway and is thus publicly accessible through the secured web site anyway.

    They're also saying that if you've put your password (sorry, 'challenge response') online somewhere, then people can pretend to be you to make changes.

    Let me guess, next they'll tell us that the pope shits in the woods, or that bears are catholic?

  3. Ken Hagan

    You're being too paranoid

    "But it seems a fair point that they needlessly expose information that would better be kept private."

    Like what? You can bet that the number of people who know these email addresses within the various organisations is already fairly large, and that there are other ways of finding the information. Verisign's attitude merely emphasises that this is not security-critical information. In fact, it's rather reassuring to see that they don't believe in security by obscurity.

  4. Dave Murray

    A felony?

    Did you leave your brain at home today Dan? Buy your own Verisign cert then test this potential vulnerability on it.

  5. This post has been deleted by a moderator

    1. Anonymous Coward

      It's not that simple

      On these particular pages, submitting a CSR probably won't do you much good anyway. This is Verisign's "Managed PKI": requests submitted in this manner need to be approved by the organisation's certificate administrator, and even that worthy fellow is required to have a Verisign-supplied SSL client certificate in his browser to get access to the approvals web form. If said individual is snowed under and/or doesn't keep a good track of requests, you might get somewhere. Personally, I doubt it.

      I'm not sure what'd happen if you tried to revoke an existing certificate, however. Have not done that yet.
