Comodo announced today that it requested an independent third-party to notify VeriSign of a security vulnerability affecting its customers’ web sites, including a major financial institution. VeriSign received notification by the independent third-party last Tuesday.
While Comodo is not in a position to fully evaluate the scope of the vulnerability, Comodo believes it is a significant security concern for VeriSign’s customers (and users of their customer’s web sites) that rely on secure SSL Digital Certificates to transmit business and personal data.
Using publicly available information, Comodo found that a VeriSign customer account of a major financial institution can be easily accessed without authentication. Comodo believes that the vulnerability is not limited to this single account.
Communicating through the independent third party, Comodo urged VeriSign to take immediate steps to correct and remediate the vulnerability and notify all their customers who may be affected by this vulnerability.
“When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem,” explained Melih Abdulhayoglu, chief executive officer and founder of Comodo. “With millions of customer's financial transactions at stake, we wasted no time to help correct the problem even though it wasn't ours to begin with.”
VeriSign responded, "We thank you for bringing this to our attention, but the information you have accessed is public information that can be found in a multitude of ways. The pages you have accessed are merely public portals for our customers authenticated work to be performed."
Comodo CEO Melih Abdulhayoglu demonstrated the vulnerability to me in confidence. By not notifying its customers, VeriSign seems to be selling people security while not totally secure itself. It would seem as if their customers should be notified to decide on a case by case basis if they are ok with the issue or if they want it fixed.
The independent third party who notified VeriSign on behalf of Comodo does not wish for his identity to be revealed at this time. Comodo followed the Vulnerability Disclosure Guidelines of the Common Computing Security Standards Forum (CCSS) by using an independent third-party as a medium for disclosure. It provided a disclosure document to VeriSign outlining the vulnerability.
But let's also point out that today, press releases by Comodo went out to the media and were posted on the Web ... a mere one week after notifying Verisign of the hole. To its credit, it didn't completely "pull a Google" and publish the hack on the Web. But how long will it take before the black hats figure it out anyway?
It should be noted that Comodo is Verisign's competitor and also sells security, antivirus, firewall, and SSL digital certificates.
On May 19th, Symantec Corp. purchased VeriSign authentication-services unit for $1.28 billion in cash. VeriSign's revenue from authentication-related services was of $410 million for 2009 fiscal year. 85% of it was generated from their SSL business alone. 900 of VeriSign's employees joined Symantec's Enterprise Security Group.