There are only a few major SSL certificate providers in the world, and two of them are VeriSign and Comodo. VeriSign certificates are considerably more expensive and are aimed primarily at the top market segment: banks, large portals, government agencies.
Comodo is simpler, operates through a wide network of resellers and, during the price wars, reduced the cost of its certificates (albeit sold under a different brand) to $7 per year.
In short, these two companies are the Coca-Cola and Pepsi-Cola of the SSL market.
And now Comodo has issued a bulletin reporting a major vulnerability it found while studying VeriSign's SSL certificate issuance process.
The essence of the vulnerability is not disclosed. It is stated that Comodo recently informed VeriSign of the flaw, that a second document was sent on June 23, and that Comodo received a response from VeriSign describing the measures taken, but those measures are disappointing.
At a minimum, Comodo expects VeriSign to inform all of its customers about the vulnerability so that they can assess the risks and take the necessary actions.
What VeriSign has done so far (visible manifestations):
- the "withdraw certificate" button is no longer available on the public site (since June 24);
- Google no longer gives access to the information through domain names (since yesterday);
- information about administrators, such as e-mail addresses, is no longer available on the public site (since yesterday).
Several other actions remain outstanding, such as access to the publicly accessible lists of qualified domain names.
The nature of the vulnerability is not very clear from this message. Most likely, the competitor found a way to illegally revoke an SSL certificate, and possibly to replace it with a new one.