
Verisign intrusion

by Tracy R Reed — last modified Feb 02, 2012 02:24 PM

What does it mean for CAs and our business?

Verisign has had some sort of intrusion, apparently: Key Internet operator VeriSign hit by hackers

Note that the Verisign CA business was sold to Symantec a couple of years ago (about when the attack happened) but it still operates under the Verisign brand. So who knows if the compromise is related to the CA in any way. You can bet Symantec is upset with Verisign over this because now their purchase of Verisign's CA business may have just lost value due to the branding. What if it was the CA network that was compromised and then sold to Symantec? That would really lead to some legal fireworks!

So far DigiNotar and Comodo are on the list of compromised certificate authorities, and both were used to issue bogus certificates; Realtek and JMicron were not CAs, but their code-signing certificates were stolen and used to sign malware. Hundreds of fraudulent but validly CA-signed certificates, happily accepted by browsers, have been found in the wild impersonating websites and intercepting traffic, and nobody knows how many more exist. A bogus Google certificate issued by DigiNotar was used in Iran to intercept Gmail and Google chat traffic, which has likely led to deaths, given the nature of that regime and its attitude towards dissenters:

The web browser you are using trusts hundreds of different certificate authorities (any one of which could generate a certificate to impersonate any website it wants, or be compromised and used to do so), including CNNIC from China. I don't trust CNNIC any further than I could throw Mao Tse Tung's corpulent carcass.

Verisign is a big company which provides many services and no doubt extensively subnets and segments its networks, as required by PCI DSS among many other security standards. One would hope, for example, that the corporate office network (a very common way into an organization) is in no way connected to the DNS or CA infrastructure (now with Symantec, though there could still be links), so that an intrusion in one of these areas would not affect the rest. I find these two paragraphs the most disturbing:

  The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange
  Commission filing in October that followed new guidelines on reporting
  security breaches to investors. It was the most striking disclosure to emerge
  in a review by Reuters of more than 2,000 documents mentioning breach risks
  since the SEC guidance was published.

  Ken Silva, who was VeriSign's chief technology officer for three years until
  November 2010, said he had not learned of the intrusion until contacted by
  Reuters. Given the time elapsed since the attack and the vague language in
  the SEC filing, he said VeriSign "probably can't draw an accurate assessment"
  of the damage.

The attacks were revealed only to the degree legally required by the SEC, buried in a quarterly 10-Q filing in the hope that everyone would overlook them. The CTO wasn't informed (or isn't admitting to having been informed), and the whole thing was swept under the rug for two years. That's way sleazy.

What does it mean for us? Probably not much, at least at first. If people understood how the CA system worked, Verisign's brand would be affected: people would put less trust in its certificates and be less likely to enter their credit card numbers. While encryption is the part of the system most people focus on, we don't pay a CA to encrypt our traffic; we can do that without them. We pay them to certify that our server is who it says it is. If the media were to run with the idea that the CA system is broken and untrustworthy (which it is) and that man-in-the-middle attacks are rampant (they happen, but are relatively uncommon), it could really hurt the e-commerce industry in general, which would be bad for us.

Trustwave MITM cert

Posted by Tracy R Reed at Feb 10, 2012 10:43 AM
This looks like a pretty big oops:


CAs have issued certs for bogus entities before but never, as far as I know, have they issued a subordinate root cert. But Trustwave claims this is a common practice? I sure hope not as that would completely subvert the whole CA system! Can I just call them up and tell them I want a subordinate root cert for Copilotco so my IDS can decrypt my customers' traffic?
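The following is an added example in Go, not code from the post, the comments, or any of the CAs mentioned. It makes concrete both the point in the post body (any one of the hundreds of roots a browser trusts can vouch for any host name, because a CA certifies identity, not encryption) and the question raised in this comment (what a subordinate CA certificate with no restrictions lets its holder do). It builds a throwaway root, an unconstrained subordinate CA that mints a certificate for www.example.com, and, going one step beyond the comment, a subordinate CA carrying the X.509 name-constraints extension, which is the mechanism that would limit a customer sub-CA to its own names. Every key, CA name and the customer domain copilotco.example are constructed here for the demonstration; no real certificate material is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // toy serial counter; a real CA uses large random serials

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate returns a CA or end-entity template; end-entity templates carry
// the name as a DNS SAN, which is what a verifier actually matches against.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with the parent's private key; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Accepted reports whether a browser-style verifier that trusts roots would
// accept leaf for host, given the intermediate the server presents with it.
func Accepted(leaf, intermediate *x509.Certificate, roots *x509.CertPool, host string) bool {
	inter := x509.NewCertPool()
	inter.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err == nil
}

// RunScenario builds one trusted root (standing in for any of the hundreds a
// browser ships), hands two subordinate CA certificates to a customer, and
// reports what each can get a verifier to accept. All material is constructed here.
func RunScenario() map[string]bool {
	rootKey := newKey()
	root := issue(newTemplate("Constructed Root CA", true), nil, rootKey.Public(), rootKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	// Unconstrained subordinate: it can vouch for any host name on the Internet.
	subKey := newKey()
	sub := issue(newTemplate("Customer Sub-CA (unconstrained)", true), root, subKey.Public(), rootKey)
	fake := issue(newTemplate("www.example.com", false), sub, newKey().Public(), subKey)
	// Name-constrained subordinate: limited to the customer's own (hypothetical) domain.
	cSubKey := newKey()
	cTmpl := newTemplate("Customer Sub-CA (constrained)", true)
	cTmpl.PermittedDNSDomainsCritical = true
	cTmpl.PermittedDNSDomains = []string{"copilotco.example"}
	cSub := issue(cTmpl, root, cSubKey.Public(), rootKey)
	inScope := issue(newTemplate("ids.copilotco.example", false), cSub, newKey().Public(), cSubKey)
	outOfScope := issue(newTemplate("www.example.com", false), cSub, newKey().Public(), cSubKey)
	return map[string]bool{
		"unconstrained_impersonates": Accepted(fake, sub, trusted, "www.example.com"),
		"untrusted_root":             Accepted(fake, sub, x509.NewCertPool(), "www.example.com"),
		"constrained_in_scope":       Accepted(inScope, cSub, trusted, "ids.copilotco.example"),
		"constrained_out_of_scope":   Accepted(outOfScope, cSub, trusted, "www.example.com"),
	}
}

func main() {
	fmt.Println(RunScenario())
}
```

Run it with `go run`: the www.example.com certificate minted by the unconstrained sub-CA verifies as long as the issuing root sits in the trust store, and fails the moment that root is removed, which is the whole point that trust is placed in the CA and not in any property of the site. The constrained sub-CA can still issue for its own domain but is rejected for www.example.com, so a CA handing out subordinate certificates to customers without that extension is handing out the ability to impersonate anyone.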

Trustwave MITM cert

Posted by Tracy R Reed at Feb 12, 2012 11:50 PM
This paper[…]/C5_APT_C2InTheFifthDomain.pdf about various APTs and their involvement in the SK Communications hack (with a connection with the RSA breach) shows a stolen certificate from YNK Japan Inc. used to sign malware. The more we look the more we find evidence of the brokenness of the CA system.

Mediyes uses Conpavi AG cert

Posted by Tracy R Reed at Mar 22, 2012 06:05 PM
From SANS NewsBites:

 --Trojan Uses Stolen Digital Certificate
(March 19, 2012)
A Trojan horse program known as Mediyes uses a digital certificate that
is signed by a Swiss company called Conpavi AG and issued by VeriSign.
Researchers at VeriSign's parent company Symantec say that the attackers
must have gained access to the private encryption key associated with
the Conpavi certificate. Symantec has revoked the certificate that was
used to sign the malware, which intercepts search engine queries and
redirects them to an advertising network server.[…]wiss-signature-1474758.html[…]/stolen_encryption_key_compromised_symantec_ce
[Editor's Note (Pescatore): The CA/Browser Forum recently met and
decided to "to form a working group on organizational reform. The task
of this group will be to develop and present to the full organization,
by April 16th, proposals for a new charter and bylaws." Drastic
improvement is badly needed - the sorry state of security around the
issuance of SSL and signing certificates continues to drive the value
of those certificates down and down and down.]

Flame MS cert

Posted by Tracy R Reed at Jun 05, 2012 11:08 PM

Gaming company certs stolen

Posted by Tracy R Reed at Apr 11, 2013 06:10 PM