Inside Scoop

Comodo Notified VeriSign of Major Security Vulnerability and Urges VeriSign to Correct, Remediate and Notify its Customers

Comodo recently requested that an independent third party notify VeriSign of a security vulnerability affecting its customers' Web sites, including that of a major financial institution. While Comodo was not in a position to fully evaluate the scope of the vulnerability, Comodo believed it to be a significant security concern for VeriSign's customers (and for users of those customers' Web sites) that rely on SSL Digital Certificates to transmit business and personal data securely.

Comodo urged VeriSign to take immediate steps to correct and remediate the vulnerability and to notify all of its customers who may be affected by it. Comodo followed the Vulnerability Disclosure Guidelines of the Common Computing Security Standards Forum (CCSS) by using an independent third party as the medium for disclosure. It provided VeriSign with a disclosure document outlining the vulnerability.

VeriSign Underestimated the Problem, Reluctantly Acknowledged Making Some Fixes

Comodo acknowledged that VeriSign has recently made some fixes to the security issues that Comodo identified.

"We are pleased to see that some of the security flaws have now been addressed by VeriSign, along with an acknowledgement letter we received today from VeriSign recognizing the problem," said Comodo CEO Melih Abdulhayoglu. "However, in our initial request we asked that VeriSign take immediate steps to correct and remediate the vulnerability and notify all their customers who may be affected by this security vulnerability and I truly hope that those steps have been taken."

Some Fixes Which Have Taken Place

  • The revoke option button for SSL Certificate functionality is no longer available through the public site, effective June 24th.
  • Google is no longer making information accessible through domain names, effective yesterday.
  • Administrator details such as emails are no longer visible on the public site, effective yesterday.

However, there are still issues that need to be addressed, such as publicly accessible lists of fully qualified domain names.