I love it when there’s a scandal in the corporate world. Monumental gaffes are what make working on the web so very entertaining sometimes. In this case, security giant ‘VeriSign’, the supposed ‘Rolls Royce’ of the security world, have come monumentally unstuck.
Now when gaffes occur, it’s usually ok if you deal with them quickly and are seen publicly to take swift action to remedy any issues. We can all excuse an error; we are all only human after all, and in some cases the way a company deals with an issue can actually endear us to them when all is said and done.
In this case however, VeriSign weren’t actually aware of a flaw in their own system until Comodo, the supposed ‘EasyJet’ of the security world, pointed the problem out to them. Even after the fact they seemed rather slow in solving the issue, and instead of making a big noise about it they have chosen to try and quietly let it slip by. Well, I noticed, and I commend Comodo for their actions, which should ultimately make all those involved with online and PC security more vigilant of their own systems in future.
It just goes to show that you don’t have to overcharge for your products to make them better quality than your competitors’. I would urge anyone interested in securing their website or home PC to visit Comodo and see what’s on offer. After all, they’re not just the best value security brand right now, they’re the safest!
Here’s Comodo’s take on what happened:
Comodo recently requested an independent third-party notify VeriSign of a security vulnerability affecting its customers’ Web sites, including a major financial institution. While Comodo was not in a position to fully evaluate the scope of the vulnerability, Comodo believed it to be a significant security concern for VeriSign’s customers (and users of their customers’ Web sites) that rely on secure SSL Digital Certificates to transmit business and personal data.
Comodo urged VeriSign to take immediate steps to correct and remediate the vulnerability and notify all their customers who may be affected by this vulnerability. Comodo followed the Vulnerability Disclosure Guidelines of the Common Computing Security Standards Forum (CCSS) by using an independent third-party as a medium for disclosure. It provided a disclosure document to VeriSign outlining the vulnerability.
VeriSign Underestimated the Problem, Reluctantly Acknowledging & Making Some Fixes
Comodo acknowledged that VeriSign has made some recent fixes to its security issues that were identified by Comodo.
“We are pleased to see that some of the security flaws have now been addressed by VeriSign, along with an acknowledgement letter we received today from VeriSign recognizing the problem,” said Comodo CEO Melih Abdulhayoglu. “However, in our initial request we asked that VeriSign take immediate steps to correct and remediate the vulnerability and notify all their customers who may be affected by this security vulnerability and I truly hope that those steps have been taken.”
Some Fixes Which Have Taken Place
The revoke option button for SSL certificate functionality is no longer available through the public site, effective June 24th.
Google is no longer making information accessible through domain names, effective yesterday.
Administrator details such as emails are no longer visible on the public site, effective yesterday.
However, there are still issues that need to be addressed, such as publicly accessible lists of fully qualified domain names.


