Cryptography Lessons
Tracy r reed   |  

Verisign intrusion

What does it mean for CAs and our business?
Verisign has had some sort of intrusion, apparently: Key Internet operator VeriSign hit by hackers

Note that the Verisign CA business was sold to Symantec a couple of years ago (about when the attack happened) but it still operates under the Verisign brand. So who knows if the compromise is related to the CA in any way. You can bet Symantec is upset with Verisign over this because now their purchase of Verisign's CA business may have just lost value due to the branding. What if it was the CA network that was compromised and then sold to Symantec? That would really lead to some legal fireworks!

So far we have DigiNotar, Comodo, Realtek, JMicron on the list of compromised certificate authorities and each of them has been used to create bogus certificates. Hundreds of fraudulent yet CA-signed certificates happily accepted by browsers have been found in the wild impersonating websites/intercepting traffic and nobody knows how many more exist. Iran was successfully using bogus certificates signed for to intercept gmail and google chat traffic which has likely lead to deaths, given the nature of that regime and their attitude towards dissenters:

The web browser you are using trusts hundreds of different certificate authorities (any one of which could generate a certificate to impersonate any website they want or be compromise and used to do so) including CNNIC from China. I don't trust CNNIC any further than I could throw Mao Tse Tung's corpulent carcass.

Verisign is a big company which provides many services and no doubt extensively subnets and divides up their networks as required by PCI among many other security standards. One would hope, for example, that the corporate office network (a very common way to infiltrate a network) is in no way connected to the DNS or CA infrastructure (now with Symantec but there could still be links) so that an intrusion in one of these areas would not affect the rest. I find these two paragraphs the most disturbing:

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange
Commission filing in October that followed new guidelines on reporting
security breaches to investors. It was the most striking disclosure to emerge
in a review by Reuters of more than 2,000 documents mentioning breach risks
since the SEC guidance was published.
Ken Silva, who was VeriSign's chief technology officer for three years until
November 2010, said he had not learned of the intrusion until contacted by
Reuters. Given the time elapsed since the attack and the vague language in
the SEC filing, he said VeriSign "probably can't draw an accurate assessment"
of the damage.

The attacks were revealed only to the degree legally required by the SEC and buried in a quarterly 10-Q filing in the hope everyone would overlook it. The CTO wasn't informed (or isn't admitting to having been informed) and the whole thing was brushed under the rug for two years. That's way sleazy.

What does it mean for us? Probably not much, at least at first. If people understood how the CA system worked Verisign's brand would be affected and people would put less trust in their certificates and be less likely to input their credit card number. While it is the part of the system most people focus on, we don't pay a CA to encrypt our traffic. We can do that without them. We pay them to certify that our server is who it says it is. If the media were to run with the idea that the CA system is broken and untrustworthy (which it is) and that man-in-the-middle attacks are rampant (they happen but aren't common, relatively speaking) it could really hurt the e-commerce industry in general which would be bad for us.