Ben Laurie blathering

Verisign Demonstrate Their Lack of Integrity

On the 7th of May, 2008, Debian fixed the now famous OpenSSL Weak PRNG bug. So, I’m pretty stunned to read, over 9 months later, Verisign’s newsletter saying

Earlier this year, the Debian organization discovered a vulnerability that weakened the system’s Random Number Generator, making SSL encryption predictable

Err, earlier last year. A lot earlier.

They go on to say

We have identified which customers were affected. If one of your customers has a weak certificate, we’ll send you details on how to resolve the situation, with templates for talking to customers about the problem and policies for replacing weak certificates.

Affected certificates must be replaced as soon as possible. VeriSign will begin revoking any certificates that are still affected by this vulnerability in early 2009.

Well, that’s mighty big of you, Verisign! You’ve left your customers exposed to this problem for over 9 months – even if they replace the certificates, they are still vulnerable to attack, of course – and now that 75% of vulnerable certificates have expired, you’re beginning to think you might start revoking them. Soon. Let me guess – does “early 2009” mean May? I’m sure you wouldn’t be so cynical as to wait until there were no certificates to revoke, would you?

By the way, if anyone gets the details on “how to resolve the situation” from Verisign I’d be very interested to see them. I wonder how much the resolution will cost?

Update: A former Verisign employee pointed out Verisign’s values

…We exercise integrity in all aspects of our business. And with ferocious drive, we take the initiative to carry out all actions with exceptional execution by acting decisively…

If this is ferocious, I wonder what Verisign’s version of laid-back looks like?

1 Comment

  1. Without commenting on the delay, for some time Verisign have sold SSL certs with two and three year expiries, so it won’t be 100% expired bad certificates by May even if they waited.

    Comment by Mark Cox — 15 Jan 2009 @ 10:27
