Who to trust after the VeriSign hack?

Security

It's difficult to know who or what to trust these days.

Head over to the VeriSign website and you will be met by the bold claim that the Secure Sockets Layer (SSL) and code signing certificate services business which specialises in online identity and authentication will "build trust every step of the way" so as to ensure that you can "Trust your link. Trust your site. Trust your transaction."

But just how waterproof are those claims from the company which was acquired by Symantec back in August 2010, especially following the news that VeriSign had been hacked "successfully and repeatedly" that year.

Researchers are already seeing a rise in attacks which target the worldwide infrastructure that supports SSL.

The finding came thanks to the US law that requires companies to report breaches. A Reuters review of a couple of thousand documents contained in a filing by the US Securities and Exchange Commission (SEC) late last year showed VeriSign was hacked repeatedly during 2010 but the senior management team were not informed of the attacks until September 2011.

In that SEC filing, VeriSign admitted it "faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers." Although VeriSign remained quiet at the time of the filing, and still remains silent to this day as to exactly what information was accessed and what parts of its network was successfully breached, perhaps the most worrying section of the filing is the admission that "given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information."

VeriSign has gone on to make an official statement which insists that after a "thorough analysis of the attacks... we do not believe that the operational integrity of the Domain Name System (DNS) was compromised" and "we have a number of security mechanisms deployed in our network to ensure the integrity of the zone files we publish." This was good to know as nobody wants the DNS to be compromised, but it still didn't reveal what was compromised, only leading to much speculation regarding the integrity of its SSL certificates.

This should come as no surprise to anyone with an interest in matters of transactional security, as the whole 'is SSL dead?' debate has been raging for quite some time. Indeed, I myself covered this very subject over at our sister publication PC Pro back in May last year when I asked whether online shopping security was fundamentally broken.

Back then I was asking if the certificate-based trust model used for just about every financial transaction was secure enough in the light of certificate-related breaches such as Stuxnet which included device drivers signed using compromised certificates to give an impression of validity.

Then there was the hacker who compromised a Comodo reseller and generated a whole bunch of fake SSL certificates as a result. It was more than a week after the breach was discovered that all the major browsers had updated their certificate information to ensure users were not at risk from sites bearing the fake ones. And who recalls the DigiNotar fuss last year with fake certificates issued in order to impersonate Gmail amongst other services?

Going back even further, in 2008 I reported here at IT Pro about two years of compromised Linux security based around a vulnerability in the Debian OpenSSL cryptographic libraries and in 2009 I was already asking the 'is SSL secure?' question following a demonstration at Black Hat Las Vegas of man-in-the-middle attacks exploiting flaws in SSL to intercept traffic using a null-termination certificate.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.