VeriSign refutes competitor's vulnerability claimSSL customer account constitutes a vulnerability.
Through a Google search query, Comodo employees last week discovered the certificate request page for Bank of America, a VeriSign customer, Melih Abdulhayoglu, CEO and president of Comodo, told SCMagazineUS.com on Wednesday.
“Why are you making your security application accessible by Google?” Abdulhayoglu said. “That's security architecture 101. You don't let Google index important information like that. It serves no purpose whatsoever.”
A Bank of America spokesperson could not immediately be reached for comment.
But Tim Callan, product marketing executive for VeriSign's SSL business unit, told SCMagazineUS.com on Wednesday that many large enterprises use publicly accessible certificate request pages as a single point of control to manage SSL certificate requests that may be coming in from employees located all over the world.
There is no private information available on these pages, he added.
“Comodo found the certificate request page for a financial institution,” Callan said. "That is not a security flaw. That is a common, public-facing page."
The impact of the alleged vulnerability in VeriSign's enterprise SSL certificate requesting process extends farther than one financial institution, Abdulhayoglu said.
Other VeriSign customer information, including domain names, administrator details and SSL certificate revoking functionality, also is accessible through Google and other search engines, he said. This information could be used to revoke an SSL certificate via brute force attack, conduct mass phishing campaigns or targeted attacks against specific users or domains.
“None of this constituents a major security flaw,” Callan said. “It's highly debatable whether it's a security flaw at all. These things they are talking about are incredibly obscure, and it's hard to see where there is really an attack associated with that.”
Callan said that due to the increased attention of the issue, VeriSign has put in place additional monitoring to detect against possible brute force attacks against Bank of America's website.
Meanwhile, VeriSign has questioned Comodo's disclosure of the alleged flaw.
Comodo said that it followed ethical security disclosure standards set forth by the Common Computing Security Standards Forum (CCSS) by using an independent third-party as its medium for disclosure. In addition, it provided to VeriSign a disclosure document outlining the vulnerability one week before going public.
VeriSign on the other hand, said that Comodo did not follow CCSS standards, which state that a security vendor must mutually negotiate the strategy and timeline for both disclosure and mitigation of the vulnerability.