Who to trust after the VeriSign hack?

This is something Rob Rachwald, director of security strategy at Imperva, picked up on when he noted "a growing number of web applications are delivered over the HTTPS protocol (HTTP over SSL) with attackers increasingly focusing their attacks against the various components of SSL." Rachwald claimed his researchers are already seeing a rise in attacks which target the worldwide infrastructure that supports SSL.

Meanwhile, Catalin Cosoi, global research director at security vendor BitDefender, thinks enterprise trust may already be shattered by the VeriSign breach.

The potential for some nasty security surprises is going to linger for a while.

"A valid digital signature is a crucial requirement of 64-bit operating systems whenever a critical piece of software tries to install itself. VeriSign is one of the most important enterprise trust authorities in the world, which delivers people safely to more than half the world's websites," Cosoi said.

"A certificate issued by VeriSign will automatically be accepted by both browsers and operating systems. This kind of incident practically voids all the security provided by 64-bit operating systems."

Cosoi concluded his statement on the breach disclosure with a worst case scenario, painting a picture of "several phishing attacks with valid certificates that browsers will render as legit" and which would "potentially yield a huge level of data that could be exploited for financial gain."

But there is one small detail that just about everyone seems to be missing here: there is absolutely no evidence to suggest that the SSL certification network was compromised at all. In fact, it would appear more likely to have escaped intact.

First of all the SSL certificate and code signing side of the VeriSign business was acquired by Symantec in 2010, at a time when Paul Meijer was director of infrastructure operations. Meijer continues that same role now for Symantec Authentication Services (which includes SSL and PKI amongst others) and is insistent that the authentication networks were not compromised by the breach.

Meijer said in a blog post that "at the time the breach occurred, VeriSign was running a separate production network to host the Authentication Services 'Cloud' of SSL, PKI, VIP, and FDS."

"When the Authentication Services business moved over to Symantec, we continued to employ the practice of this separate production network. This segregation prevents breaches on the corporate network from infecting the production network.

"Symantec's production network is completely separate from VeriSign's corporate network. Additionally, our development environment also resides on a separate network from the corporate systems network, and is hosted only in a Symantec-owned facility. Finally, the VeriSign root keys, which form the basis of SSL trust, are kept in an offline state and are never accessible on a network."

I'm not usually one to stand up for Symantec, but on this occasion it would seem that 'what if' fever has infected the media and security vendors alike, when there is nothing to actually suggest SSL certificates have been compromised.

I am not, for one moment, underplaying the seriousness of the breach. The potential for some nasty security surprises is going to linger for a while. Yet what the media, and anyone with an interest in keeping their data secure, should be doing is not speculating about certificate-based transactional security but rather putting pressure on VeriSign to come clean and tell us what was, as opposed to what was not, hacked.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.