Who to trust after the VeriSign hack?

Davey Winder questions what data was stolen from VeriSign and wonders why the company hasn't been more forthcoming.

It's difficult to know who or what to trust these days.

Head over to the VeriSign website and you will be met by the bold claim that the Secure Sockets Layer (SSL) and code signing certificate services business which specialises in online identity and authentication will "build trust every step of the way" so as to ensure that you can "Trust your link. Trust your site. Trust your transaction."

But just how waterproof are those claims from the company, which was acquired by Symantec back in August 2010, especially following the news that VeriSign had been hacked "successfully and repeatedly" in that same year?

Researchers are already seeing a rise in attacks which target the worldwide infrastructure that supports SSL.

The finding came thanks to the US law that requires companies to report breaches. A Reuters review of a couple of thousand documents filed with the US Securities and Exchange Commission (SEC) late last year showed that VeriSign was hacked repeatedly during 2010, but that the senior management team were not informed of the attacks until September 2011.

In that SEC filing, VeriSign admitted it "faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers." VeriSign remained quiet at the time of the filing, and remains silent to this day, as to exactly what information was accessed and which parts of its network were successfully breached. Perhaps the most worrying section of the filing is the admission that "given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information."

VeriSign has gone on to make an official statement which insists that after a "thorough analysis of the attacks... we do not believe that the operational integrity of the Domain Name System (DNS) was compromised" and that "we have a number of security mechanisms deployed in our network to ensure the integrity of the zone files we publish." This is good to know, as nobody wants the DNS to be compromised, but it still doesn't reveal what was compromised, leaving plenty of room for speculation about the integrity of its SSL certificates.

This should come as no surprise to anyone with an interest in matters of transactional security, as the whole 'is SSL dead?' debate has been raging for quite some time. Indeed, I myself covered this very subject over at our sister publication PC Pro back in May last year when I asked whether online shopping security was fundamentally broken.

Back then I was asking if the certificate-based trust model used for just about every financial transaction was secure enough in the light of certificate-related breaches such as Stuxnet, which included device drivers signed using compromised certificates to give an impression of validity.

Then there was the hacker who compromised a Comodo reseller and generated a whole bunch of fake SSL certificates as a result. It was more than a week after the breach was discovered that all the major browsers had updated their certificate information to ensure users were not at risk from sites bearing the fake ones. And who recalls the DigiNotar fuss last year with fake certificates issued in order to impersonate Gmail amongst other services?

Going back even further, in 2008 I reported here at IT Pro about two years of compromised Linux security based around a vulnerability in the Debian OpenSSL cryptographic libraries, and in 2009 I was already asking the 'is SSL secure?' question following a demonstration at Black Hat Las Vegas of man-in-the-middle attacks exploiting flaws in SSL to intercept traffic using a null-termination certificate.