Verisign pwnz0red: Reuters report
Written by
CEO and Publisher
An interesting news piece hit the wires overnight describing the 2010 breach of a handful of Verisign's corporate systems.
The story was broken by the Reuters news agency and is peppered with sensational quotes like a former NSA and DHS guy saying "ZOMG this will end the interwebz" despite the fact the guy knows about as much as we do about the breach. You can read the whole thing here.
It’s interesting for several reasons. Firstly, the reason we know about this event is because it was disclosed in the company’s SEC filings. Secondly, Verisign is a very important company when it comes to the issuance of digital certificates. And finally, the story is made all the more fascinating by the vagaries of the disclosure. The filing is a tad light on specifics, like what data was actually "exfiltrated".
It’s also a sad sign of what's become of the technology media. The breach was disclosed in an SEC filing back in October, but has only hit the news now.
Symantec says there's no evidence to suggest the breach affected its SSL systems, which, if true, means the story as reported is a bit of a beat up.
I suspect this breach is unlikely to be of the magnitude of the RSA hack or Aurora attacks against Google. If anything it tells us more about the sorts of disclosures we're likely to see in future SEC filings in the USA.
But who knows? Sometimes these stories are slow burners...
Either way, the fact that no one would be surprised if Verisign's SSL boxes got pwned is proof enough that browser manufacturers need to redouble their efforts in protecting users from man-in-the-middle attacks performed with illicitly issued but "technically legitimate" certificates. I believe Chrome already pins certs for most major websites and IE might already do it too.
What does your gut feel say? Drop us a comment!
Find Patrick Gray on Twitter.