ServerTastic Blog - Stuff that happens at ServerTastic and other product related things

VeriSign SSL Certificates


via YouTube

A short clip about the benefits of VeriSign SSL Certificates. VeriSign is available from ServerTastic at fantastic discounts. VeriSign certificates will also soon support the seal in search technology and website malware scans. More details to come!

Filed under  //   SSL   VeriSign  
Posted by Andy Gambles 

Comments [0]

New SSL Wizard Launched


The new SSL Wizard has just been enabled on ServerTastic. The wizard is designed to help you with a number of SSL-related tasks, including renewing your SSL, requesting a re-issue, resending your approver email and, of course, helping you find the best SSL for your requirements.

Please give it a try and let us know your comments. (You can also provide feedback via Facebook, Twitter and LinkedIn).

Filed under  //   Geotrust   rapidssl   ServerTastic   SSL   thawte   VeriSign  
Posted by Andy Gambles 

Comments [0]

Incorrect reports of VeriSign vulnerability


Today we saw some news stories about supposed vulnerabilities in VeriSign's enterprise SSL Certificate requesting process. These stories are based on a press release and outside press briefings from Comodo claiming to have found a "major security vulnerability" in VeriSign's SSL offering. These stories are incorrect. I have written this FAQ to clear up the misinformation that's floating around right now.


Q. Are there actually major security vulnerabilities in VeriSign SSL products that were revealed to the public by Comodo today?
A. No.


Q. What are the claimed vulnerabilities that Comodo announced?
A. Many large enterprises use a workflow whereby individuals within the organization can request SSL Certificates for the projects they're working on. Requests from these pages go to administrators, who then evaluate whether or not to issue the certificates. Comodo was able to locate and gain access to a certificate request page from a large financial institution.


By their nature these pages are publicly accessible, and access to these pages does not constitute a security flaw. There is no private information available from these pages, and certificate requests go through evaluation by the enterprise's designated certificate administration body before any certificate is issued. Comodo's claim that it detected a "major security vulnerability" that affects "its customers' Web sites, including a major financial institution" is categorically false.


Q. What is the effect on VeriSign's customers' web sites?
A. There is no effect on VeriSign's customers' web sites. Customers are not required to take any action and are at no risk.


Q. What is the severity of these alleged vulnerabilities?
A. VeriSign does not believe Comodo discovered or announced any serious vulnerability for our customers or users of our customers' web sites. Sensitive information and actions that carry meaningful consequences to the enterprise are all protected by a separate administrator control center which is not accessible without a special administrative certificate and not the subscriber web page Comodo found. We deliberately designed our workflow to meet the needs of all members of the enterprise without compromising security, and in this instance that design is doing its job.


Q. Was there any breach? Was any sensitive information or the security of any site, server, enterprise, or certificate compromised in any way?
A. No.


Q. Will VeriSign be making any changes to its products based on this announcement?
A. We currently have monitoring in place to detect possible brute force attacks against the subscriber web page. Based on the increased attention this release is likely to cause, we're implementing additional safeguards to redundantly ensure that these pages are not susceptible to exploit.


Q. Comodo's release stated that it followed the CCSS ethical security disclosure standards. Is that correct?
A. No. Section 7.2.iii and 9.1.i of these guidelines clearly state that the discloser and the security vendor will mutually negotiate the strategy and timeline for both disclosure and mitigation of the vulnerability. Comodo did not make VeriSign aware of the planned timing of this morning's press release or the content of that release. If Comodo had briefed us on the content of this release in advance, we could have corrected the egregious errors the release contained.


Had the content of this release constituted an actual major security flaw (which it did not), one week's notice may not have been enough time to fix any flaw, and Comodo did not consult with VeriSign to determine a safe disclosure schedule. With 93% of the Fortune 500 and 97 of the world's 100 largest SSL-using banks choosing SSL Certificates from VeriSign, it's fortunate that Comodo was incorrect in its assessment of security risks.


Q. Why was Comodo searching for vulnerabilities in VeriSign SSL products?
A. We don't know.


Q. Does VeriSign actively search competitive SSL products for security vulnerabilities?
A. No.

FAQ produced by Tim Callan of VeriSign about the recent "Security Exploit" Comodo claim to have discovered.

Filed under  //   SSL   VeriSign  
Posted by Andy Gambles 

Comments [0]

More on the Symantec purchase of VeriSign Security


Two exciting things have happened today. The Queen drove past the office and Symantec announced its purchase of VeriSign Security. I am guessing you are interested in what the Symantec/VeriSign deal means to ServerTastic and the SSL market place.

So far the info I have is that it is business as usual. The certificates will still be issued as normal. The only real nugget of information is from the Symantec press release, which states:

 Following the close of the transaction, Symantec plans to incorporate the VeriSign check mark into a new Symantec logo to convey to users that it is safe to communicate, transact commerce and exchange information online.

However the purchase also includes the rights to the VeriSign check mark. As this is so universally recognised I would imagine/hope that this remains in some form in any redesign.

Symantec have also launched a VeriSign themed website. The yellow circle with tick indicates what could be to come but that is my pure speculation.


It is an interesting development in the internet security webspace. VeriSign are left with the highly profitable domain registry for .net and .com while Symantec are moving into providing the whole suite of validation and security services.

So to clarify, at present it is business as usual. You can still purchase VeriSign, Geotrust, RapidSSL and thawte certificates from ServerTastic.

Filed under  //   SSL   Symantec   VeriSign  
Posted by Andy Gambles 

Comments [0]

Symantec buying VeriSign's Web-security arm



By JORDAN ROBERTSON (AP) – 1 hour ago

SAN FRANCISCO — Symantec Corp.'s decision to pay $1.28 billion to buy a division of VeriSign Inc. that sells security technology to websites highlights how quickly the companies are moving in opposite directions.

Symantec, best known for its antivirus software for personal computers, wants to secure more things.

With the VeriSign deal, announced Wednesday, Symantec will have spent nearly $3 billion in two years acquiring technologies that make it a bigger player in other parts of the security market, such as protecting data on mobile phones and delivering software over the Internet.

Meanwhile, VeriSign, whose brand is ubiquitous on the Web for protecting online transactions, wants to secure fewer things.

It wants to focus instead on a lesser-known but more robust part of its business: managing traffic to websites with addresses ending in ".com" and ".net," and collecting fees for registering those domain names.

VeriSign has been purging divisions for the past three years, after realizing it was spread too thin following a buying binge designed to insulate it from the kinds of problems it had after the dot-com collapse a decade ago.

Prior to Wednesday's deal with Symantec, VeriSign had sold more than a dozen businesses since 2007 for a total of nearly $1 billion. Some were curious choices for VeriSign to have in the first place, such as a division that did billing services for telecommunications companies and another that sold ring tones and insurance for mobile phones.

What Symantec gets out of the VeriSign deal is one of the Web's best-known brand names for security.

VeriSign's logo — a check mark and the tag "VeriSign Secured" — is ubiquitous on websites that have bought its security technology. The VeriSign division that Symantec is buying sells "certificates" to websites that want protection for their customers' data. The Secure Sockets Layer, or SSL, certificates allow data to be encrypted between a user's browser and a website's servers. A padlock icon appears on a user's browser when that technology is being used.

The certificate business has long been a cornerstone for VeriSign, but has come under pressure in recent years.

In part, that's because cheap SSL certificates sold by other companies are easy to come by. The competition has forced VeriSign to sell more of its cheaper SSL certificates, too, even though their security measures are weaker.

Revenue in that division rose just 3 percent last year to $410 million, while revenue in VeriSign's domain-name division jumped 12 percent to $616 million.

Still, at the end of last year, more than 1 million sites were using VeriSign's SSL certificates, making the business an attractive target for a company such as Symantec looking to extend its brand.

The deal is expected to close in the September quarter. Symantec said it expects the transaction to reduce its adjusted earnings by 9 cents per share for the current fiscal year. It won't add to adjusted profit until the September quarter of next year.

The business VeriSign is left with is a lucrative one, but whose weakness following the dot-com collapse was a key reason VeriSign went on a tear with its acquisitions.

VeriSign is critical in steering Internet traffic to ".com" and ".net" Web sites. Its directories help Internet computers locate websites and know where to send e-mail.

The company makes its money by collecting a fee every time someone registers or renews a domain name ending in ".com" or ".net." Although Web site owners buy names through third parties, VeriSign gets fees as operator of the ".com" and ".net" registries.

Those fees generally go up each year, and as of July 1 will be $7.34 per ".com" name and $4.65 per ".net" name. Those fees add up with some 85 million ".com" names and 13 million ".net" names registered — and they account for the bulk of revenue in the domain-name division.

Symantec shares were up 2 cents in extended trading. They had fallen 32 cents, or 2 percent, to close the regular trading session at $15.63. VeriSign shares rose 83 cents, or 3 percent, to $28.82 in extended trading, after falling 24 cents to close at $27.99.

Both companies are based in Mountain View, Calif.

Copyright © 2010 The Associated Press. All rights reserved.

Some surprising news was announced last night! At the moment this means nothing changes on ServerTastic but we will keep you updated.

Filed under  //   SSL   Symantec   VeriSign  
Posted by Andy Gambles 

Comments [0]

CA Root Upgrade for SSL Certificates


During the second half of 2010 VeriSign, Thawte, Geotrust and RapidSSL certificates will transition to use a 2048-bit root.

This will have no impact on existing certificates. These will continue to work as expected. However once the root has been updated (we will provide details when this happens) you must ensure you install any intermediary certificates as instructed in your fulfilment emails.

An important change to note is that once the new roots are in place RapidSSL will be issued with an intermediary certificate. This has become common practice within the industry.

Prior to the change you may want to ensure that your applications support the use of 2048-bit certificates.

For more information and FAQs please see the links below.

Filed under  //   Geotrust   rapidssl   SSL   VeriSign  
Posted by Andy Gambles 

Comments [0]

VeriSign Trust Seal


VeriSign have launched the VeriSign Trust Seal. This is designed for websites that do not collect customer or payment information online and therefore do not need a VeriSign SSL certificate but want to establish trust.

At the moment the trust seal is not available to VeriSign resellers (such as ServerTastic). It is anticipated that this will become available during May 2010. We will then investigate pricing for our customers.

Filed under  //   Site Seal   SSL   Trust   VeriSign  
Posted by Andy Gambles 

Comments [0]

Manage Your SSL Certificate Orders


Customers purchasing their RapidSSL, Geotrust, thawte or VeriSign SSL certificate from ServerTastic are now able to manage their SSL certificate orders and perform the following actions:

  • Resend approver emails
  • Resend fulfilment emails
  • Re-issue certificates (where purchase allows)
  • Revoke certificates
  • Check status and view comments for org validated and EV certificate orders in process
How cool is that! You no longer need to raise a support ticket to perform any of these actions - you can do them yourself.

"I have heard enough, how do I do this?" I hear you all cry. Simply visit the relevant URL below (you can bookmark it) and complete the form. You will need to know the SSL domain and the admin email contact (which you will also need access to), and to complete the captcha.

You will then be shown your order for verification. Click "Select" next to the correct order and then submit to confirm your email address. An email will be sent to the admin contact email address which will contain a unique URL allowing instant access to your order. It sounds a lot more complicated than it actually is. I simply suggest you give it a try!

End User Order Management
RapidSSL and Geotrust branded order management: Click Here
thawte branded order management: Click Here
VeriSign branded order management: Click Here

SSL Certificate Resellers
You can also provide these links to your customers. They are not branded by ServerTastic in any way, so the customer will never know (if that is what you want).

Filed under  //   Geotrust   rapidssl   ServerTastic   SSL   thawte   VeriSign  
Posted by Andy Gambles 

Comments [2]

ServerTastic SSL Certificates Safe From Threats Presented at Black Hat


A number of attacks aimed at SSL Certificates were demonstrated at the recent Black Hat event in Las Vegas. VeriSign have confirmed that none of the certificates issued within the VeriSign group are susceptible to these attacks. This includes RapidSSL, thawte and Geotrust.

This was confirmed on Tim Callan's SSL Blog. I have pasted the relevant excerpts below.

Use of null Characters

The focus of this presentation was various ways to use null characters to fool browsers and other pieces of relying software into believing a certificate has been issued to a different domain than the one to which it was actually issued. The idea is that the attack would give the online criminal the ability to put up a certificate on what appears to be the exact same domain name as the targeted site. sslstrip accomplishes this feat through a Man-in-the-Middle attack and uses the null-character certificate to create its false certificates on the fly.


I'm pleased to say that none of VeriSign's SSL Certificates on any brand allow null characters, meaning that you can't use any of our certificates in the attack detailed today. While the fundamental problem needs to be solved by the client software that trusts these certificates, we still prefer not to be contributing to the problem. And until these problems are solved at the source, EV SSL is a great interim solution. The detailed attack will not work against EV SSL (as agreed by Mr. Marlinspike during the Q and A session after his talk), which means that sites have the power to defend themselves against null character attacks and in fact all attacks using sslstrip.

MD2 No Longer Secure

Kaminsky covered several topics which had SSL as a common theme. Interestingly, he also revealed his own work with null characters, which was very similar to Marlinspike's. In addition, Kaminsky talked about pre-image attacks against MD2, which he expects to be viable this calendar year. He reports that MD2 is not trusted or soon to not be trusted on these applications and platforms: Firefox, OpenSSL, Red Hat, Opera, Apple, Microsoft, Google, and VeriSign. Here I can be more specific. As of May 2009, VeriSign is issuing its SSL Certificates on all brands using SHA-1.

Leading Zeros

Kaminsky also described a "leading zero attack," by which a certificate can fool client software by essentially attaching an invisible zero to the first hex character in the certificate. Again, I'm happy to tell you that VeriSign won't issue SSL Certificates with leading zeros on any of our brands.

Filed under  //   Black Hat   Geotrust   rapidssl   security   ServerTastic   SSL   thawte   VeriSign   vulnerabilities  
Posted by Andy Gambles 

Comments [0]
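
The null-character issue described in the excerpts above comes down to relying software treating a length-prefixed certificate name as a C string. The following is an added example, not code from VeriSign, ServerTastic or the Black Hat talks: it puts the flawed comparison beside a hardened one that rejects such names outright. The struct, function names and sample names are constructed for illustration, and wildcard matching is left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A name as the ASN.1 decoder hands it over: bytes plus an explicit length.
 * It is not a C string and may contain any byte value, including 0x00. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample names (not taken from any real certificate). */
static const unsigned char GOOD_BYTES[] = "www.example.com";
static const unsigned char NUL_BYTES[]  = "www.example.com\0.other.example";
static const struct cert_name GOOD_NAME = { GOOD_BYTES, sizeof GOOD_BYTES - 1 };
static const struct cert_name NUL_NAME  = { NUL_BYTES,  sizeof NUL_BYTES - 1 };

/* Flawed client logic: treats the name as a C string, so the comparison
 * stops at the first NUL and the rest of the name is never examined. */
int naive_match(const struct cert_name *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened logic: 1 = match, 0 = mismatch, -1 = malformed name (reject). */
int strict_match(const struct cert_name *cn, const char *host)
{
    size_t i, host_len = strlen(host);

    if (cn->len == 0)
        return -1;
    for (i = 0; i < cn->len; i++) {
        /* DNS names in certificates are printable ASCII; a NUL or any
         * other control or 8-bit byte means the name must not be trusted. */
        if (cn->data[i] < 0x21 || cn->data[i] > 0x7e)
            return -1;
    }
    if (cn->len != host_len)        /* compare over the full decoded length */
        return 0;
    for (i = 0; i < host_len; i++) {
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *host = "www.example.com";

    printf("good name: naive=%d strict=%d\n",
           naive_match(&GOOD_NAME, host), strict_match(&GOOD_NAME, host));
    printf("NUL name:  naive=%d strict=%d\n",
           naive_match(&NUL_NAME, host), strict_match(&NUL_NAME, host));
    return 0;
}
```

The same byte-range check applies on the issuing side, where a certificate request containing such a name can be refused before anything is signed.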

VeriSign SSL Certificates Soar Past 4 Million Mark


VeriSign have announced that they have issued 4 million SSL Certificates since 1995.

Full press release below:

In 14 Years as SSL Pioneer and Market Leader, VeriSign and Its Brands Make Trusted Interactions Possible for Millions of Web Sites and Services

MOUNTAIN VIEW, CA -- (Marketwire) -- July 27, 2009 -- VeriSign, Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services for the networked world, today announced that it has issued more than 4 million Secure Sockets Layer (SSL) Certificates. The total includes certificates issued by VeriSign under all four of its SSL brands: VeriSign®, GeoTrust®, thawte®, and RapidSSL®.

Since 1995, the company has served as a trusted third party and Certificate Authority responsible for issuing and authenticating a range of digital certificates designed to protect online businesses and their customers by:

 

--  Encrypting sensitive information during online transactions
--  Authenticating the identity of certificate owners
--  Warning when certificates are invalid
    

Under its four brands, VeriSign issues, authenticates and manages a range of certificates that are vital to the secure and trusted operation of the Internet, Web-based applications, and services requiring digital IDs, including:

 

--  SSL Certificates. VeriSign provides secure SSL encryption to Web sites
    protected by all VeriSign SSL Certificates brands, enabling trusted e-
    commerce, communications, and interactions on Web sites, intranets, and
    extranets.
--  Extended Validation (EV) SSL Certificates. EV SSL protection provides
    Web users using high security browsers with immediate visual confirmation
    that they've reached a site whose authenticity has been independently
    verified by VeriSign.
--  Server-Gated Cryptography (SGC) Certificates.  VeriSign's SGC
    Certificates enable every Web site visitor to connect using the strongest
    encryption for which their systems are capable.
--  Code Signing Certificates. VeriSign® Code Signing creates a digital
    "shrink-wrap" for code and content to protect software publishers and users
    when they download code and content over the Internet and mobile networks.
--  PKI Certificates. VeriSign protects enterprises, government agencies
    and others with a flexible platform enabling complete management of digital
    certificates for authentication, encryption and digital signing.
    

The milestone of issuing more than 4 million SSL certificates underscores how VeriSign is essential to enabling secure online transactions around the world. The company has issued more than 12,000 EV SSL Certificates, making VeriSign the far-and-away market leader with a 74 percent share of the EV SSL market. And every day, VeriSign conducts up to 1 billion Online Certificate Status Protocol (OCSP) checks -- the most timely and efficient way for Web browsers to determine whether an SSL or user certificate is still valid or has been revoked and a key indicator of secure sessions initiated using VeriSign SSL Certificates.

VeriSign also plays a vital role in Public Key Infrastructure (PKI) deployments, which use digital certificates for authentication, encryption and digital signing. In the past 14 years, VeriSign has issued and managed tens of millions of PKI certificates for thousands of customers throughout the world.

"As the world's leading SSL Certificate Authority, VeriSign understands that when customer trust is paramount, second best is never nearly good enough," said Tim Callan, vice president of product marketing at VeriSign. "Now more than ever, in a marketplace that is truly global and increasingly competitive, protecting a Web site, application or service with VeriSign is an investment that pays dividends every day."

 

Filed under  //   Geotrust   rapidssl   SSL   thawte   VeriSign  
Posted by Andy Gambles 

Comments [0]