Shostack + Friends Blog Archive

 

Dear Verisign: Trust requires Transparency

On their blog, Verisign made the following statement, which I’ll quote in full:

As disclosed in an SEC filing in October 2011, parts of Verisign’s non-production corporate network were penetrated. After a thorough analysis of the attacks, Verisign stated in 2011, and reaffirms, that we do not believe that the operational integrity of the Domain Name System (DNS) was compromised.

We have a number of security mechanisms deployed in our network to ensure the integrity of the zone files we publish. In 2005, Verisign engineered real-time validation systems that were designed to detect and mitigate both internal and external attacks that might attempt to compromise the integrity of the DNS.

All DNS zone files were and are protected by a series of integrity checks including real-time monitoring and validation. Verisign places the highest priority on security and the reliable operation of the DNS.

This does not suffice to restore my trust in a company to which we have delegated trust decisions across thousands of websites. Verisign concealed a breach from us, and possibly from its own management, according to Joseph Menn, who reports:

The 10-Q said that security staff responded to the attack soon afterward but failed to alert top management until September 2011. It says nothing about a continuing investigation […]

Reasonable people can differ on what constitutes a thorough analysis. Reasonable people can differ on response activity. We can probably all learn a lot from what happened. Reasonable people can’t argue that Verisign has paid some PR cost, and that they’ll continue to pay it until those who are supposed to trust them are satisfied. That satisfaction requires more than the statements made above. I’m sure Verisign would prefer that the story go away, in which case they should release the report today (with whatever minor redactions are appropriate).

If Verisign has what they believe is a thorough analysis, they need to release as a step along the way to restoring trust in their ability to operate important parts of the internet infrastructure. And Verisign need to release real information soon, before the technical public come to see them as stonewalling.

[Update: Welcome, Schneier blog readers! I wanted to clarify the status: we have a very data-free set of assertions from someone claiming to be a Symantec employee. We do not yet have a detailed report on the investigation that addresses who knew what when, and how they knew it.]

8 comments on "Dear Verisign: Trust requires Transparency"

  • LonerVamp says:

    Yeah, assurances don’t really go that far with some people, including myself.

    My gut tells me that September 2011 month is curiously lined up with the death of Diginotar. I wouldn’t be surprised if either “top mgmt” finally asked questions, or if security managers finally bit the bullet and pushed the information upward.

    Considering how busy “top mgmt” is with everything else, I’d personally say some of both of my gut feelings are correct…

  • Allen says:

    To be clear, Verisign, Inc. was compromised, not the Verisign security product lines that were acquired by Symantec.

    Symantec (my employer) was not compromised.

  • John says:

    @LoverVamp “…September 2011 month is curiously lined up with the death of Diginotar.”

    Another factor is that the SEC issued new guidance on disclosure of breaches in early October, a couple of weeks before their filing. Not declaring breaches that are material to business now has consequences…

  • Dave says:

    @Allen, yupp, Symantec has been breached much earlier, and only finding it out now, which is mildly embarrassing: http://goo.gl/ieV3X
    And since Symantec has gone to great lengths to rename Verisign to Norton it makes no sense to distance itself now; the least it can do is embrace Transparency wholly as suggested here, or would it rather be remembered like RSA?

  • Gary McGath says:

    “Reasonable people can’t argue that Verisign has paid some PR cost…” Is this the opposite of what you meant? To argue that something is so is to say it _is_ so and give reasons.

  • anon says:

    “Trust” is as you say, “Requires Transparency”. Their users / customers / everyone are required to trust them. They are not required to be transparent. one of these requirements is required to change… (… point laboured?)

  • Chris says:

    So if they’re saying that DNS was not breached, does that mean that everything *else* they do, which they didn’t say wasn’t breached, *was* breached?

  • Nick says:

    Trust /= Transparency. Transparency removes the opportunity for deceit.

Comments are closed.