In VeriSign's enterprise SSL Certificate requesting process

Jun 23, 2010 14:55 GMT

It started with Comodo coming across an issue that it considered a major security vulnerability affecting VeriSign customers. The security outfit used a third party to notify VeriSign of the flaw in its enterprise SSL Certificate requesting process, and went on to urge the rival company to correct the problem and notify its customers. VeriSign responded by downplaying Comodo's report, stating that there were no actual security vulnerabilities in its offerings.

Melih Abdulhayoglu, chief executive officer and founder of Comodo, explained that the reported issue involved finding VeriSign account public access pages using nothing more than a search engine and specific keywords. Abdulhayoglu warned that hackers could brute-force their way into the accounts, since access was only a single pass-phrase away.

“When we uncovered this serious security vulnerability, we knew we had to do the right thing to notify VeriSign immediately to correct the design problem,” Abdulhayoglu said. “With millions of customers' financial transactions at stake, we wasted no time to help correct the problem even though it wasn't ours to begin with.”

Tim Callan, product marketing executive for VeriSign's SSL business unit, denied that the issue reported by Comodo was in any way a security vulnerability. He noted that it was common practice with enterprise customers to simplify the mechanism by which individuals within a specific organization could request SSL Certificates for projects.

“Comodo was able to locate and gain access to a certificate request page from a large financial institution,” Callan stated. “By their nature these pages are publicly accessible, and access to these pages does not constitute a security flaw. There is no private information available from these pages, and certificate requests go through evaluation by the enterprise's designated certificate administration body before any certificate is issued. Comodo's claim that it detected a ‘major security vulnerability’ that affects ‘its customers' Web sites, including a major financial institution’ is categorically false.”