Internet security company VeriSign has acknowledged issuing two Microsoft digital certificates to an imposter, raising doubts in many quarters about the consistency of Internet identification practices.
With VeriSign and Microsoft struggling to retract the mistake, security experts are worried that the breach will have serious implications.
A digital certificate is issued to verify that a message is really from the sender. In this case, observers fear malicious code will be offered as originating from Microsoft and thus safe to download. Once downloaded, the code could wreak havoc.
On Jan. 29 and Jan. 30, VeriSign issued a certificate each day to someone posing as a Microsoft employee, then sent confirmation to Microsoft of the issuance. Microsoft responded that it had not requested certificates on those dates. A VeriSign official said March 23 that the firm had not followed proper procedures.
Alarms about the incident are still ringing. "If one of the most sophisticated companies on the planet cant get its certificate management right, what hope is there for the rest of us?" asked Steve Bellovin, research scientist at AT&T and member of the Internet Architecture Board.
"Its hard to imagine this is a purely isolated circumstance," said Jerry Brady, vice president of research and development at Guardent, a security services firm.
VeriSign Vice President Mahi deSilva said the company stood by its service. "Human error," he said, caused the certificate to be issued before vetting was complete. Still, "we think that issuing 2 certs out of 500k is still unacceptable," he said.
DeSilva denied earlier reports that VeriSign had discovered the breach only after Microsoft notified the company six weeks after the fact. An FBI investigation, he said, prevented him from being more specific.
The Microsoft imposter needed to pay for the certificates with a credit-card number, but VeriSign declined to say whose credit card he used. The imposter paid from $800 to several thousand dollars for the "code" certificates, estimated Rob Clyde, chief technologist in the Enterprise Solutions Division at Symantec, a supplier of security management software.
"The charge raises a deterrent to 19-year-old hackers," he noted. So, who went to the expense of buying the certificates, or the double exposure of stealing a credit card and then buying the certificates with it?
Others challenged VeriSigns and Microsofts inability to retract the erroneous certificates by posting them to a checkpoint for invalid certificates. Identrus, an alliance of 44 financial institutions, said certificates issued through its international framework each contain an embedded URL. An automatic check is made at the URL, which leads to the list of revoked certificates, said Guy Tallent, president of Identrus.
But the Windows platform doesnt always include an automatic checker of the Certificate Revocation List (CRL), so VeriSign cannot embed a distributed checkpoint in its Microsoft certificates, said Brian OHiggins, chief technology officer at Entrust. "Anyone can make a mistake, but you need a system that works with revocation" to correct a mistake, OHiggins said, emphasizing that his companys certificates include the embedded checklist information.
Using the CRL is not foolproof protection for certificates either, said Gary McGraw, chief scientist at Cigital, a security consulting firm.
Microsoft said it was working on a patch to recognize the now-revoked VeriSign certificates.
With such a patch, a user about to download code falsely labeled as Microsofts with the Jan. 29 or Jan. 30 certificates could be warned the certificate wasnt valid.
"People are buying trust from VeriSign. Something like this shakes it," Brady said.