I previously commented on Verisign's incredulity at the fact that the researchers who produced a phoney SSL certificate didn't put them in the loop prior to public disclosure of their research.
It appears this incredulity has produced a bit of a debate. I'm linking Rob Graham who weighed in the subject:
The researchers behaved perfectly and responsibly. Their worry about being suppressed was justified, and their secrecy was an appropriate response. The very fact that Versign could quickly fix the problem in a day, but malicious hackers would need at least a month to replicate the feat, means that notifying Verisign ahead of time wasn't needed.
He links to a post from Alexander Sotirov who also took issue with Verisign's position:
In a recent post on his company blog, Verisign's vice president of marketing Tim Callan commented on the disclosure of our MD5 collision attack:
VeriSign did not receive any of [the] information ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning.
I feel that this statement is inaccurate. Not only did we contact Verisign before our presentation to let them know about our research, we also strongly advised them to stop using MD5 as soon as possible and were given a chance to review their mitigation plans.
Callan responded in the thread on his blog.
Here are the facts as I understand them.
- The "trusted intermediary" was under a strict NDA with you and didn't feel it could reveal anything that was actually actionable or useful. Your NDA prevented the intermediary from telling us what would be announced, by whom, or when.
- You didn't invite us to view the presentation in person or on the webcast. Had VeriSign not discovered by other means that this presentation was coming, we may not have had the opportunity to hear what you had to say until after the fact.
- In addition to Microsoft and Mozilla, at a bare minimum you briefed The Washington Post, Wired Magazine, CNET, and IDG News Service prior to your announcement. You also briefed one or more active security bloggers. Based on the reports from these people, it appears that you obtained promises from them not to share with us either.
- You stood on stage in front of a room full of people and explained that you had actively sought to prevent us from finding out. You had a slide thanking the lawyers who helped you prevent us from finding out.
- VeriSign acquired the RapidSSL product line as part of its acquisition of GeoTrust in September of 2006. That's when we began our process of learning the code base and transitioning various technology decisions that had been made by the previous ownership, including moving off MD5. Therefore it gives an inaccurate impression to discuss 2004 as the starting date for mitigation of this vulnerability.
- VeriSign has a long history of treating ethical security researchers well and encouraging research of this sort. We've been public in our congratulation of the good work you did finding this flaw, and we took immediate action. Had we been briefed ahead of time, the flaw would have been inactive by the time you revealed it to the world.
Verisign was told that the researchers had achieved
the successful generation of colliding x509 certificates signed by real certificate authorities which still use MD5
RapidSSL and FreeSSL (also owned by Geotrust) use MD5 and are vulnerable to this attack
and they were told that this information was going public. I don't understand how knowing "who was presenting and when they were presenting" would effect the situation unless they didn't believe that the results were real, something that they didn't indicate in the email dialog. They had the technical information. What they didn't know is where to sue, which is exactly why they didn't know it. I don't find Verisign's position credible. How would knowing who and when help them react more quickly?
Errata Security: Versign's Bad Response to the MD5-SSL Crisis