Q: These researchers have discussed their desire to maintain secrecy so that the hammer of legal action couldn't be used to prevent publication. Does VeriSign intend to sue these researchers?
A: Security researchers who behave ethically have no reason to fear legal action from VeriSign. Since its inception VeriSign has been one of the world's leading forces for online security, and the company has consistently used its resources and expertise to assist online security's progress. In fact, VeriSign is itself a white-hat security research firm …, and we understand the concept of "ethical hacking." We're disappointed that these researchers did not share their results with us earlier, but we're happy to report that we have completely mitigated this attack.
This is not true. A white-hat organization is no more likely to behave responsibly than any other company.
I was Mike Lynn's co-worker during the Cisco scandal. You would assume that since Cisco is a "white-hat" company, they would not threaten Mike Lynn, but they did.
Errata Security gave a presentation a couple years ago about TippingPoint vulnerabilities. You would assume that since TippingPoint also is a white-hat organization, that they wouldn't repress researchers, but they did. We got a lot of pressure to cancel the talk, including the FBI showing up at our offices threatening us.
The problem with both Cisco and TippingPoint is not with the "organization" but with "individuals". In both cases, individuals made bad decisions. It is easy for individuals to delude themselves into thinking that their case is special, that the ethical rules don't apply to them. Unless there is a strong leader to squash them, they will go off the rails and do something bad. In Cisco's case, for example, their CSO was on vacation; had he been at work during the crisis, chances are good that he wouldn't have allowed Cisco to behave badly.
Tim Callan's blog does not fill me with confidence. This is the worst possible failure Verisign could have, short of public disclosure of their private keys. Callan isn't demonstrating that Verisign understands the gravity of the situation. He is instead spinning the situation, making Verisign look good and the researchers look bad. He is not behaving as a white-hat organization should behave. If he is willing to attack the researchers AFTER the fact, what guarantee do we have that he wouldn't have attacked the researchers BEFORE the presentation?
The researchers behaved perfectly and responsibly. Their worry about being suppressed was justified, and their secrecy was an appropriate response. The very fact that Verisign could quickly fix the problem in a day, but malicious hackers would need at least a month to replicate the feat, means that notifying Verisign ahead of time wasn't needed.
UPDATE: Adam Shostack points out this Wired blog which says:
Callan confirms Verisign was contacted by Microsoft, but he says the NDA prevented the software-maker from providing any meaningful details on the threat. "We're a little frustrated at Verisign that we seem to be the only people not briefed on this," he says.
I'm not sure what "meaningful details" Verisign needed. We guessed the meaningful details only from the public data, although we made the mistake of assuming that Verisign wasn't stupid enough to still be using MD5, and therefore guessed that it was a botnet running 6 months attacking SHA-1 (rather than 200 PS3s running a couple of days).
That article also quotes him:
"All the information that we have is that MD5 is not any kind of significant or meaningful risk today," Callan adds.
It's been a meaningful risk since 2005. The moment the first MD5 hash collision became public, Verisign should have moved quickly to stop using MD5. Callan has a reasonable argument that it takes time to stop using MD5, but 4 years was much more than they needed. They should have also fixed the fact that they are vulnerable to hash collisions (which, apparently, Verisign is still vulnerable to, but only the NSA has the resources to actually exploit this at the moment).
UPDATE: It gets worse. Verisign was notified of the full details. Tim Callan lied. Verisign was notified of "successful generation of colliding x509 certificates signed by real certificate authorities which still use MD5" and "that RapidSSL and FreeSSL (also owned by Geotrust) use MD5 and are vulnerable to this attack".