Friday, January 02, 2009

Versign's Bad Response to the MD5-SSL Crisis

I'm reading this blog by Verisign in response to the MD5-SSL problem (which is mostly Verisign's fault). I'm amused by this item:
Q: These researchers have discussed their desire to maintain secrecy so that the hammer of legal action couldn't be used to prevent publication. Does VeriSign intend to sue these researchers?
A: Security researchers who behave ethically have no reason to fear legal action from VeriSign. Since its inception VeriSign has been one of the world's leading forces for online security, and the company has consistently used its resources and expertise to assist online security's progress. In fact, VeriSign is itself a white-hat security research firm …, and we understand the concept of "ethical hacking." We're disappointed that these researchers did not share their results with us earlier, but we're happy to report that we have completely mitigated this attack.
This is not true. A white-hat organization is no more likely to behave responsibly than any other company.

I was Mike Lynn's co-worker during the Cisco scandal. You would assume that since Cisco is a "white-hat" company, they would not threaten Mike Lynn, but they did.

Errata Security gave a presentation a couple years ago about TippingPoint vulnerabilities. You would assume that since TippingPoint also is a white-hat organization, that that wouldn't repress researchers, but they did. We got a lot of pressure to cancel the talk, including the FBI showing up at our offices threatening us.

The problem with both Cisco and TippingPoint is not with the "organization" but with "individuals". In both cases, individuals made bad decisions. It is easy for individuals to delude themselves into thinking that their case is special, that the ethical rules don't apply to them. Unless there is a strong leader to squash them, they will go off the rails and do something bad. In Cisco's case, for example, their CSO was on vacation; had he been at work during the crisis, chances are good that he wouldn't have allowed Cisco to behave badly.

Tim Callan's blog does not fill me with confidence. This is the worst possible failure Verisign could have, short of public disclosure of their private keys. Callan isn't demonstrating that Verisign understands the gravity of the situation. He is instead spinning the situation, making Verisign look good and the researchers look bad. He is not behaving as a white-hat organizations should behave. If he is willing to attack the researchers AFTER the fact, what guarantee do we have that he wouldn't have attacked the researchers BEFORE the presentation?

The researchers behaved perfectly and responsibly. Their worry about being suppressed was justified, and their secrecy was an appropriate response. The very fact that Versign could quickly fix the problem in a day, but malicious hackers would need at least a month to replicate the feat, means that notifying Verisign ahead of time wasn't needed.

UPDATE: Adam Shostack points out this Wired blog which says:
Callan confirms Versign was contacted by Microsoft, but he says the NDA prevented the software-maker from providing any meaningful details on the threat. "We're a little frustrated at Verisign that we seem to be the only people not briefed on this," he says.

I'm not sure what "meaningful details" Verisign needed. We guessed the meaningful details only from the public data, although we made the mistake of assuming that Versign wasn't stupid enough to still be using MD5, and therefore guessed that it was a botnet running 6 months attacking SHA-1 (rather than 200 PS3 running a couple of days).

That article also quotes him:
"All the information that we have is that MD5 is not any kind of significant or meaningful risk today," Callan adds.
It's been a meaningful risk since 2005. The moment the first MD5 hash collision became public, Verisign should have moved quickly to stop using MD5. Callan has a reasonable argument that it takes time to stop using MD5, but 4 years was much more than they needed. They should have also fixed the fact that they are vulnerable to hash collisions (which, apparently, Verisign is still vulnerable to, but only the NSA has the resources to actually exploit this at the moment).

UPDATE: It gets worse. Verisign was notified of the full details. Tim Callan lied. Versign was notified of "successful generation of colliding x509 certificates signed by real certificate authorities which still use MD5" and "that RapidSSL and FreeSSL (also owned by Geotrust) use MD5 and are vulnerable to this attack".
http://www.phreedom.org/blog/2009/verisign-and-responsible-disclosure/

2 comments:

bjbz said...

I agree. Verisign's reaction to this was pretty sleazy. They focused more on protecting their brand than on protecting Internet users. They tried to spin things in the press, seemingly with the goal to shift the blame onto the researchers, to try to avoid giving the researchers any credit, and to try to take credit for themselves. Tim Callan at Verisign also made some demonstrably false statements.

This is highly disappointing and undermines my trust in Verisign, and is a spit in the face to security researchers everywhere. I don't blame Sotirov et al for being very careful about their interactions with Verisign; after this experience, I'd say they were entirely justified in doing so, as I can't really say that Verisign approached this in good faith.

For further information, look here:

http://www.phreedom.org/blog/2009/verisign-and-responsible-disclosure/

https://blogs.verisign.com/ssl-blog/2008/12/on_md5_vulnerabilities_and_mit.php

(But be careful with the latter URL; the comments there are moderated by Tim Callan, who has an obvious interest in avoiding comments that are critical of Verisign, and there's no way to tell what filtering he might be applying to those comments.)

P.S. Any chance you could enable anonymous comments, particularly on contentious subjects like this? Doesn't Blogger have a way to support comments from anonymous posters if they fill in a CAPTCHA?

HashHack said...

I completely agree with bjbz about Verisigns reaction - Md5 has been known to be insecure for a long time - this is why i created my Online MD5 Cracker to put pressure on the industry, it has over 21 million hashes online, worth a look if your interested in cryptography.

Great blog keep up the good work