I previously commented on Verisign's incredulity at the fact that the researchers who produced a phoney SSL certificate didn't put them in the loop prior to public disclosure of their research.

It appears this incredulity has produced a bit of a debate. I'm linking Rob Graham who weighed in the subject:

The researchers behaved perfectly and responsibly. Their worry about being suppressed was justified, and their secrecy was an appropriate response. The very fact that Versign could quickly fix the problem in a day, but malicious hackers would need at least a month to replicate the feat, means that notifying Verisign ahead of time wasn't needed.

He links to a post from Alexander Sotirov who also took issue with Verisign's position:

In a recent post on his company blog, Verisign's vice president of marketing Tim Callan commented on the disclosure of our MD5 collision attack:

VeriSign did not receive any of [the] information ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning.

I feel that this statement is inaccurate. Not only did we contact Verisign before our presentation to let them know about our research, we also strongly advised them to stop using MD5 as soon as possible and were given a chance to review their mitigation plans.

Callan responded in the thread on his blog.

Here are the facts as I understand them.

- The "trusted intermediary" was under a strict NDA with you and didn't feel it could reveal anything that was actually actionable or useful. Your NDA prevented the intermediary from telling us what would be announced, by whom, or when.

- You didn't invite us to view the presentation in person or on the webcast. Had VeriSign not discovered by other means that this presentation was coming, we may not have had the opportunity to hear what you had to say until after the fact.

- In addition to Microsoft and Mozilla, at a bare minimum you briefed The Washington Post, Wired Magazine, CNET, and IDG News Service prior to your announcement. You also briefed one or more active security bloggers. Based on the reports from these people, it appears that you obtained promises from them not to share with us either.

- You stood on stage in front of a room full of people and explained that you had actively sought to prevent us from finding out. You had a slide thanking the lawyers who helped you prevent us from finding out.

- VeriSign acquired the RapidSSL product line as part of its acquisition of GeoTrust in September of 2006. That's when we began our process of learnin... [ Read More (0.2k in body) ]

This whole situation is quite interesting to me. Several years ago I gave a talk at PhreakNIC about how security researchers can make themselves a hard target to silence. Ironically, the video recorder malfunctioned about an hour before my talk, so there isn't a record of it.

From the looks of it, these guys planned this out well.. Verisign is just spinning this so they don't look like idiots. Don't see a valid argument that the security researchers were in any way unethical. I think concerns about Verisign attempting to obtain some kind of prior restraint on the researchers was completely warranted. Beyond that, given that the problem could be fixed long before their research could be replicated, no actual vulnerability was created by their disclosure.

Here is more information and commentary from Decius:

I previously commented on Verisign's incredulity at the fact that the researchers who produced a phoney SSL certificate didn't put them in the loop prior to public disclosure of their research.

It appears this incredulity has produced a bit of a debate. I'm linking Rob Graham who weighed in the subject:

The researchers behaved perfectly and responsibly. Their worry about being suppressed was justified, and their secrecy was an appropriate response. The very fact that Versign could quickly fix the problem in a day, but malicious hackers would need at least a month to replicate the feat, means that notifying Verisign ahead of time wasn't needed.

He links to a post from Alexander Sotirov who also took issue with Verisign's position:

In a recent post on his company blog, Verisign's vice president of marketing Tim Callan commented on the disclosure of our MD5 collision attack:

VeriSign did not receive any of [the] information ahead of the actual presentation, rendering it impossible for us to begin work on mitigating this issue prior to this morning.

I feel that this statement is inaccurate. Not only did we contact Verisign before our presentation to let them know about our research, we also strongly advised them to stop using MD5 as soon as possible and were given a chance to review their mitigation plans.

Callan responded in the thread on his blog.

Here are the facts as I understand them.

- The "trusted intermediary" was under a strict NDA with you and didn't feel it could reveal anything that was actually actionable or useful. Your NDA prevented the intermediary from telling us what would be announced, by whom, or when.

- You... [ Read More (0.3k in body) ]