
Verisign has now removed the “Revoke” button while still publicly denying there was ever a vulnerability.

As can be seen in the PDF attached to the post made in our Comodo forums, the Revoke button that existed previously has been removed.

Unfortunately, there are no winners here. Verisign loses, and Comodo loses. The way that Verisign handled the whole affair is irresponsible and damaging to the industry in my opinion. I hope they can learn from this.

The whole thing could have been avoided if they had simply acknowledged that there was an issue when we reported it and done something to fix it.

So far we know that after we went public:

Verisign has changed their server settings so that Google doesn’t index these security pages.

Verisign has removed the “Revoke” button from these security pages.

Verisign has asked Google to delete these entries from their database.

Every single one of these actions could have been done when we contacted Verisign early last week and the whole fiasco could have been avoided. They forced Comodo to go public before they reacted to the vulnerabilities reported.

All these are positive moves in the right direction, although a bit late and unnecessarily public and after they claimed there was no issue, which makes them look not so with it. However, the most important factor is their customers, some of which are major banks. We do not know if they contacted their customers and asked them to verify if there was any breach or not in their security or if that resulted in any Compliancy breach. I believe they should inform their customers who used this service so that they can check to see if there was a breach or not.

Verisign: Trying to keep things quiet is NOT the way to deal with these kinds of situations. You are NOT an ostrich. Do not bury your head in the sand, for God's sake!!!

We compete at business level, but we share the same industry! It is NOT in anyone’s interest for anyone in the industry to get a bad name. Stop acting irresponsibly and start working with your Industry Partners!

After all is said and done, Verisign is a respectable company and their Authentication division is in good hands with Symantec. I just hope they learn from this experience for the sake of the authentication industry.

Melih
