This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

If You Can't Trust Microsoft ...

Mar 23 2001 12:00 AM PST

... can you perhaps trust VeriSign (VRSN)? It appears not. The certificate authority admitted it issued two certificates to someone posing as a Microsoft (MSFT) employee. Lots of outlets reported what VeriSign and Microsoft had to say about the incident - and what customers could do to avoid running malevolent code - but few reporters were asking the hard questions.

VeriSign VP Mahi deSilva, quoted in almost all of the coverage, took full responsibility for the snafu, saying that an employee had not followed all of the company's established procedures. (The San Jose Mercury News relayed a security analyst's quip: "Cryptography and digital certificates would work wonderfully if humans weren't involved.") DeSilva carefully did not imply that Microsoft should bear any responsibility for the gaping security hole, even when explaining to CNET that "it took a while for the feedback loop from (Microsoft) to get back to us." He told the AP that VeriSign caught the error "almost immediately" during normal auditing. Apparently the reporter didn't ask if deSilva defined "immediately" as "five weeks later."

Microsoft issued a security bulletin detailing the hoops that customers of any Windows operating system should jump through to make sure they don't run evil code. (Microsoft is working on patches for all systems since Windows 95, but they are not available yet.) InternetNews was one of the few outlets to detail all the precautions that Microsoft suggested. Yet the reporter did not ask a Microsoft spokesman whether it is reasonable to place this burden on its users.

VeriSign has revoked the two bad certificates. But Microsoft's bulletin noted that VeriSign's certificates don't allow for the use of VeriSign's own revocation list. Posters on Slashdot pointed out that the reason VeriSign did not activate this capability is that Microsoft's browsers - and most others as well - don't contain code to check any revocation list.

The New York Times' John Markoff came closer than most other reporters to asking embarrassing questions about who, exactly, bore responsibility for exposing users to dangerous code. Markoff quoted a security expert who tried to sort out the blame: "These trust issues are slippery because you, the consumer, don't realize when you're trusting Microsoft you're actually trusting VeriSign's certification procedures."

Microsoft Victim of Another Security Attack
The Industry Standard

Microsoft Issues Alert About Digital Security Breach
San Jose Mercury News

Consumers Warned of Hijacked Code

Fraudulent Digital Certificates Issued in Microsoft's Name

Warning From Microsoft on False Digital Signatures
New York Times
(Registration required.)

Microsoft Digital Certificate Gets Stolen

Don't Trust Code Signed by 'Microsoft Corporation'

Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard
Microsoft Product Support Services

How to Recognize Erroneously Issued VeriSign Code-Signing Certificates
Microsoft Product Support Services