Interesting People mailing list archives

Is VeriSign's New Security Seal Too Trusting?


From: Dave Farber <dave () farber net>
Date: Wed, 12 Nov 2003 22:21:27 -0500


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Wed, 12 Nov 2003 15:58:24 -0800
From: CircleID Network <info () circleid com>
Subject: Is VeriSign's New Security Seal Too Trusting?
To: dave () farber net

Dave,

A report by Justin Everett-Church has revealed a potentially serious flaw
with VeriSign's new jazzed-up Seal that uses Flash instead of the previous
GIF image:

"On November 4, 2003, VeriSign announced a new "trust enhancing" seal which
they built using Macromedia's Flash technology...While there are problems
inherent to VeriSign's approach that call into question their understanding
of "The Value of Trust," there are ways they could have made this particular
implementation less trivially spoofable. The flaws I demonstrate on this
page are flaws in the concept and the execution rather than anything
inherently flawed in Flash. Overall this kind of graphical "trustmark" is
extremely easy to forge just by recreating the artwork. But in this case,
you don't even have to do that. The seal can still be called directly off
the VeriSign servers, yet it is easily modified, without recreating artwork,
and without doing anything untoward with VeriSign's servers!"

Related Links:
- http://www.circleid.com/article/372_0_1_0_C/
- http://www.verisign.com/corporate/news/2003/pr_20031104.html

Archives at: http://www.interesting-people.org/archives/interesting-people/
