Overview
Verisign offers a service entitled "Code Signing Digital ID for Microsoft Authenticode." Information that is submitted to this site is not transmitted via an SSL secured session, instead it is transmitted in the plain-text.
Description
Verisign offers a service entitled "Code Signing Digital ID for Microsoft Authenticode." A fee is charged for this service, and users can enter their credit card information to sign up. The site states that the information is transmitted via an SSL-secured session, but this does not appear to be the case. The link provided for this service begins with http:// rather than https:// indicating that a non-SSL HTTP session should be used. Therefore the data is transmitted in the plaintext. |
Impact
Subscribers to this service may transmit their credit card and other sensitive information over the Internet in plaintext. |
Solution
As of May 30, 2002, Verisign has corrected this problem on their web site, and no further user action is necessary. |
Change the http:// to https:// and verify that an SSL session has been established with your browser. The appropriate link should be similar to the following: |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported by Daniel Norton
This document was written by Jason Rafail.
Other Information
| CVE IDs: | None |
| Date Public: | 2002-05-18 |
| Date First Published: | 2002-05-30 |
| Date Last Updated: | 2002-06-04 17:23 UTC |
| Document Revision: | 6 |