{"vuid":"VU#251339","idnumber":"251339","name":"Verisign transmits sensitive customer information in plain text when applying for a \"Code Signing Digital ID\"","keywords":["Verisign","sensitive customer information","plain text","Code Signing Digital ID"],"overview":"Verisign offers a service entitled \"Code Signing Digital ID for Microsoft Authenticode.\" Information submitted to this site is not transmitted via an SSL-secured session; instead, it is transmitted in plaintext.","clean_desc":"Verisign offers a service entitled \"Code Signing Digital ID for Microsoft Authenticode.\" A fee is charged for this service, and users can enter their credit card information to sign up. The site states that the information is transmitted via an SSL-secured session, but this does not appear to be the case. The link provided for this service begins with http:// rather than https://, indicating that a non-SSL HTTP session should be used. Therefore the data is transmitted in plaintext.","impact":"Subscribers to this service may transmit their credit card and other sensitive information over the Internet in plaintext.","resolution":"As of May 30, 2002, Verisign has corrected this problem on their web site, and no further user action is necessary.","workarounds":"Change the http:// to https:// and verify that an SSL session has been established with your browser.\nThe appropriate link should be similar to the following: https://digitalid.verisign.com/cgi-bin/haydn.exe?VHTML_FILE=developer/VSCclass3MSCSie4.htm&originator=$$pOriginator$$","sysaffected":"","thanks":"This vulnerability was reported by Daniel Norton <Daniel@DanielNorton.net>.","author":"This document was written by Jason Rafail.","public":[],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-05-21T20:04:39Z","publicdate":"2002-05-18T00:00:00Z","datefirstpublished":"2002-05-30T17:24:49Z","dateupdated":"2002-06-04T17:23:39Z","revision":6,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"3","cam_population":"0","cam_impact":"8","cam_easeofexploitation":"2","cam_attackeraccessrequired":"7","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.0,"vulnote":null}