Thawte issues doppelganger certs warning

Digital certificate specialist Thawte has discovered that its systems have issued certificates with duplicate numbers over the last few months.

If one of the paired certificates is revoked the other will also be disavowed. Which is a pain. But essential encryption and security functions are not affected.

A technical rep for the South Africa-based security firm assured us that each private key obtained for a certificate is unique regardless of the certificate's serial number. We're thankfully not looking at a repeat of the incident two years ago when Verisign mistakenly issued a pair of digital certificates to scam artists in Microsoft's name.

Nonetheless there's a problem of trust here, which Thawte acknowledges: a potential customer might encounter problems verifying a site's credentials.

To its credit, Thawte has been proactive about notifying affected customers this afternoon by email. The issue came to light during a routine disaster recovery and internal audit operation last month.

Since then Thawte techies have been developing tools to help identify potential number conflicts, and assuring themselves that more serious problems were not afoot - which happily they aren't. Over the next two weeks Thawte will send out another email message with complete instructions for customers on the most straightforward way to obtain a free reissued certificate the company is offering.
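As an added example (not Thawte's code and not from the original article), the following Python sketch models why a duplicated serial number matters for revocation: a CRL entry identifies a revoked certificate only by issuer and serial number, so one revocation catches every certificate sharing that pair. It also shows the kind of audit a CA would run over its issuance log to find such conflicts, and a collision-resistant way to allocate serials. The issuer, subject and serial values are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
import secrets

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real ASN.1)."""
    issuer: str
    serial: int
    subject: str

def find_duplicate_serials(issued):
    """Audit an issuance log: return {serial: [subjects]} for every serial an
    issuer handed out more than once. Serials must be unique per issuer."""
    by_serial = defaultdict(list)
    for cert in issued:
        by_serial[(cert.issuer, cert.serial)].append(cert.subject)
    return {serial: subjects for (_, serial), subjects in by_serial.items()
            if len(subjects) > 1}

def revoke(crl, cert):
    """A CRL entry carries only the serial (scoped to the issuing CA), no subject."""
    crl[cert.issuer].add(cert.serial)

def is_revoked(crl, cert):
    """Relying parties match issuer + serial, so every certificate sharing
    those two values is treated as revoked together."""
    return cert.serial in crl.get(cert.issuer, set())

def collateral_revocation(issued, revoked_subject):
    """Revoke one subject's certificate and report every subject now revoked."""
    crl = defaultdict(set)
    revoke(crl, next(c for c in issued if c.subject == revoked_subject))
    return sorted(c.subject for c in issued if is_revoked(crl, c))

def new_serial():
    """Collision-resistant allocation: a random 64-bit serial (low bit set so it
    is never zero) instead of a counter that two signing systems might share."""
    return secrets.randbits(64) | 1

# Constructed sample log: two customers received serial 0x1A2B from one CA.
ISSUED = [
    Cert("CN=Example CA", 0x1A2B, "CN=shop.example"),
    Cert("CN=Example CA", 0x1A2B, "CN=mail.example"),
    Cert("CN=Example CA", 0x1A2C, "CN=www.example"),
]
```

Revoking shop.example's certificate also marks mail.example as revoked, which is exactly the paired-revocation effect described above.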

And why did Thawte's systems issue duplicate certificates in the first place?

Our man at Thawte said that since the firm was acquired by Verisign, two different types of signing have been applied. He suggested this was the root cause of the problem, which, he was keen to add, has since been fixed. ®

Thawte's customer notification email

Dear Customer,

Thawte's digital certificate issuance system assigns a serial number to each Thawte certificate that is issued. Recently, we discovered it was possible for the system to assign the same serial number to more than one Thawte certificate. Because we take all such matters very seriously, we immediately resolved the problem, and do not expect it to be an issue going forward.

However, we have learned that you are among the customers whose Thawte certificates contain a serial number associated with another certificate. It is important to note that your certificate's security functionality has not been compromised in any way. It still fully authenticates your specified entity and provides complete encryption. Similarly, the certificate validity status shown on the certificate itself (which can be accessed by double-clicking on the lock icon), as well as on the Thawte Site Seal, is absolutely correct and also unaffected.

There is a minor related issue that may require some action on your part. Essentially, it is possible for your certificate to be incorrectly listed as "revoked" on Thawte's Certificate Revocation List (CRL). While this does not affect the secure operation of your certificate, it nonetheless needs to be corrected so that your customers always know your certificate is valid and in good standing in every possible scenario.

Your customers are not likely to see any impact from the above mentioned CRL scenario, since current browser versions do not automatically validate the CRL by default. However, we strongly recommend you obtain a reissued certificate to completely eliminate any possibility now and for the future, where automatic validation may occur by default in future browser versions. During the next two weeks we will be sending you an email message with complete instructions to enable you to get your free reissued certificate in the quickest and most convenient way possible.

In the meantime, if you cannot wait for our invitation to reissue your certificate, and you would like to know the status of your Thawte certificate, please go to https://www.thawte.com/cgi/server/checkDuplicateSerials.exe with your certificate order number and follow the instructions.

If you would like more information, please go to http://www.thawte.com/serial_faq.html to view our Frequently Asked Questions or you can contact us via:

* email at certreissue@thawte.com

* log a ticket on https://www.thawte.com/cgi/support/contents.exe

* chat - click on the link at http://www.thawte.com/html/SUPPORT/popups/contactsSUPPORT.html

For additional questions or concerns, you can contact us via email at pr@thawte.com.

External Links

Frequently Asked Questions on Duplicate Serial Numbers, by Thawte
SSL.org - everything you've ever wanted to know about digital certificates but have been too frightened to ask

