Thawte issues doppelganger certs warning


Digital certificate specialist Thawte has discovered that its systems have issued certificates with duplicate numbers over the last few months.

If one of the paired certificates is revoked, the other will also be disavowed, which is a pain. But essential encryption and security functions are not affected.

A technical rep for the South Africa-based security firm assured us that each private key obtained for a certificate is unique regardless of the certificate's serial number. We're thankfully not looking at a repeat of the incident two years ago when Verisign mistakenly issued a pair of digital certificates to scam artists in Microsoft's name.

Nonetheless there's a problem of trust here, which Thawte acknowledges, where a potential customer might encounter problems verifying a site's credentials.

To its credit, Thawte has been proactive about notifying affected customers this afternoon by email. The issue came to light during a routine disaster recovery and internal audit operation last month.

Since then Thawte techies have been developing tools to help identify potential number conflicts, and assuring themselves that more serious problems were not afoot - which happily they weren't. Over the next two weeks Thawte will send out another email message with complete instructions for customers on the most straightforward way to obtain the free reissued certificate the company is offering.

And why were Thawte's systems issuing duplicate certificates in the first place?

Our man at Thawte said that since the firm was acquired by Verisign, two different types of signing have been applied. He suggested this was the root cause of the problem, which, he was keen to add, has since been fixed. ®
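As an added illustration (not Thawte's code or any real CA's logic), the toy model below shows why one issuer with two independently counting signing paths produces duplicate serials, how an audit check would spot them, and why revoking one certificate then marks its twin as revoked on a CRL that identifies certificates by issuer and serial alone. The signing-path names and subjects are constructed.

```python
import itertools


class ModelCA:
    """Toy CA. shared_allocator=False models two signing paths that each keep
    their own serial counter (the failure described above); True models a
    single allocator that every signing path must use (the fix)."""

    def __init__(self, signing_paths, shared_allocator):
        self.shared_allocator = shared_allocator
        self._shared = itertools.count(1)
        self._per_path = {p: itertools.count(1) for p in signing_paths}
        self.issued = {}   # serial -> list of subjects holding a cert with that serial
        self.crl = set()   # serials currently listed as revoked

    def issue(self, subject, signing_path):
        counter = self._shared if self.shared_allocator else self._per_path[signing_path]
        serial = next(counter)
        # Each certificate still gets its own key pair; only the serial can collide.
        self.issued.setdefault(serial, []).append(subject)
        return serial

    def revoke(self, serial):
        self.crl.add(serial)

    def crl_status(self, serial):
        # A relying party checking the CRL knows only issuer + serial number.
        return "revoked" if serial in self.crl else "good"


def duplicate_serials(ca):
    """Serials carried by more than one certificate (the audit check)."""
    return sorted(s for s, subjects in ca.issued.items() if len(subjects) > 1)


def revoke_and_report(ca, serial):
    """Revoke one serial, then report how every holder of that serial now looks."""
    ca.revoke(serial)
    return {subject: ca.crl_status(serial) for subject in ca.issued.get(serial, [])}


if __name__ == "__main__":
    # Constructed names: two signing paths with independent counters.
    buggy = ModelCA(["legacy_signer", "verisign_signer"], shared_allocator=False)
    a = buggy.issue("shop.example", "legacy_signer")
    buggy.issue("bank.example", "verisign_signer")
    print(duplicate_serials(buggy))      # [1]
    print(revoke_and_report(buggy, a))   # both subjects show 'revoked'
```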

Thawte's customer notification email

Dear Customer,

Thawte's digital certificate issuance system assigns a serial number to each Thawte certificate that is issued. Recently, we discovered it was possible for the system to assign the same serial number to more than one Thawte certificate. Because we take all such matters very seriously, we immediately resolved the problem, and do not expect it to be an issue going forward.

However, we have learned that you are among the customers whose Thawte certificates contain a serial number associated with another certificate. It is important to note that your certificate's security functionality has not been compromised in any way. It still fully authenticates your specified entity and provides complete encryption. Similarly, the certificate validity status shown on the certificate itself (which can be accessed by double-clicking on the lock icon), as well as on the Thawte Site Seal, is absolutely correct and also unaffected.

There is a minor related issue that may require some action on your part. Essentially, it is possible for your certificate to be incorrectly listed as "revoked" on Thawte's Certificate Revocation List (CRL). While this does not affect the secure operation of your certificate, it nonetheless needs to be corrected so that your customers always know your certificate is valid and in good standing in every possible scenario.

Your customers are not likely to see any impact from the above-mentioned CRL scenario, since current browser versions do not automatically validate the CRL by default. However, we strongly recommend you obtain a reissued certificate to completely eliminate any possibility now and for the future, where automatic validation may occur by default in future browser versions. During the next two weeks we will be sending you an email message with complete instructions to enable you to get your free reissued certificate in the quickest and most convenient way possible.

In the meantime, if you cannot wait for our invitation to reissue your certificate, and you would like to know the status of your Thawte certificate, please go to https://www.thawte.com/cgi/server/checkDuplicateSerials.exe with your certificate order number and follow the instructions.

If you would like more information, please go to http://www.thawte.com/serial_faq.html to view our Frequently Asked Questions or you can contact us via:

* email at certreissue@thawte.com

* log a ticket on https://www.thawte.com/cgi/support/contents.exe

* chat - click on the link at http://www.thawte.com/html/SUPPORT/popups/contactsSUPPORT.html

For additional questions or concerns, you can contact us via email at pr@thawte.com.

External Links

Frequently Asked Questions on Duplicate Serial Numbers, by Thawte
SSL.org - everything you've ever wanted to know about digital certificate but have been too frightened to ask
