Thawte issues doppelganger certs warning

Digital certificate specialist Thawte has discovered that its systems have issued certificates with duplicate numbers over the last few months.

If one of the paired certificates is revoked, the other will also be disavowed. Which is a pain. But essential encryption and security functions are not affected.

A technical rep for the South Africa-based security firm assured us that each private key obtained for a certificate is unique regardless of the certificate's serial number. We're thankfully not looking at a repeat of the incident two years ago when Verisign mistakenly issued a pair of digital certificates to scam artists in Microsoft's name.

Nonetheless there's a problem of trust here, which Thawte acknowledges, where a potential customer might encounter problems verifying a site's credentials.

To its credit, Thawte has been proactive about notifying affected customers this afternoon by email. The issue came to light during a routine disaster recovery and internal audit operation last month.

Since then Thawte techies have been developing tools to help identify potential number conflicts, and assuring themselves that more serious problems were not afoot - which happily they aren't. Over the next two weeks Thawte will send out another email message with complete instructions for customers on the most straightforward way to obtain a free reissued certificate the company is offering.

And why were Thawte's systems issuing duplicate certificates in the first place?

Our man at Thawte said that since the firm was acquired by Verisign, two different types of signing have been applied. He suggested this was the root cause of the problem, which, he was keen to add, has since been fixed. ®
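The collateral-revocation problem described above, as an added example that is not part of the article or of Thawte's systems: a CRL identifies a revoked certificate only by issuer and serial number, so two certificates that share a serial also share a revocation status even though their keys and subjects differ. The same (issuer, serial) grouping is what a duplicate-serial audit tool needs. All names and data here are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str   # issuing CA's distinguished name
    serial: int   # serial number assigned by the CA
    subject: str  # entity the certificate authenticates
    key_id: str   # fingerprint of the (unique) public key


def find_duplicate_serials(certs):
    """Audit helper: group issued certs by (issuer, serial) and return
    only the groups with more than one member, i.e. the conflicts."""
    by_id = defaultdict(list)
    for c in certs:
        by_id[(c.issuer, c.serial)].append(c)
    return {k: v for k, v in by_id.items() if len(v) > 1}


def crl_status(cert, crl):
    """A CRL carries revoked serials per issuer; it never names the
    subject or the key, so a lookup cannot tell twins apart."""
    return "revoked" if (cert.issuer, cert.serial) in crl else "good"


def revoke(crl, cert):
    """Revoke by the only identifier a CRL entry has."""
    crl.add((cert.issuer, cert.serial))


# Constructed sample issuance log: two unrelated sites received serial 1001.
ISSUED = [
    Cert("CN=Example CA", 1000, "www.alpha.example", "key-A"),
    Cert("CN=Example CA", 1001, "www.beta.example", "key-B"),
    Cert("CN=Example CA", 1001, "www.gamma.example", "key-C"),
    Cert("CN=Example CA", 1002, "www.delta.example", "key-D"),
]


def demo():
    """Revoke only beta's cert; gamma's cert is disavowed along with it."""
    crl = set()
    revoke(crl, ISSUED[1])
    return {c.subject: crl_status(c, crl) for c in ISSUED}


if __name__ == "__main__":
    print("conflicts:", find_duplicate_serials(ISSUED))
    print("status after revoking beta:", demo())
```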

Thawte's customer notification email

Dear Customer,

Thawte's digital certificate issuance system assigns a serial number to each Thawte certificate that is issued. Recently, we discovered it was possible for the system to assign the same serial number to more than one Thawte certificate. Because we take all such matters very seriously, we immediately resolved the problem, and do not expect it to be an issue going forward.

However, we have learned that you are among the customers whose Thawte certificates contain a serial number associated with another certificate. It is important to note that your certificate's security functionality has not been compromised in any way. It still fully authenticates your specified entity and provides complete encryption. Similarly, the certificate validity status shown on the certificate itself (which can be accessed by double-clicking on the lock icon), as well as on the Thawte Site Seal, is absolutely correct and also unaffected.

There is a minor related issue that may require some action on your part. Essentially, it is possible for your certificate to be incorrectly listed as "revoked" on Thawte's Certificate Revocation List (CRL). While this does not affect the secure operation of your certificate, it nonetheless needs to be corrected so that your customers always know your certificate is valid and in good standing in every possible scenario.

Your customers are not likely to see any impact from the above-mentioned CRL scenario, since current browser versions do not automatically validate the CRL by default. However, we strongly recommend you obtain a reissued certificate to completely eliminate any possibility now and for the future, where automatic validation may occur by default in future browser versions. During the next two weeks we will be sending you an email message with complete instructions to enable you to get your free reissued certificate in the quickest and most convenient way possible.

In the meantime, if you cannot wait for our invitation to reissue your certificate, and you would like to know the status of your Thawte certificate, please go to https://www.thawte.com/cgi/server/checkDuplicateSerials.exe with your certificate order number and follow the instructions.

If you would like more information, please go to http://www.thawte.com/serial_faq.html to view our Frequently Asked Questions or you can contact us via:

* email at certreissue@thawte.com
* log a ticket on https://www.thawte.com/cgi/support/contents.exe
* chat - click on the link at http://www.thawte.com/html/SUPPORT/popups/contactsSUPPORT.html

For additional questions or concerns, you can contact us via email at pr@thawte.com.
