Thawte issues doppelganger certs warning

Digital certificate specialist Thawte has discovered that its systems have issued certificates with duplicate numbers over the last few months.

If one of a pair of certificates sharing a serial number is revoked, the other will also be disavowed, because revocation lists identify certificates by issuer and serial number alone. Which is a pain. But essential encryption and security functions are not affected.

A technical rep for the South Africa-based security firm assured us that each private key obtained for a certificate is unique regardless of the certificate's serial number. We're thankfully not looking at a repeat of the incident two years ago when Verisign mistakenly issued a pair of digital certificates to scam artists in Microsoft's name.

Nonetheless there's a problem of trust here, which Thawte acknowledges: a potential customer might encounter problems verifying a site's credentials.

To its credit, Thawte has been proactive about notifying affected customers this afternoon by email. The issue came to light during a routine disaster recovery and internal audit operation last month.

Since then Thawte techies have been developing tools to help identify potential number conflicts, and assuring themselves that more serious problems were not afoot, which happily they weren't. Over the next two weeks Thawte will send out another email message with complete instructions for customers on the most straightforward way to obtain the free reissued certificate the company is offering.

And why were Thawte's systems issuing duplicate certificates in the first place?

Our man at Thawte said that since the firm was acquired by Verisign, two different types of signing have been applied. He suggested this was the root cause of the problem, which, he was keen to add, has since been fixed. ®
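The two practical consequences described above, collateral revocation and the need for a duplicate-serial audit, can be modelled in a few lines. This is an added example, not Thawte's tooling or the article's own code; the CA names, serial numbers and subjects are constructed.

```python
from collections import defaultdict

# Constructed inventory of issued certificates as (issuer, serial, subject).
# Serial 0x1A2B has been handed to two unrelated subscribers of the same CA,
# the failure mode the article describes. The "Other CA" entry shows that the
# same serial under a different issuer is not a clash.
ISSUED = [
    ("CN=Example CA", 0x1A2A, "CN=alpha.example"),
    ("CN=Example CA", 0x1A2B, "CN=bravo.example"),
    ("CN=Example CA", 0x1A2B, "CN=charlie.example"),
    ("CN=Example CA", 0x1A2C, "CN=delta.example"),
    ("CN=Other CA",   0x1A2B, "CN=echo.example"),
]


def find_duplicate_serials(issued):
    """Audit an issuance log for serials an issuer used more than once.
    Serials only need to be unique per issuer (RFC 5280 section 4.1.2.2),
    so the key is the (issuer, serial) pair, not the serial on its own."""
    by_key = defaultdict(list)
    for issuer, serial, subject in issued:
        by_key[(issuer, serial)].append(subject)
    return {key: subs for key, subs in by_key.items() if len(subs) > 1}


def revocation_status(cert, crl):
    """A CRL entry names only the serial under the issuing CA; it carries no
    subject, so every certificate sharing that serial matches the entry."""
    issuer, serial, _subject = cert
    return "revoked" if serial in crl.get(issuer, set()) else "good"


def revoke_subject(issued, crl, issuer, subject):
    """Revoke one subscriber's certificate by adding its serial to the CRL,
    then report every subject that now reads as revoked (the doppelganger
    is dragged along because the CRL cannot tell the two apart)."""
    for iss, serial, subj in issued:
        if iss == issuer and subj == subject:
            crl.setdefault(issuer, set()).add(serial)
    return sorted(c[2] for c in issued if revocation_status(c, crl) == "revoked")


if __name__ == "__main__":
    print("duplicate serials:", find_duplicate_serials(ISSUED))
    crl = {}
    print("after revoking bravo:",
          revoke_subject(ISSUED, crl, "CN=Example CA", "CN=bravo.example"))
```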

Thawte's customer notification email

Dear Customer,

Thawte's digital certificate issuance system assigns a serial number to each Thawte certificate that is issued. Recently, we discovered it was possible for the system to assign the same serial number to more than one Thawte certificate. Because we take all such matters very seriously, we immediately resolved the problem, and do not expect it to be an issue going forward.

However, we have learned that you are among the customers whose Thawte certificates contain a serial number associated with another certificate. It is important to note that your certificate's security functionality has not been compromised in any way. It still fully authenticates your specified entity and provides complete encryption. Similarly, the certificate validity status shown on the certificate itself (which can be accessed by double-clicking on the lock icon), as well as on the Thawte Site Seal, is absolutely correct and also unaffected.

There is a minor related issue that may require some action on your part. Essentially, it is possible for your certificate to be incorrectly listed as "revoked" on Thawte's Certificate Revocation List (CRL). While this does not affect the secure operation of your certificate, it nonetheless needs to be corrected so that your customers always know your certificate is valid and in good standing in every possible scenario.

Your customers are not likely to see any impact from the above-mentioned CRL scenario, since current browser versions do not automatically validate the CRL by default. However, we strongly recommend you obtain a reissued certificate to completely eliminate any possibility now and for the future, where automatic validation may occur by default in future browser versions. During the next two weeks we will be sending you an email message with complete instructions to enable you to get your free reissued certificate in the quickest and most convenient way possible.

In the meantime, if you cannot wait for our invitation to reissue your certificate, and you would like to know the status of your Thawte certificate, please go to https://www.thawte.com/cgi/server/checkDuplicateSerials.exe with your certificate order number and follow the instructions.

If you would like more information, please go to http://www.thawte.com/serial_faq.html to view our Frequently Asked Questions or you can contact us via:

* email at certreissue@thawte.com

* log a ticket on https://www.thawte.com/cgi/support/contents.exe

* chat - click on the link at http://www.thawte.com/html/SUPPORT/popups/contactsSUPPORT.html

For additional questions or concerns, you can contact us via email at pr@thawte.com.

External Links

Frequently Asked Questions on Duplicate Serial Numbers, by Thawte
SSL.org - everything you've ever wanted to know about digital certificates but have been too frightened to ask
