[ISN] Thawte issues doppelganger certs warning

From: InfoSec News (isnat_private)
Date: Fri Jul 18 2003 - 00:54:46 PDT


    http://www.theregister.co.uk/content/55/31808.html
    
    By John Leyden
    Posted: 17/07/2003 
    
    Digital certificate specialist Thawte has discovered that its systems 
    have issued certificates with duplicate numbers over the last few 
    months. 
    
    If one of the paired certificates is revoked, the other will also be 
    disavowed, because a CRL entry identifies a certificate only by its 
    serial number. Which is a pain. But essential encryption and security 
    functions are not affected. 
    
    A technical rep for the South Africa-based security firm assured us 
    that each private key obtained for a certificate is unique regardless 
    of the certificate's serial number. We're thankfully not looking at a 
    repeat of the incident two years ago when Verisign mistakenly issued a 
    pair of digital certificates to scam artists in Microsoft's name. 
    
    Nonetheless there's a problem of trust here, which Thawte 
    acknowledges, where a potential customer might encounter problems 
    verifying a site's credentials. 
    
    To its credit, Thawte has been proactive about notifying affected 
    customers this afternoon by email. The issue came to light during a 
    routine disaster recovery and internal audit operation last month. 
    
    Since then Thawte techies have been developing tools to help identify 
    potential number conflicts, and assuring themselves that more serious 
    problems were not afoot - which happily they aren't. Over the next two 
    weeks Thawte will send out another email message with complete 
    instructions for customers on the most straightforward way to obtain a 
    free reissued certificate the company is offering. 
    
    And why were Thawte's systems issuing duplicate certificates in the 
    first place? 
    
    Our man at Thawte said that since the firm was acquired by Verisign 
    two different types of signing have been applied. He suggested this 
    was the root cause of the problem, which he was keen to add, has since 
    been fixed.
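    The collision the article describes, as an added example that is not
    from the article or from Thawte: a CRL lists revoked certificates by
    serial number relative to the issuing CA, so a revocation of one of
    two certificates sharing a serial also matches the other. The script
    below walks the leading TBSCertificate fields of DER certificates to
    audit a batch for duplicate (issuer, serial) pairs, then shows the
    CRL lookup treating both duplicates as revoked. The certificate
    bytes are constructed skeletons (no key, no signature, placeholder
    Name encodings), and the CA names and hostnames are made up; the
    parser reads only the fields it needs, in real X.509 order, so the
    audit half also works on genuine DER input for those fields.

```python
"""Duplicate-serial audit and CRL collision demo (constructed example)."""
from collections import defaultdict


# ---- minimal DER encode/decode, only what this example needs --------------

def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Non-negative INTEGER, with the leading 0x00 DER requires if bit 7 is set."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos=0):
    """Return (tag, body, position just after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def make_cert(issuer, serial, subject):
    """Constructed certificate skeleton: real TBSCertificate field order up to
    subject, placeholder encodings for Name/AlgorithmIdentifier/validity,
    empty signature. Not a valid certificate; enough for the parser below."""
    tbs = (tlv(0xA0, der_int(2))             # [0] EXPLICIT version (v3)
           + der_int(serial)                 # serialNumber
           + tlv(0x30, b"")                  # signature AlgorithmIdentifier
           + tlv(0x30, tlv(0x0C, issuer))    # issuer Name (placeholder)
           + tlv(0x30, b"")                  # validity (placeholder)
           + tlv(0x30, tlv(0x0C, subject)))  # subject Name (placeholder)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


def issuer_serial_subject(cert):
    """Walk the TBSCertificate prefix: [version] serial sigAlg issuer validity subject."""
    _, cert_body, _ = read_tlv(cert)           # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body)            # tbsCertificate SEQUENCE
    tag, body, pos = read_tlv(tbs)
    if tag == 0xA0:                            # version is OPTIONAL; skip if present
        tag, body, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(body, "big", signed=True)
    _, _, pos = read_tlv(tbs, pos)             # signature AlgorithmIdentifier
    start = pos
    _, _, pos = read_tlv(tbs, pos)             # issuer Name: raw DER is the key
    issuer = tbs[start:pos]
    _, _, pos = read_tlv(tbs, pos)             # validity
    start = pos
    _, _, pos = read_tlv(tbs, pos)             # subject Name
    return issuer, serial, tbs[start:pos]


def duplicate_serials(certs):
    """Map each (issuer, serial) seen more than once to the subjects sharing it."""
    seen = defaultdict(list)
    for cert in certs:
        issuer, serial, subject = issuer_serial_subject(cert)
        seen[(issuer, serial)].append(subject)
    return {k: v for k, v in seen.items() if len(v) > 1}


def is_revoked(cert, crl_entries):
    """A CRL names serials relative to its issuer, never subjects, so every
    certificate sharing (issuer, serial) with a listed entry looks revoked."""
    issuer, serial, _ = issuer_serial_subject(cert)
    return (issuer, serial) in crl_entries


# Constructed batch: two certs from the same CA sharing serial 0x1234, one
# with a distinct serial, and one from another CA reusing the same number.
CA_A, CA_B = b"CN=Example CA A", b"CN=Example CA B"
CERTS = [
    make_cert(CA_A, 0x1234, b"www.site-one.example"),
    make_cert(CA_A, 0x1234, b"www.site-two.example"),
    make_cert(CA_A, 0x1235, b"www.site-three.example"),
    make_cert(CA_B, 0x1234, b"www.other.example"),
]


def demo():
    """Revoke only site-one; report duplicates and per-cert CRL status."""
    dupes = duplicate_serials(CERTS)
    crl = {issuer_serial_subject(CERTS[0])[:2]}
    return dupes, [is_revoked(c, crl) for c in CERTS]


if __name__ == "__main__":
    dupes, status = demo()
    for (_, serial), subjects in dupes.items():
        print(f"serial {serial:#x} issued {len(subjects)} times: {subjects}")
    print("revoked per CRL:", status)
```

    The audit keys on the issuer's raw DER bytes rather than a parsed
    distinguished name, which is sufficient for certificates from one CA
    with a stable issuer encoding; the second CA's certificate is
    untouched by the first CA's CRL even though it carries the same
    serial, which is the scoping RFC 5280 CRLs rely on.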
    
    -=-
    
    Thawte's customer notification email 
    
    Dear Customer, 
    
    Thawte's digital certificate issuance system assigns a serial number 
    to each Thawte certificate that is issued. Recently, we discovered it 
    was possible for the system to assign the same serial number to more 
    than one Thawte certificate. Because we take all such matters very 
    seriously, we immediately resolved the problem, and do not expect it 
    to be an issue going forward. 
    
    However, we have learned that you are among the customers whose Thawte 
    certificates contain a serial number associated with another 
    certificate. It is important to note that your certificate's security 
    functionality has not been compromised in any way. It still fully 
    authenticates your specified entity and provides complete encryption. 
    Similarly, the certificate validity status shown on the certificate 
    itself (which can be accessed by double-clicking on the lock icon), as 
    well as on the Thawte Site Seal, is absolutely correct and also 
    unaffected. 
    
    There is a minor related issue that may require some action on your 
    part. Essentially, it is possible for your certificate to be 
    incorrectly listed as "revoked" on Thawte's Certificate Revocation 
    List (CRL). While this does not affect the secure operation of your 
    certificate, it nonetheless needs to be corrected so that your 
    customers always know your certificate is valid and in good standing 
    in every possible scenario. 
    
    Your customers are not likely to see any impact from the above 
    mentioned CRL scenario, since current browser versions do not 
    automatically validate the CRL by default. However, we strongly 
    recommend you obtain a reissued certificate to completely eliminate 
    any possibility now and for the future, where automatic validation may 
    occur by default in future browser versions. During the next two weeks 
    we will be sending you an email message with complete instructions to 
    enable you to get your free reissued certificate in the quickest and 
    most convenient way possible. 
    
    In the meantime, if you cannot wait for our invitation to reissue your 
    certificate, and you would like to know the status of your Thawte 
    certificate, please go to 
    https://www.thawte.com/cgi/server/checkDuplicateSerials.exe with your 
    certificate order number and follow the instructions. 
    
    If you would like more information, please go to 
    http://www.thawte.com/serial_faq.html to view our Frequently Asked 
    Questions or you can contact us via: 
    
    * email at certreissueat_private 
    
    * log a ticket on https://www.thawte.com/cgi/support/contents.exe 
    
    * chat - click on the link at 
    http://www.thawte.com/html/SUPPORT/popups/contactsSUPPORT.html 
    
    For additional questions or concerns, you can contact us via email at 
    prat_private 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    