Information Security News mailing list archives

Thawte issues doppelganger certs warning


From: InfoSec News <isn () c4i org>
Date: Fri, 18 Jul 2003 02:54:46 -0500 (CDT)

http://www.theregister.co.uk/content/55/31808.html

By John Leyden
Posted: 17/07/2003 

Digital certificate specialist Thawte has discovered that its systems 
have issued certificates with duplicate serial numbers over the last few 
months. 

Because a certificate revocation list identifies a certificate by its 
serial number alone, if one of a duplicate pair is revoked the other 
will show up as revoked too. Which is a pain. But the essential 
encryption and authentication functions are not affected. 

A technical rep for the South Africa-based security firm assured us 
that each private key obtained for a certificate is unique regardless 
of the certificate's serial number. We're thankfully not looking at a 
repeat of the incident two years ago when Verisign mistakenly issued a 
pair of digital certificates to scam artists in Microsoft's name. 
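The following Go program is an added example, not code from the article or from Thawte, that reproduces the mechanism behind the two paragraphs above using only the standard library: a throwaway CA issues two certificates under the same serial number but with separate keys, revokes that serial, and a CRL-checking client then looks each certificate up. The CA name, the hostnames and the serial value 0x1234 are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a fresh P-256 key for tmpl, signs it with parentKey (or with its own
// key when parent is nil) and returns the parsed certificate. The library never refuses
// a serial it already issued: uniqueness per issuer (RFC 5280, 4.1.2.2) is the CA's job.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// leafTemplate describes a one-day server certificate for cn under the given serial.
func leafTemplate(cn string, serial *big.Int) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
}

// revokeSerial publishes a CRL from ca listing exactly one serial as revoked.
func revokeSerial(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int) *x509.RevocationList {
	now := time.Now()
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// revokedByCRL does what a CRL-checking client does: confirm the CRL comes from the
// certificate's issuer and is properly signed, then look the certificate up by serial
// number alone. A CRL entry carries no key, name or fingerprint to tell twins apart.
func revokedByCRL(cert, issuer *x509.Certificate, crl *x509.RevocationList) bool {
	if !bytes.Equal(cert.RawIssuer, issuer.RawSubject) || !bytes.Equal(crl.RawIssuer, issuer.RawSubject) {
		return false // a CRL from some other issuer says nothing about this certificate
	}
	must(crl.CheckSignatureFrom(issuer))
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

type Result struct{ SameSerial, SameKey, SameFingerprint, ARevoked, BRevoked bool }

// DuplicateSerialDemo issues two certificates under one serial, revokes the first,
// and reports how each fares against the resulting CRL.
func DuplicateSerialDemo() Result {
	now := time.Now()
	ca, caKey := mint(&x509.Certificate{ // CA name is an assumption for the example
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	serial := big.NewInt(0x1234) // assumed colliding serial; the hostnames below are assumed too
	a, _ := mint(leafTemplate("www.example.com", serial), ca, caKey)
	b, _ := mint(leafTemplate("mail.example.net", serial), ca, caKey)
	crl := revokeSerial(ca, caKey, a.SerialNumber) // the operator meant to revoke only a
	return Result{
		SameSerial:      a.SerialNumber.Cmp(b.SerialNumber) == 0,
		SameKey:         bytes.Equal(a.RawSubjectPublicKeyInfo, b.RawSubjectPublicKeyInfo),
		SameFingerprint: sha256.Sum256(a.Raw) == sha256.Sum256(b.Raw),
		ARevoked:        revokedByCRL(a, ca, crl),
		BRevoked:        revokedByCRL(b, ca, crl),
	}
}

func main() {
	fmt.Printf("%+v\n", DuplicateSerialDemo())
}
```

Both certificates come back revoked while their keys and fingerprints differ, which is exactly the split the article describes: authentication and encryption intact, revocation status ambiguous. Checking the CRL signature does not help, because the CRL genuinely comes from the issuer; the only fix is the one Thawte chose, reissuing under fresh serials and making the issuance database enforce uniqueness per issuer. The same ambiguity would affect OCSP, whose requests also identify a certificate by issuer and serial number.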

Nonetheless there's a problem of trust here, which Thawte 
acknowledges, where a prospective customer might encounter problems 
verifying a site's credentials. 

To its credit, Thawte has been proactive about notifying affected 
customers this afternoon by email. The issue came to light during a 
routine disaster recovery and internal audit operation last month. 

Since then Thawte techies have been developing tools to help identify 
potential serial number conflicts, and assuring themselves that more 
serious problems were not afoot - which happily they weren't. Over the next two 
weeks Thawte will send out another email message with complete 
instructions for customers on the most straightforward way to obtain a 
free reissued certificate the company is offering. 

And why were Thawte's systems issuing duplicate serial numbers in the 
first place? 

Our man at Thawte said that since the firm was acquired by Verisign 
two different types of signing have been applied. He suggested this 
was the root cause of the problem which, he was keen to add, has since 
been fixed.

-=-

Thawte's customer notification email 

Dear Customer, 

Thawte's digital certificate issuance system assigns a serial number 
to each Thawte certificate that is issued. Recently, we discovered it 
was possible for the system to assign the same serial number to more 
than one Thawte certificate. Because we take all such matters very 
seriously, we immediately resolved the problem, and do not expect it 
to be an issue going forward. 

However, we have learned that you are among the customers whose Thawte 
certificates contain a serial number associated with another 
certificate. It is important to note that your certificate's security 
functionality has not been compromised in any way. It still fully 
authenticates your specified entity and provides complete encryption. 
Similarly, the certificate validity status shown on the certificate 
itself (which can be accessed by double-clicking on the lock icon), as 
well as on the Thawte Site Seal, is absolutely correct and also 
unaffected. 

There is a minor related issue that may require some action on your 
part. Essentially, it is possible for your certificate to be 
incorrectly listed as "revoked" on Thawte's Certificate Revocation 
List (CRL). While this does not affect the secure operation of your 
certificate, it nonetheless needs to be corrected so that your 
customers always know your certificate is valid and in good standing 
in every possible scenario. 

Your customers are not likely to see any impact from the 
above-mentioned CRL scenario, since current browser versions do not 
automatically validate the CRL by default. However, we strongly 
recommend you obtain a reissued certificate to completely eliminate 
any possibility now and for the future, where automatic validation may 
occur by default in future browser versions. During the next two weeks 
we will be sending you an email message with complete instructions to 
enable you to get your free reissued certificate in the quickest and 
most convenient way possible. 

In the meantime, if you cannot wait for our invitation to reissue your 
certificate, and you would like to know the status of your Thawte 
certificate, please go to 
https://www.thawte.com/cgi/server/checkDuplicateSerials.exe with your 
certificate order number and follow the instructions. 

If you would like more information, please go to 
http://www.thawte.com/serial_faq.html to view our Frequently Asked 
Questions or you can contact us via: 

* email at certreissue () thawte com 

* log a ticket on https://www.thawte.com/cgi/support/contents.exe 

* chat - click on the link at 
http://www.thawte.com/html/SUPPORT/popups/contactsSUPPORT.html 

For additional questions or concerns, you can contact us via email at 
pr () thawte com. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.