Discovered just last week, the serious vulnerability affects encryption key pairs generated with specific Debian versions of the Linux operating system and allows hackers to view encrypted transaction data and potentially steal consumers' passwords, financial account and credit card numbers and Social Security numbers.
Although the root and intermediate CA certificates used by VeriSign's SSL, code signing and client certificate brands -- VeriSign, GeoTrust, thawte and RapidSSL -- are unaffected by the security flaw, some customers using any of the four certificate brands may have used one of the affected Linux OS versions to generate the key pairs for the individual certificates they employ. This may make those customers' authentication, encryption, and digital signing transactions vulnerable to hackers.
In the interest of ensuring continued protection for all online transactions involving customers of VeriSign or its other certificate brands, the company today announced that it will revoke and replace any SSL, code signing or client certificate free of charge. Companies employing SSL from VeriSign can investigate their own certificate and cryptographic practices and replace any required certificates directly from VeriSign. The free program will remain in force through June 30, 2008.
The flaw applies to all software applications using key pairs generated on versions of the Debian operating system and its derivatives (such as Ubuntu) released between Sept. 17, 2006 and May 12, 2008. Although responsibility for the security flaw rests with vendors of those Linux OS versions, it is up to individual site operators to make sure they install recently issued patches that fix the vulnerability and subsequently replace flawed SSL Certificates with safe ones.
"While there's no fundamental vulnerability that exists inside VeriSign, GeoTrust, thawte or RapidSSL Certificates, VeriSign recognizes that a secure Internet is essential to the success of online commerce," said Chris Babel, senior vice president, SSL, VeriSign. "For that reason we're initiating this effort to replace any questionable SSL Certificate free of charge. Any unsafe certificate requires immediate replacement, and online businesses have no time to lose. We encourage them to take action as soon as possible."
Babel added, "For the continued security of online business worldwide, we recommend that owners of other brands of certificates scrutinize them immediately to determine whether or not the certificates are safe for continued use. Likewise, we recommend the immediate investigation of all self-signed CAs for similar vulnerability. Site operators should contact the CA to determine if its trusted roots and intermediates were issued off Debian or derivative operating systems. If the CA's roots prove to be compromised by this security flaw, the recommended practice is for that administrator to immediately discontinue use of those certificates and replace them with certificates from another, uncompromised CA."
Customers can access information about revocation and replacement functionality for each brand of certificate at the following sites:
VeriSign branded SSL Certificates:
thawte branded SSL Certificates:
GeoTrust branded SSL Certificates:
RapidSSL branded SSL Certificates:
VeriSign, Inc. (
Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as the inability of VeriSign to successfully develop and market new products and services and customer acceptance of any new products or services, including VeriSign EV SSL solutions; the possibility that VeriSign's announced new services may not result in additional customers, profits or revenues; and increased competition and pricing pressures. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2007 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.
©2008 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.