The transition to the SHA-1 algorithm came within a few hours of the public unveiling of an MD5 flaw presented by researchers during the 2008 Chaos Communication Congress (CCC) in Berlin, rendering the MD5 flaw ineffective for all new RapidSSL Certificates.
During the Berlin event, researchers presented findings that highlighted an MD5 collision attack using substantial computing power to create a false SSL Certificate using the RapidSSL certificate brand. The attack was a potential method to create a new, false certificate from scratch and required the issuance of new certificates, meaning existing certificates were not targets for this attack.
Because the exploit never impacted certificates already in production on Web sites, including previously issued RapidSSL Certificates or any other VeriSign brand certificate, current certificates used by banks, brokerages, online merchants, and all other SSL-using entities were not affected by this exploit.
"We applaud this team's research and efforts to improve online security as well as their disclosure of the findings for the benefit of the broader Internet community," said Chris Babel, SVP and general manager, VeriSign. "We take issues like these very seriously and work quickly to remedy vulnerabilities that could potentially affect trust and security online."
VeriSign has been phasing out the MD5 hashing algorithm for years. Until the MD5 exploit was made public, VeriSign had planned to discontinue the use of MD5 in customers' certificates by the end of January, 2009. VeriSign has since discontinued using MD5 when issuing RapidSSL Certificates and has confirmed that all other SSL Certificates that VeriSign issues are not vulnerable to this MD5 attack. VeriSign will continue on its path to discontinue MD5 in all end entity certificates by the end of January, 2009.
Though existing end entity certificates are not at risk from this attack, RapidSSL customers who have certificates in place using the MD5 hashing algorithm may choose to replace their certificates with RapidSSL SHA-1 certificates free of charge; VeriSign is temporarily suspending its normal replacement fees for these replacement certificates. For more information, go to http://www.rapidssl.com//ssl-certificate-support/ssl-support.htm
Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as the inability of VeriSign to successfully develop and market new products and services and customer acceptance of any new products or services, including VeriSign EV SSL solutions; the possibility that VeriSign's announced new services may not result in additional customers, profits or revenues; and increased competition and pricing pressures. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2007 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.
©2008 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the checkmark circle, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.