VeriSign Confirms Root Certificates Safe and
Offers Free Re-issuance to Customers Affected by Linux Vulnerability
Internet Security Leader Confirms that VeriSign, GeoTrust, thawte
and RapidSSL Roots and Intermediate Roots Remain Safe; Offers Free Revoke-and-Replace
Service
Mountain View, Calif. – May 19, 2008 – As a newly discovered
Internet security flaw sends online businesses running for cover, VeriSign,
Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure
services for the networked world, today announced a program to safeguard
any of its customers’ Secure Sockets Layer (SSL) Certificates free of
charge through June 30, 2008. The program also applies to customers
of GeoTrust®, thawte® and RapidSSL® Certificates.
Discovered just last week, the serious vulnerability
affects encryption key pairs generated with specific Debian versions
of the Linux operating system and allows hackers to view encrypted transaction
data and potentially steal consumers’ passwords, financial account and
credit card numbers and Social Security numbers.
Although the roots and intermediate roots used by VeriSign’s
SSL, code signing and client certificate brands – VeriSign,
GeoTrust, thawte and RapidSSL – are unaffected
by the security flaw, some customers using any of the four certificate
brands may have used one of the compromised Linux OS versions to generate
key pairs for the individual certificates they employ. This may make
those customers’ authentication, encryption, and digital signing transactions
vulnerable to hackers.
In the interest of ensuring continued protection for
all online transactions involving customers of VeriSign or its other
certificate brands, the company today announced that it will revoke
and replace any SSL, code signing or client certificate free of charge.
Companies employing SSL from VeriSign can investigate their own certificate
and cryptographic practices and replace any required certificates directly
from VeriSign. The free program will remain in force through June
30, 2008.
The flaw applies to all software applications using
key pairs generated on versions of the Debian operating system and its
derivatives (such as Ubuntu) released between Sept. 17, 2006 and May
12, 2008. Although responsibility for the security flaw rests with vendors
of those Linux OS versions, it is up to individual site operators to
make sure they install recently issued patches that fix the vulnerability
and subsequently replace flawed SSL Certificates with safe ones.
“While there’s no fundamental vulnerability that exists
inside VeriSign, GeoTrust, thawte or RapidSSL Certificates, VeriSign
recognizes that a secure Internet is essential to the success of online
commerce,” said Chris Babel, senior vice president, SSL, VeriSign.
“For that reason we’re initiating this effort to replace any questionable
SSL Certificate free of charge. Any unsafe certificate requires
immediate replacement, and online businesses have no time to lose. We
encourage them to take action as soon as possible.”
Babel added, “For the continued security of online
business worldwide, we recommend that owners of other brands of certificates
scrutinize them immediately to determine whether or not the certificates
are safe for continued use. Likewise, we recommend the immediate
investigation of all self-signed CAs for similar vulnerability. Site
operators should contact the CA to determine if its trusted roots and
intermediates were issued off Debian or derivative operating systems.
If the CA’s roots prove to be compromised by this security flaw, the
recommended practice is for that administrator to immediately discontinue
use of those certificates and replace them with certificates from another,
uncompromised CA.”
Customers can access information about revocation
and replacement functionality for each brand of certificate at the following
sites:
VeriSign branded SSL Certificates:
http://www.verisign.com/ssl/current-ssl-customers/manage-ssl-certificates/index.html#revoke
thawte branded SSL Certificates:
http://www.thawte.com/reissue/?click=buyssl-buttonsleft
GeoTrust branded SSL Certificates:
http://www.geotrust.com/resources/cert_reissuance/index.asp
RapidSSL branded SSL Certificates:
https://products.geotrust.com/geocenter/reissuance/reissue.do
About VeriSign
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure
services for the networked world. Billions of times each day, VeriSign
helps companies and consumers all over the world engage in communications
and commerce with confidence. Additional news and information about
the company is available at www.verisign.com.
Contacts
Media relations: Christina Rohall, crohall@verisign.com,
650-336-4663
Investor Relations: Nancy Fazioli, ir@verisign.com, 650-426-5146
Statements in this announcement other than historical
data and information constitute forward-looking statements within the
meaning of Section 27A of the Securities Act of 1933 and Section 21E
of the Securities Exchange Act of 1934. These statements involve risks
and uncertainties that could cause VeriSign's actual results to differ
materially from those stated or implied by such forward-looking statements.
The potential risks and uncertainties include, among others, the uncertainty
of future revenue and profitability and potential fluctuations in quarterly
operating results due to such factors as the inability of VeriSign to
successfully develop and market new products and services and customer
acceptance of any new products or services, including VeriSign EV SSL
solutions; the possibility that VeriSign’s announced new services
may not result in additional customers, profits or revenues; and increased
competition and pricing pressures. More information about potential
factors that could affect the company's business and financial results
is included in VeriSign's filings with the Securities and Exchange Commission,
including in the company's Annual Report on Form 10-K for the year ended
December 31, 2007 and quarterly reports on Form 10-Q. VeriSign undertakes
no obligation to update any of the forward-looking statements after
the date of this press release.