This is a service of EIN news a digital news provider

Serious Error in SSL Certificates GeoTrust and RapidSSL

March 12, 2010 -- SSL certificates from GeoTrust and RapidSSL have been issued incorrectly because of a faulty update in the systems of VeriSign, which manages both providers. Certificates issued from March 3 till March 12 are by default valid for the root domain as well. Networking4all, a Dutch provider of security certificates, has built a tool to verify whether a certificate is affected.
Several Certificate Authorities already add the additional domain to the certificate automatically. VeriSign recently decided to offer this service to customers of GeoTrust and RapidSSL as well, but an error crept into the implementation.
When applying for a certificate for www.yourdomain.com, users also get the domain itself, that is, yourdomain.com without www. The problem arises when a certificate is requested for a subdomain, as happens with many Internet providers. Someone who applies for a certificate for customer.domain.com gets domain.com for free as a SAN (Subject Alternative Name), because of the issuance bug at GeoTrust and RapidSSL.
The tool at www.ismysitesafe.com lets anyone who recently purchased a possibly affected certificate verify whether the certificate should be replaced.
For many sites the bug is harmless, and most people will not notice the error or make use of it. But a single individual abusing the situation is enough to punish VeriSign. For example, someone could deliberately request a certificate for a subdomain in order to eavesdrop on the root domain, for instance by means of a man-in-the-middle attack.
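The condition described above, a certificate requested for customer.domain.com that also lists domain.com as a SAN and was issued from March 3 till March 12, can be checked mechanically. The following is an added example, not part of the original release and not the code behind the ismysitesafe.com tool; it assumes certificates in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`, runs on constructed sample data, and all function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Window from the release; the year is taken from its March 12, 2010 dateline.
WINDOW = (datetime(2010, 3, 3, tzinfo=timezone.utc),
          datetime(2010, 3, 12, 23, 59, 59, tzinfo=timezone.utc))

def common_name(cert):
    """Subject CN of a dict shaped like ssl.SSLSocket.getpeercert() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower().rstrip(".")
    return None

def unrequested_parent_sans(cert):
    """DNS SANs equal to the CN minus its first label, unless that label is www."""
    cn = common_name(cert)
    if not cn or cn.count(".") < 2:
        return []
    first, parent = cn.split(".", 1)
    if first in ("www", "*"):  # intended www-stripping; wildcards skipped (assumption)
        return []
    sans = {v.lower().rstrip(".") for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    return [parent] if parent in sans else []

def issued_in_window(cert):
    """Assumption: notBefore is used as a stand-in for the issuance date."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    issued = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return WINDOW[0] <= issued <= WINDOW[1]

def assess(cert):
    """Report the parent-domain SAN and whether the certificate should be replaced."""
    extra = unrequested_parent_sans(cert)
    return {"cn": common_name(cert), "parent_sans": extra,
            "replace": bool(extra) and issued_in_window(cert)}

def _cert(cn, sans, not_before):  # builds constructed sample data, not real certificates
    return {"subject": ((("commonName", cn),),),
            "subjectAltName": tuple(("DNS", s) for s in sans), "notBefore": not_before}

SAMPLES = {
    "subdomain": _cert("customer.domain.com", ["customer.domain.com", "domain.com"], "Mar  5 10:00:00 2010 GMT"),
    "www": _cert("www.yourdomain.com", ["www.yourdomain.com", "yourdomain.com"], "Mar  5 10:00:00 2010 GMT"),
    "later": _cert("customer.domain.com", ["customer.domain.com", "domain.com"], "Apr  2 10:00:00 2010 GMT"),
}
```

The check does not inspect the issuer, so a flagged certificate still needs to be confirmed as a GeoTrust or RapidSSL product before it is reissued.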


