VeriSign and Mozilla Respond to SSL Security Loophole

(WEB HOST INDUSTRY REVIEW) — Infrastructure services provider VeriSign (www.verisign.com) has issued a statement reassuring millions of SSL customers that all VeriSign certificates, including those sold under its GeoTrust, thawte and RapidSSL brands, are safe from the threats outlined last week at the Black Hat security conference (www.blackhat.com). Those threats include vulnerabilities in the SSL certificate issuing process that could allow an impostor to pose as any website.

Presented last week by security experts Dan Kaminsky of IOActive and independent researcher Moxie Marlinspike, the null-character threat lets an attacker use null characters embedded in some SSL certificates to fool nearly all mainstream browsers into accepting the certificate as belonging to another site. According to VeriSign’s announcement, none of VeriSign’s SSL Certificates are issued with null characters in the common name, so VeriSign certificates cannot be used in this type of attack.
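To make the flaw concrete, the following added example (not code from the article, VeriSign or Mozilla) models a hostname check that treats the certificate's Common Name as a C-style string, which stops at the first null byte, beside the length-aware check a client should perform. The CN values are constructed for illustration and use the reserved .example domain.

```python
# Added example: why an embedded NUL byte in a certificate Common Name defeats a
# length-unaware hostname comparison, and the client-side checks that close the gap.
# CRAFTED_CN and LEGIT_CN are constructed sample values, not real certificate data.

def c_string(data: bytes) -> bytes:
    """Model a C-style string read: everything before the first NUL byte."""
    nul = data.find(b"\x00")
    return data if nul < 0 else data[:nul]

def vulnerable_match(cn: bytes, hostname: str) -> bool:
    """The flawed comparison: the CN is consumed as a C string, so any bytes after
    an embedded NUL are silently dropped before the name is compared."""
    return c_string(cn) == hostname.encode("ascii")

def contains_nul(cn: bytes) -> bool:
    """Defender check 1: a DNS name can never legitimately contain a NUL byte,
    so its presence in a CN is itself grounds for rejection."""
    return b"\x00" in cn

def safe_match(cn: bytes, hostname: str) -> bool:
    """Defender check 2: reject NUL outright, then compare the full decoded name
    (length-aware and case-insensitive, as DNS names are), never a truncated prefix."""
    if contains_nul(cn):
        return False
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    return name.lower() == hostname.lower()

def audit(cn: bytes, hostname: str) -> dict:
    """Run both comparisons side by side so the divergence is visible."""
    return {
        "has_nul": contains_nul(cn),
        "vulnerable_match": vulnerable_match(cn, hostname),
        "safe_match": safe_match(cn, hostname),
    }

# Constructed: a CN whose bytes continue past an embedded NUL. A truncating client
# sees only "www.bank.example"; a length-aware client sees the whole value.
CRAFTED_CN = b"www.bank.example\x00other.example"
LEGIT_CN = b"www.bank.example"

if __name__ == "__main__":
    for cn in (LEGIT_CN, CRAFTED_CN):
        print(cn, audit(cn, "www.bank.example"))
```

The crafted CN passes the truncating check and fails the length-aware one, which is exactly the gap the browser patches and the CA issuance policies described in this article are meant to close.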

“It’s natural to be concerned when security experts uncover vulnerabilities that can open an organization and its customers to attack, but site operators can rest assured that SSL Certificates from VeriSign cannot be used as part of the SSL threats revealed this week,” VeriSign product marketing vice president Tim Callan said in a statement. “Until client software vendors can fix these vulnerabilities in their applications and operating systems, solutions like VeriSign EV SSL provide effective and reliable protection against these potential threats.”

VeriSign’s defensive capability applies both to customer-facing and non-customer-facing systems, such as auto-updating desktop applications.

Experts also think certificates using Message Digest Algorithm 2 (MD2) may be subject to pre-image attacks, rendering this hash function untrustworthy. Since May 2009, however, VeriSign has issued SSL Certificates using SHA-1, designed by the National Security Agency, assuring existing VeriSign customers that they are not vulnerable to this attack and that their certificates do not need to be replaced.

Software developer Mozilla, too, has issued security updates, Firefox 3.5.2 and 3.0.13, patching flaws in SSL-protected communication. An official blog post reads, “We strongly recommend that all Firefox users upgrade to this latest release.” Those with Firefox 3.5 or Firefox 3 installed will receive an automated update notification.

UPDATE: SSL Certificate provider GlobalSign (www.globalsign.com) reassured customers in a Wednesday announcement that its SSL and EV SSL Certificates are already protected against the newly outlined Null Character attack and the MD2 vulnerability threats.

“GlobalSign has been issuing certificates to provide the strongest SSL security since 1996, and we were one of the first Certificate Authorities to have the foresight to create and distribute a 2,048-bit Root Certificate,” GlobalSign Marketing Director Steve Waite said in a statement. “[T]he fact that we already protect against these new vulnerabilities, as well as provide further assurances against future attacks with 2,048-bit Root Certificates and free SGC security, reinforces our 12-year-plus commitment to providing the strongest SSL security for our customers.”
