
Thawte Consulting, the SA security firm founded by millionaire Mark Shuttleworth, today sought to address fears over alleged vulnerabilities in its Secure Sockets Layer (SSL) certificates. The fears were raised by Comodo, a UK-based Internet security company.
Comodo reported vulnerabilities in SSL certificates issued by certain certification authorities (CA), naming Thawte specifically.
The vulnerabilities
Comodo said its findings were the results of a nine-month investigation. It had found vulnerabilities which "could cause security issues and break X509 and RFC (request for comment - a standard series) specifications".
The investigation has identified that some of the SSL certificates issued by Thawte have the same serial number duplicated across multiple certificates for unrelated domains. X.509 specifications, according to Comodo, recommend that "the value of the serial number shall be unique for each certificate issued by a CA (the issuer name and serial number identify a unique certificate)".
According to Comodo, RFC 3280 section 4.1.2.2 recommends that "the serial number must be a positive integer. It must be unique for each certificate issued by a CA (the issuer name and serial number identify a unique certificate)."
Robin Alden, head of server solutions at Comodo Research Labs, said: "Every Comodo certificate adheres to processes which would not allow this vulnerability to happen and we were surprised to come across instances of this from other CAs during our investigation."
Commenting on these findings, Melih Abdulhayoglu, chief security architect, Comodo Group, said: "We will be happy to pass our findings onto Thawte so that they can take the necessary remedial action to their certificate-generation procedures."
Comodo offers the InstantSSL range of certificates, which offer two-step validation, 128-bit encryption, 99.3% browser compatibility and fast issuance.
The rebuttal
According to Thawte's MD, Bo Wilson: "We have determined that a subset of valid Thawte server certificates have duplicate serial numbers."
In explaining the problem, he goes on to say: "What this means is that some certificates share a serial number with another Thawte certificate. If a valid certificate shares a serial number with a certificate that has been revoked, the valid certificate would show up as revoked when checked against our CRL (certificate revocation list).
"Thawte certificates have not been compromised. Certificates still authenticate our customers as legitimate entities and encrypt all the sessions as advertised and promised."
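The CRL collision Wilson describes, as an added illustration that is not code from the article or from Thawte: a CRL identifies revoked certificates by serial number scoped to the issuer, so a valid certificate sharing a serial with a revoked one fails the same check. The certificate records, CA name and CRL below are constructed sample data, and find_duplicate_serials is the audit check a CA or auditor would run over an issuance log.

```python
"""Added example: how a duplicated serial number breaks CRL-based revocation.

A CRL lists revoked certificates by serial number only, scoped to the issuer,
so two certificates that share (issuer, serial) are indistinguishable to a
CRL check.  All records below are constructed sample data, not real certificates.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str  # the domain the certificate was issued for


# Constructed issuance log: serial 1001 was (wrongly) issued twice.
ISSUED = [
    Cert("CN=Example CA", 1000, "www.alpha.example"),
    Cert("CN=Example CA", 1001, "www.bravo.example"),
    Cert("CN=Example CA", 1001, "www.charlie.example"),  # duplicate serial
    Cert("CN=Example CA", 1002, "www.delta.example"),
]

# Constructed CRL: the CA revoked only the bravo certificate (serial 1001).
CRL = {"CN=Example CA": {1001}}


def is_revoked(cert: Cert, crl: dict[str, set[int]]) -> bool:
    """Standard CRL lookup: revoked if the serial appears in the CRL published
    by the certificate's issuer.  The subject is never consulted, so the
    charlie certificate is reported revoked although it never was."""
    return cert.serial in crl.get(cert.issuer, set())


def find_duplicate_serials(issued: list[Cert]) -> dict[tuple[str, int], list[str]]:
    """Audit check over an issuance log: map every (issuer, serial) that occurs
    more than once to the subjects that share it."""
    by_key: dict[tuple[str, int], list[str]] = defaultdict(list)
    for c in issued:
        by_key[(c.issuer, c.serial)].append(c.subject)
    return {k: v for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    for c in ISSUED:
        print(f"{c.subject:22} serial={c.serial} revoked={is_revoked(c, CRL)}")
    print("duplicate serials:", find_duplicate_serials(ISSUED))
```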
Wilson confirms that the technical problem that led to this issue has been corrected.
Wilson states that "we have identified all certificates that have been affected and are proactively contacting all respective customers. We are providing those customers with a free replacement certificate which will include a new serial number."
If customers would like to know whether their Thawte certificate is affected, they can contact Thawte with the order number via e-mail, ticket system or chat room.
According to Wilson: "In many instances, a low-cost CA will verify critical certificate information against non-verified data."
Wilson says Thawte often comes up against CAs that offer low-cost certification, sacrificing the time and effort that goes into ensuring the companies dealt with are legitimate.
"Sometimes, a low-cost CA will just do a URL check. But do they check and verify the customer information through third-party agencies?"