GlobalSign Press Release
Security Advisory
VeriSign Subject Alternative Names (SANs) implementation vulnerability in Certificates
GlobalSign SANs functionality not vulnerable to recently identified VeriSign implementation issues
In the last few days a number of high-profile partners have reported to GlobalSign that VeriSign has introduced an automated “add Subject Alternative Names (SANs)” feature to its GeoTrust and RapidSSL brands. The functionality on these competing Certificates enables an applicant to specify a multi-level domain name (such as shared.hosting.com) as the Common Name in the application, and VeriSign will add the base name (in this case hosting.com) as a Subject Alternative Name entry. This allows the applicant to use the issued Certificate on both shared.hosting.com and hosting.com. Because the customer of shared.hosting.com may control only the shared.hosting.com domain, while hosting.com is owned by the hosting company, GlobalSign deems this a significant vulnerability in the implementation of SANs, especially in the shared hosting community, where many hosting companies offer use of subdomains belonging to the host’s top level domain name.
Due to the potential impact of this choice of implementation, GlobalSign has made VeriSign directly aware of the implementation vulnerability. As of March 12, 2010, VeriSign has responded that it has ceased issuing Certificates in this way. For any queries regarding the implementation, we urge customers to speak directly with VeriSign. It is likely that VeriSign will audit recently issued Certificates and revoke and reissue (the Digital Certificate equivalent of a product recall) affected Certificates.
This implementation vulnerability is only applicable to VeriSign’s GeoTrust and RapidSSL branded Certificates. It does not affect GlobalSign Certificates – our implementation is based around a strong security model that demands domain control to be established prior to the inclusion of base SANs. Hosting companies using GlobalSign SANs Certificates have no cause for concern.
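The check described above, that every name in a Certificate must be backed by domain control, can be run over issuance records as in the following added example, which is not GlobalSign's or VeriSign's code. The record fields, function names and sample records are hypothetical and constructed for illustration. It assumes that proven control of a domain covers its subdomains but never its parent.

```python
"""Audit issuance records for certificate names lacking domain-control validation."""

def normalize(name):
    # DNS names are case-insensitive; drop whitespace and a trailing root dot.
    return name.strip().rstrip(".").lower()

def is_covered(name, validated):
    """True if `name` equals a validated domain or is a subdomain of one.
    Assumption: control flows down the tree (parent -> child), never up."""
    name = normalize(name)
    for v in map(normalize, validated):
        # Matching on "." + v stops nothosting.com from matching hosting.com.
        if v and (name == v or name.endswith("." + v)):
            return True
    return False

def unvalidated_names(common_name, sans, validated):
    """Names in the certificate the applicant never proved control of."""
    seen, out = set(), []
    for n in map(normalize, [common_name, *sans]):
        if n not in seen and not is_covered(n, validated):
            out.append(n)
        seen.add(n)
    return out

def audit(records):
    """Map serial -> list of unvalidated names, for records that have any."""
    findings = {}
    for r in records:
        bad = unvalidated_names(r["common_name"], r["sans"], r["validated"])
        if bad:
            findings[r["serial"]] = bad
    return findings

# Constructed sample records (not real certificates or serial numbers).
SAMPLE = [
    # Subdomain customer; base name added without validation -> flagged.
    {"serial": "SAMPLE-01", "common_name": "shared.hosting.com",
     "sans": ["shared.hosting.com", "hosting.com"],
     "validated": ["shared.hosting.com"]},
    # Owner of the base domain; control of hosting.com covers www -> clean.
    {"serial": "SAMPLE-02", "common_name": "www.hosting.com",
     "sans": ["www.hosting.com", "hosting.com"],
     "validated": ["hosting.com"]},
]

if __name__ == "__main__":
    for serial, names in audit(SAMPLE).items():
        print(serial, "unvalidated:", ", ".join(names))
```
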
Should any VeriSign customers or partners be concerned that they could be affected by this issue, we strongly recommend that you contact VeriSign immediately.
About GMO GlobalSign
Established in 1996 and as a WebTrust accredited public certificate authority, GlobalSign offers publicly trusted SSL Certificates, EV SSL, Managed SSL Services, S/MIME email security and Code Signing for use on all platforms including mobile devices. Its Trusted Root solution uses the widely embedded GlobalSign Root CA certificates to provide immediate PKI trust for Microsoft Certificate Services and internal PKI, eliminating the costs of using untrusted Root Certificates. Its partnership with Adobe to provide Certified Document Services (CDS) enables secure digitally signed PDF documents, certified transcripts and e-invoices. These core Digital Certificate solutions allow its thousands of authenticated customers to conduct secure online transactions, data transfer, distribution of tamper-proof code, and protection of online identities for secure email and access control. The company has a history of innovation within the online security industry and has offices in the US, UK, Belgium, Japan, China and Singapore.
GMO Internet Group
GMO Internet Group is one of the most comprehensive providers of industry-leading Internet services worldwide. As well as domain registration, web hosting, ecommerce, and payment processing businesses that each hold the top share in their respective markets in Japan, services operated by the group include Internet advertising, search engine marketing and research. Global online security brand GlobalSign and major Japanese online securities brokerage, GMO CLICK Securities are also group members. In 2011 a new Social Media & Smartphone Platform segment was established bringing together group initiatives in social apps development, flash marketing and Android apps distribution. GMO Internet, Inc. (TSE: 9449) is headquartered in Tokyo, Japan. Please visit www.gmo.jp/en for more information.
For further details please contact:
GlobalSign Australia
Tel: +61 3-9988-3988
pr-apac@globalsign.com
Media Contacts:
- Please email the Press Department at press@globalsign.com or call 877-SSL-GLOBAL for media inquiries