Customers purchasing their RapidSSL, Geotrust, thawte or Verisign SSL certificate from ServerTastic are now able to manage their SSL certificate orders and perform the following actions:

Loading mentions Retweet

thawte will be upgrading the site seal servers on 15 October 2009 19 October 2009. After the upgrade any site using the thawte Trusted Site Seal will need to perform an update.

This update applies to ServerTastic customers using SSL123, SSL Web Server and SGC Supercert certificates.

This update must be completed before 18 November 2009 when the existing site seal infrastructure will be disabled.

ServerTastic recommends users re-install the site seal as soon as possible after 15 October 2009 19 October 2009. Details of how to install the thawte Trusted Site Seal are available here.

Loading mentions Retweet

There have been a number of attacks aimed at SSL Certificates demonstrated at the recent Black Hat event in Las Vegas. VeriSign have confirmed that non of the certificates issued within the VeriSign group are susceptibale to these attacks. This includes RapidSSL , thawte and Geotrust.

This was confirmed on Tim Callans SSL Blog. I have pasted the relevent excerpts below

Use of null Characters

The focus of this presentation was various ways to use null characters to fool browsers and other pieces of relying software into believing a certificate has been issued to a different domain than the one to which is was actually issued. The idea is that the attack would give the online criminal the ability to put up a certificate on what appears to be the exact same domain name as the targeted site. sslstrip accomplishes this feat through a Man-in-the-Middle attack and uses the null-character certificate to create its false certificates on the fly.

I'm pleased to say that none of VeriSign's SSL Certificates on any brand allow null characters, meaning that you can't use any of our certificates in the attack detailed today. While the fundamental problem needs to be solved by the client software that trusts these certificates, we still prefer not to be contributing to the problem. And until these problems are solved at the source, EV SSL is a great interim solution. The detailed attack will not work against EV SSL (as agreed by Mr. Marlinspike during the Q and A session after his talk), which means that sites have the power to defend themselves against null character attacks and in fact all attacks using sslstrip.

MD2 No Longer Secure

Kaminsky covered several topics which had SSL as a common theme. Interestingly, he also revealed his own work with null characters, which was very similar to Marlinspike's. In addition, Kaminsky talked about pre-image attacks against MD2, which he expects to be viable this calendar year. He reports that MD2 is not trusted or soon to not be trusted on these applications and platforms: Firefox, OpenSSL, Red Hat, Opera, Apple, Microsoft, Google, and VeriSign. Here I can be more specific. As of May 2009, VeriSign is issuing its SSL Certificates on all brands using SHA-1.

Leading Zeros

Kaminsky also described a "leading zero attack," by which a certificate can fool client software by essentially attaching an invisible zero to the first hex character in the certificate. Again, I'm happy to tell you that VeriSign won't issue SSL Certificates with leading zeros on any of our brands.

Loading mentions Retweet

VeriSign have announced that they have issued 4 million SSL Certificates since 1995.

Full press release below:

In 14 Years as SSL Pioneer and Market Leader, VeriSign and Its Brands Make Trusted Interactions Possible for Millions of Web Sites and Services

MOUNTAIN VIEW, CA -- (Marketwire) -- July 27, 2009 -- VeriSign, Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services for the networked world, today announced that it has issued more than 4 million Secure Sockets Layer (SSL) Certificates. The total includes certificates issued by VeriSign under all four of its SSL brands: VeriSign®, GeoTrust®, thawte®, and RapidSSL®.

Since 1995, the company has served as a trusted third party and Certificate Authority responsible for issuing and authenticating a range of digital certificates designed to protect online businesses and their customers by:

 

--  Encrypting sensitive information during online transactions
--  Authenticating the identity of certificate owners
--  Warning when certificates are invalid
    

Under its four brands, VeriSign issues, authenticates and manages a range of certificates that are vital to the secure and trusted operation of the Internet, Web-based applications, and services requiring digital IDs, including:

 

--  SSL Certificates. VeriSign provides secure SSL encryption to Web sites
    protected by all VeriSign SSL Certificates brands, enabling trusted e-
    commerce, communications, and interactions on Web sites, intranets, and
    extranets.
--  Extended Validation (EV) SSL Certificates. EV SSL protection provides
    Web users using high security browsers with immediate visual confirmation
    that they've reached a site whose authenticity has been independently
    verified by VeriSign.
--  Server-Gated Cryptography (SGC) Certificates.  VeriSign's SGC
    Certificates enable every Web site visitor to connect using the strongest
    encryption for which their systems are capable.
--  Code Signing Certificates. VeriSign® Code Signing creates a digital
    "shrink-wrap" for code and content to protect software publishers and users
    when they download code and content over the Internet and mobile networks.
--  PKI Certificates. VeriSign protects enterprises, government agencies
    and others with a flexible platform enabling complete management of digital
    certificates for authentication, encryption and digital signing.
    

The milestone of issuing more than 4 million SSL certificates underscores how VeriSign is essential to enabling secure online transactions around the world. The company has issued more than 12,000 EV SSL Certificates, making VeriSign the far-and-away market leader with a 74 percent share of the EV SSL market. And every day, VeriSign conducts up to 1 billion Online Certificate Status Protocol (OCSP) checks -- the most timely and efficient way for Web browsers to determine whether an SSL or user certificate is still valid or has been revoked and a key indicator of secure sessions initiated using VeriSign SSL Certificates.

VeriSign also plays a vital role in Public Key Infrastructure (PKI) deployments, which use digital certificates for authentication, encryption and digital signing. In the past 14 years, VeriSign has issued and managed tens of millions of PKI certificates for thousands of customers throughout the world.

"As the world's leading SSL Certificate Authority, VeriSign understands that when customer trust is paramount, second best is never nearly good enough," said Tim Callan, vice president of product marketing at VeriSign. "Now more than ever, in a marketplace that is truly global and increasingly competitive, protecting a Web site, application or service with VeriSign is an investment that pays dividends every day."

 

Loading mentions Retweet

Do not let your website carts get abandoned. Secure them with an appropriate SSL Certificate.

Loading mentions Retweet

Tim Callan from the SSL Blog reports that Firefox 3.5 is not showing the green address bar for some brands of Extended Validation certificates.

SSL Certificates from VeriSign, Geotrust and thawte are not affected.

Loading mentions Retweet