USA: As a newly discovered Internet security flaw sends online businesses running for cover, VeriSign Inc. announced a program to safeguard any of its customers’ Secure Sockets Layer (SSL) Certificates free of charge through June 30, 2008. The program also applies to customers of GeoTrust, thawte and RapidSSL certificates.

Discovered just last week, the serious vulnerability affects encryption key pairs generated with specific Debian versions of the Linux operating system and allows hackers to view encrypted transaction data and potentially steal consumers’ passwords, financial account and credit card numbers and Social Security numbers.

Although the roots and intermediate roots used by VeriSign’s SSL, code signing and client certificate brands – VeriSign, GeoTrust, thawte and RapidSSL – are unaffected by the security flaw, some customers using any of the four certificate brands may have used one of the compromised Linux OS versions to generate key pairs for the individual certificates they employ. This may make those customers’ authentication, encryption, and digital signing transactions vulnerable to hackers.

In the interest of ensuring continued protection for all online transactions involving customers of VeriSign or its other certificate brands, the company today announced that it will revoke and replace any SSL, code signing or client certificate free of charge. Companies employing SSL from VeriSign can investigate their own certificate and cryptographic practices and replace any required certificates directly from VeriSign. The free program will remain in force through June 30, 2008.

The flaw applies to all software applications using key pairs generated on versions of the Debian operating system and its derivatives (such as Ubuntu) released between September 17, 2006 and May 12, 2008.

Although responsibility for the security flaw rests with vendors of those Linux OS versions, it is up to individual site operators to make sure they install recently issued patches that fix the vulnerability and subsequently replace flawed SSL Certificates with safe ones.

“While there’s no fundamental vulnerability that exists inside VeriSign, GeoTrust, thawte or RapidSSL Certificates, VeriSign recognises that a secure Internet is essential to the success of online commerce,” said Chris Babel, senior vice president, SSL, VeriSign. “For that reason we’re initiating this effort to replace any questionable SSL Certificate free of charge.  Any unsafe certificate requires immediate replacement, and online businesses have no time to lose. We encourage them to take action as soon as possible.”

Babel added: “For the continued security of online business worldwide, we recommend that owners of other brands of certificates scrutinise them immediately to determine whether or not the certificates are safe for continued use.  Likewise, we recommend the immediate investigation of all self-signed CAs for similar vulnerability. Site operators should contact the CA to determine if its trusted roots and intermediates were issued off Debian or derivative operating systems. If the CA’s roots prove to be compromised by this security flaw, the recommended practice is for that administrator to immediately discontinue use of those certificates and replace them with certificates from another, uncompromised CA.”

Customers can access information about revocation and replacement functionality for each brand of certificate at the following sites:

VeriSign branded SSL Certificates

thawte branded SSL Certificates

GeoTrust branded SSL Certificates

RapidSSL branded SSL Certificates