Unique serial numbers duplicated across multiple certificates
Bradford UK, 23rd June 2003. Comodo, the internet security specialists, has today announced the results of a nine-month investigation into the security of SSL Certificates issued by some certification authorities. The investigation has found that some certificates have a vulnerability which could cause security issues as well as breaking the X.509 and RFC specifications.
The investigation, carried out by Comodo Research Labs security experts, has identified that some of the SSL Certificates issued by Thawte have the same serial number duplicated across multiple certificates for unrelated domains. The X.509 specification (03/2000 edition) states that “The value of serialNumber shall be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).”, whilst RFC 3280 section 4.1.2.2 states “The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate).” The pair (issuer name, serial number) is the only handle a relying party has on a certificate: a CRL entry, for instance, names a revoked certificate by its serial number alone under the issuer's name, so two certificates that share one serial cannot be revoked independently of each other.
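The check a practitioner would want after reading the two requirements above is a scan over a batch of certificates that flags any (issuer, serial) pair seen more than once and any serial that is not positive. The following is an added example, not code from Comodo or from the investigation; it walks the DER structure directly so it has no third-party dependencies, compares issuer names byte-for-byte (a deliberate simplification of the RFC 3280 name-comparison rules that can miss, but never invent, a duplicate), and runs against a constructed set of well-formed but unsigned certificates with the hypothetical issuer names "Example CA" and "Other CA".

```python
"""Flag X.509 certificates that break the RFC 3280 4.1.2.2 serial-number rules:
the serial MUST be positive and (issuer, serial) MUST be unique per CA.
Pure-Python DER walking; no third-party dependencies."""
from collections import defaultdict

# ---- minimal DER encode/decode (single-byte tags only, which is all X.509 needs) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                              # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# ---- the check ----
def issuer_and_serial(cert_der):
    """Extract (issuer Name as raw DER, serialNumber as int) from a DER Certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    tag, tbs, _ = read_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                               # [0] EXPLICIT version is OPTIONAL
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(val, "big", signed=True)   # signed: a set top bit means negative
    _, _, pos = read_tlv(tbs, pos)                # signature AlgorithmIdentifier (skipped)
    tag, issuer, _ = read_tlv(tbs, pos)           # issuer Name
    if tag != 0x30:
        raise ValueError("issuer is not a SEQUENCE")
    return issuer, serial

def check_serials(certs):
    """Group by (issuer DER, serial). Byte-equal issuer is a simplification of the
    RFC 3280 name-comparison rules: it can miss a duplicate but never invents one."""
    seen = defaultdict(int)
    non_positive = []
    for der in certs:
        issuer, serial = issuer_and_serial(der)
        seen[(issuer, serial)] += 1
        if serial <= 0:
            non_positive.append((issuer, serial))
    duplicates = {key: n for key, n in seen.items() if n > 1}
    return {"duplicates": duplicates, "non_positive": non_positive}

# ---- constructed sample data: well-formed but unsigned certificates (not real certs) ----
def _integer(n):
    k = 1                                          # minimal two's-complement length
    while not -(1 << (8 * k - 1)) <= n < (1 << (8 * k - 1)):
        k += 1
    return tlv(0x02, n.to_bytes(k, "big", signed=True))

def _name(cn):
    attr = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))  # commonName, UTF8String
    return tlv(0x30, tlv(0x31, attr))             # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue

def make_cert(issuer_cn, serial, subject_cn):
    sha256_rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    rsa = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"030623000000Z") + tlv(0x17, b"040623000000Z"))
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00\x00"))            # placeholder key
    tbs = tlv(0x30, tlv(0xA0, _integer(2)) + _integer(serial) + sha256_rsa
              + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return tlv(0x30, tbs + sha256_rsa + tlv(0x03, b"\x00\x00"))  # placeholder signature

SAMPLE_CERTS = [
    make_cert("Example CA", 0x1234, "www.first.example"),
    make_cert("Example CA", 0x1234, "www.second.example"),   # same CA, same serial: the defect
    make_cert("Example CA", 0x1235, "www.third.example"),
    make_cert("Example CA", 0, "www.fourth.example"),        # serial 0 is not positive
    make_cert("Other CA", 0x1234, "www.fifth.example"),      # same serial, different CA: allowed
]

if __name__ == "__main__":
    for (issuer, serial), n in check_serials(SAMPLE_CERTS)["duplicates"].items():
        print(f"serial {serial:#x} issued {n} times by issuer {issuer.hex()}")
```

On real input, replace SAMPLE_CERTS with the DER bytes of the certificates under review (PEM files need their base64 body decoded first); the fifth sample exists to show that the rule is per CA, so the same serial under two different issuers is not a finding.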
Robin Alden, Head of Server Solutions, Comodo Research Labs, said, “Every Comodo certificate adheres to processes which would not allow this vulnerability to happen and we were surprised to come across instances of this from other CAs during our investigation.”
Commenting on these findings, Melih Abdulhayoglu, Chief Security Architect, Comodo Group, said, “At Comodo we are always striving to best serve both our customers and the online community as a whole. We will be happy to pass our findings onto Thawte so that they can take the necessary remedial action to their certificate generation procedures.”
Comodo offers the InstantSSL range of certificates which uniquely balances low costs, full two-step validation, 128 bit encryption and 99.3% browser compatibility with fast issuance, expert customer support and a number of partner-to-Comodo interface methods to establish a clear position in the security market. Over 1000 industry-leading companies have partnered with Comodo since the launch of InstantSSL in March 2002.
The Comodo companies provide the infrastructure that is essential in enabling e-merchants, other Internet-connected companies, software companies, and individual consumers to interact and conduct business via the Internet safely and securely. The Comodo companies offer PKI SSL, Code Signing, Content Verification and Email Certificates; award winning PC Security software; Vulnerability Scanning services for PCI Compliance; secure e-mail and fax services.
Continual innovation, a core competence in PKI, and a commitment to reversing the growth of Internet-crime distinguish the Comodo companies as vital players in the Internet's ongoing development. Comodo secures and authenticates online transactions and communications for over 200,000 business customers and 3,000,000 users of our desktop security products.
For additional information on Comodo - Creating Trust Online® visit Comodo.com
For more information, reporters and analysts may contact:
Office: +1 (888) 266-6361