Urgent SSL security update from RapidSSL for Debian users

Meesterlijk

Verified User
Joined
Jan 19, 2007
Messages
179
Location
Netherlands
*****************************************************************************
Linux Operating System Security Flaws May Have Compromised Your Certificates.
Replace Them Now at No Charge.
*****************************************************************************

We are writing to inform you of a recent exposed security flaw with certain versions of
Linux so you may take immediate action and protect your site and your customers
against any vulnerability. If you or your customers are not using Debian or one of its
derivatives there is nothing you need to do.

WHO IS IMPACTED AND WHY?
For customers who used a Debian OS (or its derivatives) to generate a key pair used to
request a certificate, that key pair (and the corresponding certificate) is vulnerable. This is
due to a flaw in the Debian-specific random number generation that results in relatively
predictable key pair values, making them highly exploitable.

RapidSSL's trusted root CAs and intermediate CAs were not impacted by this
incident.

WHAT CAN YOU DO?
If you or your customers are running Debian operating systems and derivatives (such as
Ubuntu) released between September 17, 2006 and May 12, 2008 you should deploy a
recently released Debian patch and revoke and replace all SSL and Code Signing
certificates for which keys were created on these operating systems. Debian has
released a testing tool to confirm whether your certificates are affected. This tool and
other useful information can be found here:
http://lists.debian.org/debian-security-announce/2008/msg00152.html

To ensure your customers’ security, please notify them of this issue and the actions they
should take to protect their site.

To initiate the replacement process, please go to:
https://products.geotrust.com/geocenter/reissuance/reissue.do
RapidSSL is waiving the standard revoke and replace fee until June 30, 2008.

FOR MORE INFORMATION.
For additional information, please visit the RapidSSL Support site at:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD91&actp=LIST.

Sincerely,


Chris Babel
Senior Vice President, SSL
RapidSSL
 
Note that if you've got a current Secure Certificate purchased from NoBaloney Internet Services and you're using it on a Debian-based server, you should first update your Debian server as mentioned in the link above (http://lists.debian.org/debian-security-announce/2008/msg00152.html) and once that's done you may apply for a replacement directly from us. If the original was purchased from us with installation included we'll install the replacement under our guarantee.

If this is important to you please contact us using my contact information, below, in my sig.

Jeff
 
How important do you think it is to reissue SSL certificates? Is this something that could cause some sort of exploit? What sort of problems would it cause with a website SSL certificate if using a bad key?
 
The problem is that theoretically anyone could create a private key to work with your public certificate, and so spoof your site. They'd also have to do some kind of DNS redirection/poisoning, but of course it's possible.

And of course any warranty you got with your Cert purchase is null and void in this case, because the problem is with your creation of the key, not the Certificate Authority's Certificate.

Jeff
 
Back
Top