GlobalSign® Corporate Information

Security Advisory

VeriSign Subject Alternative Names (SANs) implementation vulnerability in Certificates

GlobalSign SANs functionality not vulnerable to recently identified VeriSign implementation issues

In the last few days a number of high profile partners have reported to GlobalSign that VeriSign has introduced an automated “add Subject Alternative Names (SANs)” feature to its GeoTrust and RapidSSL brands. The functionality on these competing Certificates enables an applicant to specify a multi-level domain name (such as shared.hosting.com) as the Common Name in the application, and VeriSign will add the base name (in this case hosting.com) as a Subject Alternative Name entry. This allows the holder of the issued Certificate to use it on both shared.hosting.com and hosting.com: a browser presented with the Certificate accepts it for either name. The applicant for shared.hosting.com controls only that subdomain, while hosting.com belongs to the hosting company, so GlobalSign deems this a significant vulnerability in the implementation of SANs. It is especially serious in the shared hosting community, where many hosting companies offer customers subdomains beneath the host’s own base domain name.

Due to the potential impact of this choice of implementation, GlobalSign has made VeriSign directly aware of the implementation vulnerability. As of March 12 2010, VeriSign has responded that it has ceased issuing Certificates in this way. For any queries regarding the implementation we urge customers to speak directly with VeriSign. It is likely that VeriSign will audit recently issued Certificates and revoke and reissue affected Certificates (the Digital Certificate equivalent of a product recall).

This implementation vulnerability is only applicable to VeriSign’s GeoTrust and RapidSSL branded Certificates. It does not affect GlobalSign Certificates: our implementation is based on a security model that demands domain control be established for the base name before it is included as a SAN. Hosting companies using GlobalSign SANs Certificates have no cause for concern.
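The following added example is not GlobalSign's or VeriSign's code. It models the two issuance policies described above in plain Python so the difference can be checked: an "auto-add base name" policy that derives hosting.com from shared.hosting.com without any control check, beside a policy that includes a name only once domain control has been proven for it. It also includes the audit check a hosting company or CA would want when reviewing already-issued Certificates: flag any SAN that is a parent domain of the Common Name. The function names are hypothetical, the domain names are constructed, and the "drop the leftmost label" rule for deriving the base name is an assumption drawn from the single shared.hosting.com example on this page.

```python
from typing import Optional


def dns_labels(name: str) -> list:
    """Normalise a DNS name for comparison: lower-case, trailing dot removed,
    split into labels (so 'Shared.Hosting.COM.' == 'shared.hosting.com')."""
    return name.strip().lower().rstrip(".").split(".")


def is_parent_domain(candidate: str, name: str) -> bool:
    """True when candidate is a strict ancestor of name in the DNS tree:
    hosting.com is a parent of shared.hosting.com; other.com is not, and a
    name is never its own parent. A leading wildcard label is stripped, so
    *.hosting.com is compared as hosting.com (it too reaches beyond the
    applicant's subdomain)."""
    c, n = dns_labels(candidate), dns_labels(name)
    if c and c[0] == "*":
        c = c[1:]
    return 0 < len(c) < len(n) and n[-len(c):] == c


def base_domain_sans(common_name: str, sans: list) -> list:
    """Audit check for an issued Certificate: every SAN that is a parent of
    the CN. On a shared host these are names the applicant may not control."""
    return [s for s in sans if is_parent_domain(s, common_name)]


def base_name(common_name: str) -> Optional[str]:
    """Assumed base-name rule: drop the leftmost label of a multi-level name.
    Returns None for a two-label name, which has no useful parent."""
    labels = dns_labels(common_name)
    return ".".join(labels[1:]) if len(labels) > 2 else None


def sans_auto_add_base(common_name: str) -> list:
    """Weak policy as described in the advisory: the base name is added as a
    SAN with no check that the applicant controls it."""
    base = base_name(common_name)
    return [common_name] + ([base] if base else [])


def sans_require_control(common_name: str, validated: set) -> list:
    """Hardened policy: a name is included only if domain control has been
    established for it. `validated` is the set of names the CA has verified
    (by whatever challenge it uses); the CN itself must be among them."""
    norm = lambda n: ".".join(dns_labels(n))
    proven = {norm(v) for v in validated}
    if norm(common_name) not in proven:
        raise ValueError("domain control not established for " + common_name)
    names = [common_name]
    base = base_name(common_name)
    if base and norm(base) in proven:
        names.append(base)
    return names


if __name__ == "__main__":
    # Constructed scenario: a shared-hosting customer applies for one subdomain.
    cn = "shared.hosting.com"
    print("auto-add base:", sans_auto_add_base(cn))
    print("control required:", sans_require_control(cn, {cn}))
    # Auditing a Certificate issued under the weak policy.
    issued = ["shared.hosting.com", "hosting.com", "www.shared.hosting.com"]
    print("SANs the applicant may not control:", base_domain_sans(cn, issued))
```

`base_domain_sans` is the check to run over a CA's recent issuances or over the Certificates installed on a hosting platform; any non-empty result is a Certificate that should be reviewed and, where the holder does not control the flagged name, revoked and reissued.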

Should any VeriSign customers or partners be concerned that they could be affected by this issue, we strongly recommend that you contact VeriSign immediately.

Media Contacts:

  • Please email the Press Department at press@globalsign.com or call +44 1622 766766 for media enquiries
