VeriSign Confirms All SSL and EV SSL Certificates Remain Safe from Potential Threats Newly Presented at Black Hat Conference
LAS VEGAS – Black Hat® USA 2009 Conference – July 30, 2009 – As researchers unveiled a series of potential threats to Secure Sockets Layer (SSL) Certificates at Black Hat USA 2009, VeriSign, Inc. (NASDAQ: VRSN) today reassured its millions of SSL customers that all SSL Certificates from VeriSign, including its VeriSign®, GeoTrust®, thawte® and RapidSSL® brands, are safe from the threats outlined this week.
SSL and Extended Validation (EV) SSL Certificates from VeriSign and its brands are not susceptible to two new SSL vulnerabilities described in Black Hat sessions this week:
Null characters threat. Experts believe hackers may use null characters embedded in some SSL certificates to fool browsers and other pieces of relying software into believing a certificate has been issued to a different domain than the one to which it was actually issued. However, none of VeriSign’s SSL Certificates of any brand are issued with null characters in the common name (CN), so VeriSign certificates cannot be used in this type of attack. In addition, EV SSL Certificates are an effective defense against null character certificate attacks. This defensive capability applies both to customer-facing and non-customer-facing systems, such as auto-updating desktop applications.
MD2 vulnerability. Experts also think certificates that employ Message Digest Algorithm 2 (MD2) may be subject to pre-image attacks later this year, essentially rendering this hash function untrustworthy. Since May 2009, VeriSign and its brands have issued their SSL Certificates using SHA-1, designed by the National Security Agency. Customers with existing VeriSign certificates are not vulnerable to this attack and their certificates do not need to be replaced.
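The null-character item above comes down to relying software reading the CN as a NUL-terminated string instead of a length-prefixed one. The following Python sketch is an added example, not VeriSign's code or part of the original release: it contrasts that flawed comparison with a length-aware check and a simple inventory audit. The function names and sample names are assumptions constructed for illustration.

```python
# Added example; the certificate names below are constructed, not real.

def c_string_view(value: bytes) -> bytes:
    """What a NUL-terminated string API sees: bytes before the first 0x00."""
    return value.split(b"\x00", 1)[0]

def naive_match(cn: bytes, host: str) -> bool:
    """Flawed relying-software check that compares with C-string semantics."""
    return c_string_view(cn).lower() == host.lower().encode("ascii")

_DNS_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789-.")

def strict_match(cn: bytes, host: str) -> bool:
    """Length-aware check: the whole CN must be a clean DNS name and equal host.
    Wildcards are out of scope here (assumption), so '*' is rejected too."""
    name = cn.lower()
    if not name or any(b not in _DNS_BYTES for b in name):
        return False  # embedded NUL, control bytes, spaces, wildcard, ...
    return name == host.lower().encode("ascii")

def suspect_names(names):
    """Inventory audit: return every name that carries an embedded NUL byte."""
    return [n for n in names if b"\x00" in n]

# Constructed sample: NUL placed between two reserved example domains.
CONSTRUCTED_CN = b"www.example.com\x00.example.net"
CLEAN_CN = b"www.example.com"

if __name__ == "__main__":
    for cn in (CONSTRUCTED_CN, CLEAN_CN):
        print(repr(cn), "naive:", naive_match(cn, "www.example.com"),
              "strict:", strict_match(cn, "www.example.com"))
    print("flagged:", suspect_names([CONSTRUCTED_CN, CLEAN_CN]))
```
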
"It’s natural to be concerned when security experts uncover vulnerabilities that can open an organization and its customers to attack, but site operators can rest assured that SSL Certificates from VeriSign cannot be used as part of the SSL threats revealed this week," said Tim Callan, vice president of product marketing at VeriSign. "Until client software vendors can fix these vulnerabilities in their applications and operating systems, solutions like VeriSign EV SSL provide effective and reliable protection against these potential threats."
About VeriSign
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at www.verisign.com.
VRSNF Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 as amended and Section 21E of the Securities Exchange Act of 1934 as amended. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as increasing competition and pricing pressure from competing services offered at prices below our prices, market acceptance of our existing services and the current global economic downturn, the inability of VeriSign to successfully develop and market new services, the uncertainty of whether new services as provided by VeriSign will achieve market acceptance or result in any revenues, the risk that planned divestitures of certain businesses may be delayed or pending dispositions may not be completed, may generate less proceeds than expected or may incur unanticipated costs or otherwise negatively affect VeriSign's financial condition, results of operations or cash flows, and the uncertainty of whether Project Titan will achieve its stated objectives. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the Company's Annual Report on Form 10-K for the year ended December 31, 2008, Quarterly Reports on Form 10-Q and Current Reports on Form 8-K. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.
Contacts
Media Relations:
Victoria Henry, vhenry@verisign.com, + 44 (0) 7920 598 016
Weber Shandwick for VeriSign:
Lydia Curtis, Lcurtis@webershandwick.com, +44 (0)207 067 0513
Investor Relations:
Nancy Fazioli, nfazioli@verisign.com, +1 650-426-5146

