(PRWEB) March 12, 2010
SSL certificates from GeoTrust and RapidSSL have been issued incorrectly because of a faulty update in the systems of VeriSign, which manages both brands. Certificates issued from March 3 through March 12 are by default also valid for the root domain. Networking4all, a Dutch provider of security certificates, has built a tool to verify whether a certificate is affected.
Several Certificate Authorities already add the additional domain to the certificate automatically. VeriSign recently decided to offer this service to customers of GeoTrust and RapidSSL as well, but an error crept into the implementation.
When applying for a certificate for http://www.yourdomain.com, users also get the domain itself, yourdomain.com without the http://www. prefix. The problem arises, however, when a certificate is requested for a sub domain, as many Internet providers do. Someone who applies for a certificate for customer.domain.com gets domain.com for free as a Subject Alternative Name (SAN), because of the issuance bug at GeoTrust and RapidSSL.
The tool at http://www.ismysitesafe.com gives anyone who recently purchased a (possibly) affected certificate the possibility to verify whether the certificate should be replaced.
For many sites the bug is harmless, and most people will not notice the error or make use of it. But a single individual who abuses the situation is enough to punish VeriSign. For example, someone could deliberately request a certificate for a sub domain in order to eavesdrop on the root domain, for instance by using a man-in-the-middle attack.
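The check below is an added example, not the code of the Networking4all tool or of VeriSign: given a certificate's Common Name and its subjectAltName DNS entries (constructed sample input, as they would be read out of the certificate), it flags any SAN that grants a parent domain of the CN beyond the intended www.yourdomain.com / yourdomain.com pairing. It assumes the CN sits at least one label above the registrable domain and does not consult a public-suffix list.

```python
from typing import List


def labels(name: str) -> List[str]:
    """Normalise a DNS name (case, whitespace, trailing dot) and split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def is_strict_parent(parent: str, child: str) -> bool:
    """True if parent is a proper ancestor of child, e.g. domain.com of customer.domain.com.
    A parent of fewer than two labels (a bare TLD) is never considered; assumption
    standing in for a real public-suffix check."""
    p, c = labels(parent), labels(child)
    return 2 <= len(p) < len(c) and c[-len(p):] == p


def intended_pair(cn: str, san: str) -> bool:
    """The documented, intended case: CN is www.X and the SAN is exactly X."""
    c = labels(cn)
    return c[0] == "www" and labels(san) == c[1:]


def overreaching_sans(cn: str, sans: List[str]) -> List[str]:
    """Return the SANs that cover a parent domain of the CN without being the www/root pair.
    A non-empty result is the mis-issuance pattern described above and means the
    certificate should be replaced."""
    return [san for san in sans
            if is_strict_parent(san, cn) and not intended_pair(cn, san)]


# Constructed sample records: (CN, SAN DNS names) as extracted from two certificates.
SAMPLE_CERTS = {
    "intended": ("www.example.com", ["www.example.com", "example.com"]),
    "affected": ("customer.domain.com", ["customer.domain.com", "domain.com"]),
}


def audit(certs=SAMPLE_CERTS) -> dict:
    """Map each record name to the list of overreaching SANs (empty list = fine)."""
    return {name: overreaching_sans(cn, sans) for name, (cn, sans) in certs.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(name, "REPLACE, root granted:" if hits else "ok", hits)
```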