Press Releases

VeriSign Transitions All New RapidSSL Certificates to SHA-1 Algorithm

January 04
23:03 2009

Hosting NewsMOUNTAIN VIEW, CA – VeriSign, Inc. (NASDAQ: VRSN), the trusted provider of Internet infrastructure services for the networked world, today announced an immediate transition to the SHA-1 algorithm on new RapidSSL brand certificates as of 11:00 a.m. Pacific on Tuesday, December 30. Additionally, VeriSign is offering free re-issuance of RapidSSL Certificates on the SHA-1 algorithm to replace those created with MD5.

The transition to the SHA-1 algorithm came within a few hours of the public unveiling of an MD5 flaw presented by researchers during the 2008 Chaos Communication Congress (CCC) in Berlin, rendering the MD5 flaw ineffective for all new RapidSSL Certificates.

During the Berlin event, researchers presented findings that highlighted an MD5 collision attack using substantial computing power to create a false SSL Certificate using the RapidSSL certificate brand. The attack was a potential method to create a new, false certificate from scratch and required the issuance of new certificates, meaning existing certificates were not targets for this attack.

Because the exploit never impacted certificates already in production on Web sites, including previously-issued RapidSSL Certificates or any other VeriSign brand certificate, current certificates used by banks, brokerages, online merchants, and all other SSL-using entities were not affected by this exploit.

“We applaud this team’s research and efforts to improve online security as well as their disclosure of the findings for the benefit of the broader Internet community,” said Chris Babel, svp and general manager, VeriSign. “We take issues like these very seriously and work quickly to remedy vulnerabilities that could potentially affect trust and security online.”

VeriSign has been phasing out the MD5 hashing algorithm for years. Until the MD5 exploit was made public, VeriSign had planned to discontinue the use of MD5 in customers’ certificates by the end of January, 2009. VeriSign has since discontinued using MD5 when issuing RapidSSL Certificates and has confirmed that all other SSL Certificates that VeriSign issues are not vulnerable to this MD5 attack. VeriSign will continue on its path to discontinue MD5 in all end entity certificates by the end of January, 2009.

Though existing end entity certificates are not at risk from this attack, RapidSSL customers who have certificates in place using the MD5 hashing algorithm may choose to replace their certificates with RapidSSL SHA-1 certificates free of charge; VeriSign is temporarily suspending its normal replacement fees for these replacement certificates. For more information, go to

About VeriSign
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet infrastructure services for the networked world. Billions of times each day, VeriSign helps companies and consumers all over the world engage in communications and commerce with confidence. Additional news and information about the company is available at

Research, evaluate and learn more about SaaS Hosting at

About Author

Providing Web Host News, Discussions, Reviews, Commentary, Interviews and Blog Articles to the FindMyHost, Inc. Network.

Related Articles

Special Offers: