VeriSign Transitions All New RapidSSL Certificates to SHA-1 Algorithmin Response to Newly-Published Security Threat

Company Confirms Newly-Discovered MD5 Exploit Ineffective on All
Previously Issued RapidSSL and All End Entity Certificates; Offers
Free Re-Issuance of RapidSSL on SHA-1 Algorithm to Customers Wishing
to Upgrade
 
MOUNTAIN VIEW, CA--(Marketwire - December 31, 2008) - VeriSign, Inc.
(NASDAQ: VRSN), the trusted provider of Internet infrastructure
services for the networked world, today announced an immediate
transition to the SHA-1 algorithm on new RapidSSL brand certificates
as of 11:00 a.m. Pacific on Tuesday, December 30. Additionally,
VeriSign is offering free re-issuance of RapidSSL Certificates on the
SHA-1 algorithm to replace those created with MD5.
 
The transition to the SHA-1 algorithm came within a few hours of the
public unveiling of an MD5 flaw presented by researchers during the
2008 Chaos Communication Congress (CCC) in Berlin, rendering the MD5
flaw ineffective for all new RapidSSL Certificates.
 
During the Berlin event, researchers presented findings that
highlighted an MD5 collision attack using substantial computing power
to create a false SSL Certificate using the RapidSSL certificate
brand. The attack was a potential method to create a new, false
certificate from scratch and required the issuance of new
certificates, meaning existing certificates were not targets for this
attack.
 
Because the exploit never impacted certificates already in production
on Web sites, including previously-issued RapidSSL Certificates or
any other VeriSign brand certificate, current certificates used by
banks, brokerages, online merchants, and all other SSL-using entities
were not affected by this exploit.
 
"We applaud this team's research and efforts to improve online
security as well as their disclosure of the findings for the benefit
of the broader Internet community," said Chris Babel, svp and general
manager, VeriSign. "We take issues like these very seriously and work
quickly to remedy vulnerabilities that could potentially affect trust
and security online."
 
VeriSign has been phasing out the MD5 hashing algorithm for years.
Until the MD5 exploit was made public, VeriSign had planned to
discontinue the use of MD5 in customers' certificates by the end of
January, 2009. VeriSign has since discontinued using MD5 when issuing
RapidSSL Certificates and has confirmed that all other SSL
Certificates that VeriSign issues are not vulnerable to this MD5
attack. VeriSign will continue on its path to discontinue MD5 in all
end entity certificates by the end of January, 2009.
 
Though existing end entity certificates are not at risk from this
attack, RapidSSL customers who have certificates in place using the
MD5 hashing algorithm may choose to replace their certificates with
RapidSSL SHA-1 certificates free of charge; VeriSign is temporarily
suspending its normal replacement fees for these replacement
certificates. For more information, go to
http://www.rapidssl.com//ssl-certificate-support/ssl-support.htm
 
About VeriSign
 
VeriSign, Inc. (NASDAQ: VRSN) is the trusted provider of Internet
infrastructure services for the networked world. Billions of times
each day, VeriSign helps companies and consumers all over the world
engage in communications and commerce with confidence. Additional
news and information about the company is available at
www.verisign.com.
 
Statements in this announcement other than historical data and
information constitute forward-looking statements within the meaning
of Section 27A of the Securities Act of 1933 and Section 21E of the
Securities Exchange Act of 1934. These statements involve risks and
uncertainties that could cause VeriSign's actual results to differ
materially from those stated or implied by such forward-looking
statements. The potential risks and uncertainties include, among
others, the uncertainty of future revenue and profitability and
potential fluctuations in quarterly operating results due to such
factors as the inability of VeriSign to successfully develop and
market new products and services and customer acceptance of any new
products or services, including VeriSign EV SSL solutions; the
possibility that VeriSign's announced new services may not result in
additional customers, profits or revenues; and increased competition
and pricing pressures. More information about potential factors that
could affect the company's business and financial results is included
in VeriSign's filings with the Securities and Exchange Commission,
including in the company's Annual Report on Form 10-K for the year
ended December 31, 2007 and quarterly reports on Form 10-Q. VeriSign
undertakes no obligation to update any of the forward-looking
statements after the date of this press release.
 
©2008 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign
logo, the checkmark circle, and other trademarks, service marks, and
designs are registered or unregistered trademarks of VeriSign, Inc.,
and its subsidiaries in the United States and in foreign countries.
All other trademarks are property of their respective owners.
 
Contacts
Media relations:
Christina Rohall
crohall@verisign.com
650-336-4663
 
Investor Relations:
Nancy Fazioli
ir@verisign.com
650-426-5146
 
This announcement was originally distributed by Hugin. The issuer is 
solely responsible for the content of this announcement.