

2012-11-08: TBS Internet suspends the sale of GlobalSign products

This evening TBS INTERNET suspended the sale of GlobalSign's server certificates.

A detailed explanation will be released soon.


Edit 2012-11-16

On November 8th 2012, we discovered that some GlobalSign certificates believed to be SGC-compatible (meaning with guaranteed 128-bit encryption) had actually been issued without the SGC extension since June 25th 2011.

We immediately took action and stopped selling those products. We also informed all our customers who own one of those certificates or have a pending request, and updated our websites to clearly specify that GlobalSign's products are now 40-bit guaranteed (compatible up to 256-bit).

GlobalSign was slow to communicate on this change, considering that its websites and documentation still offered free SGC by default a few weeks ago. GlobalSign also omitted to give notice to TBS INTERNET (and its other resellers) about the modification of these technical characteristics before November 6th 2012.

For our part, we chose not to communicate publicly right away, in order to give GlobalSign enough time to explain the incident and its origins. After a week, we consider that the time to communicate has come.


Today Henry Krumins, GlobalSign Ltd's Sales & Marketing Director, announces:

"In essence we took an action to fix a bad problem with SSL last year, and grasped that opportunity with the new root roll out. We were slow to get the marketing materials to clearly state the positive fix we had done (basically we took a bad thing out of the certificates but didn't remove the bad thing from the data sheets etc.)"

and adds that:

"SGC certs by their nature are bad, and GlobalSign is currently working on many ways to improve the SSL market and in this specific issue we are asserting that Non-SGC certs are much better and more secure than SGC certs. [...] By removal of that component we are protecting our users and their customers from potential fraud attacks and other security issues and hence reduce their risk."

GlobalSign publishes a technical note:
http://globalsign.tbs-certificats.com/SGC_and_its_Limited_Value.pdf

What are the consequences for the owners of one of those certificates?

It does not impact the normal operation of the installed certificates. Technically, the consequences for the secured services should be limited: current browsers give priority by default to strongly encrypted negotiations and most of the time establish 128- or 256-bit encrypted connections. Moreover, most up-to-date servers are pre-configured to use 128-bit encryption as a minimum.

What should you expect for future requests?

GlobalSign will no longer provide certificates with a 128-bit warranty by default, but SGC will remain available as a free option. However, the precise issuance arrangements are still unclear.

Reminder to owners of currently valid GlobalSign certificates


Which products are concerned?
All GlobalSign server certificates issued after June 25th 2011.


Server configuration
It is possible to configure your server to enforce 128- to 256-bit encryption by default. See our online documentation:
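One way to check a server's cipher list against the 128-bit minimum described above, as an added example (not taken from TBS INTERNET's or GlobalSign's documentation): it parses a listing in the `openssl ciphers -v` format, rejects suites below 128 bits or marked export, and builds an explicit allow-list. The sample listing and the function names are constructed for illustration.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v`
# (not captured from a real server).
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC-SHA                 SSLv3   Kx=RSA      Au=RSA Enc=DES(56)     Mac=SHA1
EXP-DES-CBC-SHA             SSLv3   Kx=RSA(512) Au=RSA Enc=DES(40)     Mac=SHA1 export
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA Enc=RC4(40)     Mac=MD5  export
NULL-SHA                    SSLv3   Kx=RSA      Au=RSA Enc=None        Mac=SHA1
"""

# Matches "Enc=AES(128)" as well as "Enc=None" (no key length given).
ENC_RE = re.compile(r"\bEnc=([^\s(]+)(?:\((\d+)\))?")


def parse_suites(text):
    """Yield (name, key_bits, is_export) per cipher line; Enc=None counts as 0 bits."""
    for line in text.splitlines():
        fields = line.split()
        match = ENC_RE.search(line)
        if not fields or not match:
            continue  # skip blank or unrecognised lines
        bits = int(match.group(2)) if match.group(2) else 0
        yield fields[0], bits, fields[-1] == "export"


def audit(text, min_bits=128):
    """Split suites into (allowed, rejected) against a minimum symmetric key length."""
    allowed, rejected = [], []
    for name, bits, is_export in parse_suites(text):
        if bits < min_bits or is_export:
            rejected.append((name, bits))
        else:
            allowed.append(name)
    return allowed, rejected


def explicit_cipher_string(text, min_bits=128):
    """Colon-separated allow-list in OpenSSL cipher-string syntax."""
    return ":".join(audit(text, min_bits)[0])


if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    for name, bits in bad:
        print(f"below 128-bit: {name} ({bits} bits)")
    print("allow-list:", explicit_cipher_string(SAMPLE))
```

The resulting string uses OpenSSL cipher-string syntax, the form accepted by directives such as Apache's `SSLCipherSuite`. Key length is the only criterion this check applies.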


Reissuance
GlobalSign indicates that, even though it does not recommend it, you can request the reissuance of your certificate to obtain the SGC version of your currently valid product.

To do so, please contact our technical support.


Which browsers behave differently?
A difference in behavior between GlobalSign SGC and standard certificates can be observed on the following rare browsers (more than 10 years old and rarely used nowadays):

  • Internet Explorer export version 5.01 (Release date, 18/12/2001)
  • Netscape export version 4.51 to 4.72 (Release date March 1999)
  • Windows 2000 systems delivered prior to March 2001 that did not download the Microsoft High Encryption Pack or Service Pack 2 and use Internet Explorer

More recent browsers are natively 128- or 256-bit and behave the same way with or without an SGC certificate.



TBS INTERNET wants to apologize to its customers for this regrettable incident, for which GlobalSign should take the entire responsibility.

TBS INTERNET has been with you since 1996 to provide the best advice and the best products available on the market, and works hand in hand with certification authorities to keep enhancing them.

 

Please know that we do take security seriously and remain available to address your concerns.