Mar 13, 2014

Update to SSL Certificate Tomorrow

A heads up for the LastPass community: Our SSL certificate for LastPass.com is due to expire soon, so we plan to rotate a new one in shortly.

For those who are interested, it will continue to be a Thawte Extended Validation Certificate (EV).

This is a behind-the-scenes change, so LastPass users should not see any interruption in service or functionality. Any reports or concerns, though, can be posted in the comments below or directed to our support team.

Thanks for tuning in,
The LastPass Team

61 comments:

  1. For a few days now I can't access https://lasspass.com from Chrome or IE, but it's OK with Firefox.

    The Chrome error says "it's an SSL Error"; below I pasted the full error message from Chrome. As I know, you are a good company, but your Chrome extension's styling is bad. Don't you have any good CSS developers?


    CHROME MESSAGE

    Cannot connect to the real lastpass.com

    Something is currently interfering with your secure connection to lastpass.com.

    Try to reload this page in a few minutes or after switching to a new network. If you have recently connected to a new Wi-Fi network, finish logging in before reloading.

    If you were to visit lastpass.com right now, you might share private information with an attacker. To protect your privacy, Chrome will not load the page until it can establish a secure connection to the real lastpass.com.

    Replies
    1. Thanks for the report, please download this file: https://www.verisign.com/support/thawte-roots.zip

      Then unzip the file, double click on all the .cer files, and click Install on each one. Once complete, please relaunch the browser and confirm if you're able to return to LastPass.com?

      If problems continue, please let us know - you can also submit a report directly here: https://lastpass.com/supportticket.php

    2. My issue is still the same; I installed everything that you provided at the above link.

      Are you asking me to submit a report at https://lastpass.com/supportticket.php? I have lost access to this page too; same problem, I can't access this page.

      All my passwords are stored in your lastpass.com vault, so I can't even send you email.

      Below, I also saw you are asking someone to open a join.me session; don't ask me to do so. However, I can access this page: https://www.thawte.com/. This page worked before I installed the above file provided by you.

    3. I'm having exactly the same problems as you: same SSL error since a few days ago, and I also can't access anything starting with lastpass.com

    4. @Anonymous - Thanks for confirming that you can access https://www.thawte.com without issue.

      Are you able to launch Firefox on the same machine and confirm if you can login there without issue?

    5. Yes, it's working properly with Firefox without above mentioned issue.

  2. Try to clear your cache in Google Chrome

  3. I already did that; the error is the same. I also reinstalled Chrome but still get the same error. However, I can access other sites which use HTTPS.

  4. I checked LastPass's Facebook and Spiceworks pages and found that someone has posted the same issue that I am having with LastPass; I pasted the links below. The snapshot is the same as my issue.

    http://on.fb.me/1iyHZ5z

    http://bit.ly/1efKg46

  5. Same problem: I can't get to https://lasspass.com, certificate problem!
    I cleared the cache and updated the browser!

    Replies
    1. We apologize for the trouble. When you have a chance, please download this file: https://www.verisign.com/support/thawte-roots.zip

      Then unzip the file, double click on all the .cer files, and click Install on each one. Once complete, please relaunch the browser and confirm if you're able to return to LastPass.com?

  6. Does not descend into account in the browser Google Chrome (Invalid Server Certificate)

    Replies
    1. To clarify, the above download fails? Or you've completed the steps and still see an error?

    2. Invalid server certificate indicates you are using Windows XP, yet have not installed Service pack 3 -- please update your computer, it's nearly 6 years behind on updates!

    3. But it's working fine with Firefox.

    4. So lastpass.com is the only site I can't access. Other sites which use HTTPS work fine. Even sites which need better security work fine. What a wonderful company?

    5. If this continues despite our above steps, please reach out to security@lastpass.com and we'll try to work with you to resolve this.

  7. Yes, I downloaded and installed all the certificates; the problem remains!
    In thawte Primary Root CA - G3 (SHA256) no certificate!
    Are there still other solutions?

    Replies
    1. Are you able to reach this page: https://www.thawte.com/ ?

      It sounds like we may need to get on a screenshare with you - would you be able to jump on a join.me or similar session with us?

      If so, please email security[at]lastpass.com confirming, and if you set up a join.me session please include the session ID to join.

    2. Https://www.thawte.com/ comes here, here and here https://join.me/ but a blank page!

    3. Where can I download the certificate https://lastpass.com/

    4. Can you either email us at security@lastpass.com or submit a ticket here: https://lastpass.com/supportticket.php so we can further troubleshoot this with you?

    5. I have downloaded and installed the certificates and the problem remains.
      Also Primary Root CA - G3 (SHA256) no certificate.

    6. Are you able to get to https://thawte.com/ without any issues?

      Which browser is it failing on - Chrome? If you try on another browser, Firefox, does it work?

      Please report to security[at]lastpass.com so we can continue the investigation.

  8. I have tried everything mentioned above, but on Chrome I still get the "SSL Malformed certificate: lastpass.com: thawte Extended Validation SSL CA" notice. No, I can't share my screen, so please just tell me: will you fix this mess, or should I uninstall LastPass forever?

    Replies
    1. Are you able to get to https://thawte.com/ without any issues?

      If you try on Firefox, does it work?

      If the problems continue, please report to security[at]lastpass.com so we can continue to investigate.

    2. This is a sign that you're using Windows XP with a service pack less than 3!

      You need to immediately update your Windows XP to service pack 3, there's a ton of known vulnerabilities that you're unpatched for.

    3. Yes, thawte opens b.p.; on Maxthon, LastPass works OK: it warns about the certificate, needs confirmation, then opens.
      And yes, XP SP2 only :/

  9. Also tried everything, the problem remains. Please fix this!

    Replies
    1. This is a sign that you're using Windows XP with a service pack less than 3!

      You need to immediately update your Windows XP to service pack 3, there's a ton of known vulnerabilities that you're unpatched for.

    2. If only SP3 wasn't slower than dead snails.

  10. Whoever has problems with the certificate, install this: http://support.microsoft.com/kb/968730

  11. If you can't update to Windows XP service pack 3 for some reason or are using older Windows 2003 servers behind patches you can utilize this hotfix instead: http://support.microsoft.com/kb/968730

    Replies
    1. I can't update to Windows XP service pack 3 for some reason. After downloading "968730", it asks for service pack 3 to be installed first. So there is no way to fix this issue. Is there any other method?

    2. Yes, stop using Chrome and go back to Firefox. They have no interest in rewriting a key part of their browser just to support older OSes. I suspect that in a couple years it won't even work on XP at all.

    3. Yea, Joe Siegrist is incorrect in that there is no hotfix available for XP SP2 or older.

    4. To "bug menot": well, Google chose to use the SSL API provided by the OS for consistency across all platforms they support; you would have thought they would go with the open source SSL libraries for consistency. I would not judge it right or wrong, maybe just the easy choice :-)

  12. I am not able to log into LastPass from Chrome either. However, I can log into LastPass from FF. I'm running WinXP SP3. I've also attempted installing the new certs using the zip file provided in this thread. In Chrome, when I check the certificate window (the one giving me grief) it has the following information:

    Issued to: lastpass.com
    Issued by: thawte Extended Validation SSL CA
    Valid from: 3/12/2014 to 3/12/2016

    Replies
    1. Hi Leslie: Were you able to apply the hotfix for Windows XP? http://support.microsoft.com/kb/968730

  13. Hi,
    I am also not able to log into LastPass from Chrome (Firefox does work) due to a certificate problem (same as above).
    I am able to open the thawte/verisign pages and I installed their certificates, but it did not help.
    I am on Windows XP SP2 and I cannot install SP3 on my machine, so I cannot apply the Microsoft fix.

    Is there any other workaround?
    Best Regards

    Replies
    1. I don't recommend this, but if you have tech skills you could look at KB 968730, see what files it changes, and try copying the versions from a system running SP3 to SP2. I have no idea if you can retrofit them. Check the support forums on the web if you want to go down that "rabbit hole". I read about the technique being used with other DLL files, retrofitting Win 2000 using XP DLLs. Success depends on whether the API has not changed significantly, and if that is the case the combination you try was never tested for SP2 but MAY work.

  14. I can NOT log into LastPass from Chrome or IE on XP SP3; Firefox works fine.

    I have downloaded and installed the digital certificates from Thawte. I also tried the Microsoft hotfix even though I had SP3.

    On a Windows 7 machine I CAN access Lastpass from Chrome so it seems to be related to Windows XP which is old but I have an endpoint which is XP I would like to access LP (guess I will use FF for that endpoint :-(

    Replies
    1. Unfortunately if the hotfix didn't work, there doesn't seem to be much we can do, as it's local to that machine - our in-house test on a comparable machine worked. We hope you're able to continue with LastPass on the other browsers and machines.

  15. Hi.

    Firefox 12.0 and the LastPass add-on are working perfectly fine on my machine.

    However, over the past several weeks using Google-Chrome 30.0 I was receiving this message (Something is currently interfering with your secure connection to lastpass.com.) when I tried to click on a lastpass url that begins with https.

    Additionally, intermittently I would have to click on the white LP icon and enter my password twice, sometimes three times, before the icon turned red, confirming I was logged onto LP.

    Additionally, even though I was logged into LP and able to use the LP manager to log into internet websites, I was constantly getting the red bar advisory, "You are not connected to the internet."

    Plus, the auto login to all browsers feature was not working.

    Tonight I decided to remove the LP extension from Google-Chrome and reinstall it to see if this would remedy the problems I described.

    Ha! Big mistake. After removing the LP extension from the browser and reinstalling the LP extension, I can't login to LP at all.

    I was just getting comfortable using the Google-Chrome browser, considering making it my default browser cause it's a lot faster than Firefox, and now this happens.

    Looking around on other help sites I see others are experiencing the same problems with LP, so I don't feel alone. :grin

    I'm confident a remedy will soon be on the table.

  16. Unfortunately it is well known that certain XP SP2 machines just refused to take the SP3 update - I have one like that as does security expert Steve Gibson. ok so WIN XP SP2 does not support SHA256 signed keys but server https://thawte.com/ is signed SHA1. Is it possible to have a lastpass.com SSL key signed SHA1 as well as SHA256 for backward compatibility or can you only have one key?

  17. My LastPass was working fine until last night. Did something new happen to cause the error again?

    Replies
    1. Hi Carissa: We updated our certs again today due to the Heartbleed bug - is your system clock set to the correct time?

  18. Can you confirm the "TLS heartbeat read overrun (CVE-2014-0160)" vulnerability is fixed for LastPass services?

    Replies
    1. Ivan: Please see our newest blog post - blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html - yes, Heartbleed has been addressed. Let us know if we can be of further help.

  19. +1 what Ivan said. Media reports LastPass as vulnerable. Fess up and advise what you are doing to fix!

    Replies
    1. Steve: Please see our newest blog post: blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html which addresses these concerns. If you're seeing new media reports saying that LastPass is vulnerable, we'd appreciate a link so that we can follow up.

  20. johnny appleseed, April 9, 2014 at 9:22 AM

    I'm concerned that OpenSSL heartbleed bug has not been fixed at Lastpass. Can you please update us users about the status of your security?

    Replies
    1. Heartbleed has been addressed, please see our more recent blog post: blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

  21. The recent (last 6 days) change to the certificate now shows it is key signed SHA1 so I am jumping for joy as that allows an old WIN XP SP2 (that does not support SHA256 signed keys) to sign on to lastpass.com home page on a CHROME browser. I do hope you don't go to SHA256 key signing AGAIN breaking all 2 million machines (= 0.5% of XP stuck on SP2).

  22. I just learned my Google Chrome browser and my LastPass extension are friends again. :)

    After dealing with Dashlane, which isn't a bad product - but nowhere near as versatile and friendly as LastPass, you have no idea how big my smile became when I saw my lil red LP icon light up on Chrome.

    Thank you so much for making me whole again. Frankly, surfing without LP was a major pain. I love this program!

    Replies
    1. Were you running Google Chrome browser + LastPass extension on Win XP ?

  23. I bet Microsoft just don't want us accessing Twitter because they don't own it (yet). The explanations do not pan out; I access sites with https all the time - no problem - but they are making it awfully hard for us to access Twitter.

    Replies
    1. @anonymous Yes twitter has updated to SHA256 cert signing so you must be using an older OS that does not support this - it's a pain that is going to get worse.
