Update to SSL Certificate Tomorrow

A heads up for the LastPass community: Our SSL certificate for LastPass.com is due to expire soon, so we plan to rotate a new one in shortly.

For those who are interested, it will continue to be a Thawte Extended Validation Certificate (EV).

This is a behind-the-scenes change, so LastPass users should not see any interruption in service or functionality. Any reports or concerns, though, can be posted in the comments below or directed to our support team.

Thanks for tuning in,
The LastPass Team


  • Clark Gable says:

    Good post, thanks for the tips.

  • Anonymous says:

    I bet Microsoft just don’t want us accessing Twitter because they don’t own it (yet). The explanations do not pan out; I access sites with https all the time – no problem – but they are making it awfully hard for us to access Twitter.

    • BanditQuest says:

      @anonymous Yes twitter has updated to SHA256 cert signing so you must be using an older OS that does not support this – it’s a pain that is going to get worse.

  • I just learned my Google Chrome browser and my LastPass extension are friends again. :)

    After dealing with Dashlane, which isn’t a bad product – but nowhere near as versatile and friendly as LastPass, you have no idea how big my smile became when I saw my lil red LP icon light up on Chrome.

    Thank you so much for making me whole again. Frankly, surfing without LP was a major pain. I love this program!

  • BanditQuest says:

    The recent (last 6 days) change to the certificate now shows it is key signed SHA1 so I am jumping for joy as that allows an old WIN XP SP2 (that does not support SHA256 signed keys) to sign on to lastpass.com home page on a CHROME browser. I do hope you don’t go to SHA256 key signing AGAIN breaking all 2 million machines (= 0.5% of XP stuck on SP2).

  • johnny appleseed says:

    I’m concerned that OpenSSL heartbleed bug has not been fixed at Lastpass. Can you please update us users about the status of your security?

  • steve says:

    +1 what Ivan said. Media reports lastpass as vulnerable. Fess up and advise what you are doing to fix!

    • Amber Gott says:

      Steve: Please see our newest blog post: blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html which addresses these concerns. If you’re seeing new media reports saying that LastPass is vulnerable, we’d appreciate a link so that we can follow up.

  • Can you confirm the “TLS heartbeat read overrun (CVE-2014-0160)” vulnerability is fixed for LastPass services?

    • Amber Gott says:

      Ivan: Please see our newest blog post – blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html – yes, Heartbleed has been addressed. Let us know if we can be of further help.

  • My LastPass was working fine until last night. Did something new happen to cause the error again?

  • BanditQuest says:

    Unfortunately it is well known that certain XP SP2 machines just refused to take the SP3 update – I have one like that as does security expert Steve Gibson. ok so WIN XP SP2 does not support SHA256 signed keys but server https://thawte.com/ is signed SHA1. Is it possible to have a lastpass.com SSL key signed SHA1 as well as SHA256 for backward compatibility or can you only have one key?

  • Hi.

    Firefox 12.0 and the LastPass add-on are working perfectly fine on my machine.

    However, over the past several weeks using Google-Chrome 30.0 I was receiving this message (Something is currently interfering with your secure connection to lastpass.com.) when I tried to click on a lastpass url that begins with https.

    Additionally, intermittently I would have to click on the white LP icon and enter my password twice, sometimes three times, before the icon turned red, confirming I was logged onto LP.

    Additionally, even though I was logged into LP and able to use the LP manager to log into internet websites, I was constantly getting the red bar advisory, “You are not connected to the internet.”

    Plus, the auto login to all browsers feature was not working.

    Tonight I decided to remove the LP extension from Google-Chrome and reinstall it to see if this would remedy the problems I described.

    Ha! Big mistake. After removing the LP extension from the browser and reinstalling the LP extension, I can’t login to LP at all.

    I was just getting comfortable using the Google-Chrome browser, considering making it my default browser cause it’s a lot faster than Firefox, and now this happens.

    Looking around on other help sites I see others are experiencing the same problems with LP, so I don’t feel alone. :grin

    I’m confident a remedy will soon be on the table.

  • Anonymous says:

    I can NOT log into lastpass from Chrome or IE on XP SP 3; Firefox works fine.

    I have downloaded and installed the digital certificates from Thawte. I also tried the Microsoft hotfix even though I had SP3.

    On a Windows 7 machine I CAN access Lastpass from Chrome so it seems to be related to Windows XP which is old but I have an endpoint which is XP I would like to access LP (guess I will use FF for that endpoint :-(

    • Amber Gott says:

      Unfortunately if the hotfix didn’t work, there doesn’t seem to be much we can do, as it’s local to that machine – our in-house test on a comparable machine worked. We hope you’re able to continue with LastPass on the other browsers and machines.

  • Anonymous says:

    I am also not able to log into lastpass from chrome (firefox does work) due to a certificate problem (same as above).
    I am able to enter thawte/verisign pages, I did installation of their certificates, but it did not help.
    I am on windows xp sp2 and I cannot install sp3 on my machine, so I cannot apply the microsoft fix.

    Is there any other workaround?
    Best Regards

    • BanditQuest says:

      I don’t recommend this but if you have tech skills you could look at KB 968730, see what files it changes and try copying the versions from a system running SP3 to SP2. I have no idea if you can retrofit them. Check the support forums on the web if you want to go down that “rabbit hole”. I read about the technique used with other DLL files retrofitting Win 2000 using XP DLL’s. Success depends if the API has not changed significantly and if that is the case the combination you try was never tested for SP2 but MAY work.

  • Leslie says:

    I am not able to log into lastpass from Chrome either. However I can log into lastpass from FF. I’m running WinXP SP3. I’ve also attempted installing the new certs using the zip file provided in this thread. In the chrome, when I check the certificate window (the one giving me grief) it has the following information:

    Issued to: lastpass.com
    Issued by: thawte Extended Validation SSL CA
    Valid from: 3/12/2014 to 3/12/2016

  • Joe Siegrist says:

    If you can’t update to Windows XP service pack 3 for some reason or are using older Windows 2003 servers behind patches you can utilize this hotfix instead: http://support.microsoft.com/kb/968730

    • uxtyjc says:

      I can’t update to Windows XP service pack 3 for some reason. After downloading “968730”, it asks for service pack 3 to be installed first. So, no way to fix this issue. Any other method?

    • bug menot says:

      Yes, stop using Chrome and go back to Firefox. They have no interest in rewriting a key part of their browser just to support older OSes. I suspect that in a couple years it won’t even work on XP at all.

    • Yuhong Bao says:

      Yea, Joe Siegrist is incorrect in that there is no hotfix available for XP SP2 or older.

    • BanditQuest says:

      2 “bug menot”, well Google chose to use the SSL API provided by the OS for consistency across all platforms they support; you would have thought they would go with the Open source SSL libraries for consistency. I would not judge it right or wrong, maybe just the easy choice :-)

  • P_L says:

    Who has problems with the certificate put it http://support.microsoft.com/kb/968730

  • Also tried everything, the problem remains. Please fix this!

  • I have tried everything mentioned above, but on Chrome I still get the “SSL Malformed certificate: lastpass.com: thawte Extended Validation SSL CA” notice. No, I can’t share screen, so please just tell me, will you fix this mess or should I uninstall Lastpass forever.

    • Amber Gott says:

      Are you able to get to https://thawte.com/ without any issues?

      If you try on Firefox, does it work?

      If the problems continue, please report to security[at]lastpass.com so we can continue to investigate.

    • Joe Siegrist says:

      This is a sign that you’re using Windows XP with a service pack less than 3!

      You need to immediately update your Windows XP to service pack 3, there’s a ton of known vulnerabilities that you’re unpatched for.

    • Yes, thawte opens b.p., on Maxthon Lastpass works ok, warns about certificate, needs confirmation, then opens
      and yes, XP SP2 only :/

  • P_L says:

    Yes downloaded installed all the certificates, the problem remains!
    In thawte Primary Root CA – G3 (SHA256) no certificate!
    Still there solutions?

  • P_L says:

    Does not descend into account in the browser Google Chrome (Invalid Server Certificate)

  • P_L says:

    Same problem: I can't get into https://lasspass.com, there is a problem with the certificate!
    I cleared the cache and updated the browser!

  • Anonymous says:

    I checked lastpass’s Facebook and spiceworks pages and I found someone has posted the same issue that I am having with lastpass; below I pasted those links. The snapshot is the same as my issue.



  • Anonymous says:

    I already did it; the error is the same. I also reinstalled chrome but still get the same error. However, I can access other sites which use HTTPS.

  • Anonymous says:

    Try to clear your cache in Google Chrome

  • Anonymous says:

    For a few days I can’t access https://lasspass.com from chrome or ie, but it’s ok with firefox.

    The chrome error says “it’s a SSL Error”; below I pasted the full error message from chrome. As I know you are a good company, but your chrome extension’s styling is bad; don’t you have any good CSS developers?


    Cannot connect to the real lastpass.com

    Something is currently interfering with your secure connection to lastpass.com.

    Try to reload this page in a few minutes or after switching to a new network. If you have recently connected to a new Wi-Fi network, finish logging in before reloading.

    If you were to visit lastpass.com right now, you might share private information with an attacker. To protect your privacy, Chrome will not load the page until it can establish a secure connection to the real lastpass.com.
