The SSL Store Blog, https://www.thesslstore.com/blog (feed generated Mon, 20 Jul 2015 12:57:27 +0000)

5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam
https://www.thesslstore.com/blog/5-ways-to-determine-if-a-website-is-fake-fraudulent-or-a-scam/
Published Mon, 20 Jul 2015

As the Internet evolved, so did the ways in which we interact with it. Virtually every aspect of our daily lives has been mirrored on the Internet. When you log in to your online banking portal you are trusting that your bank is safely and discreetly managing your personal financial information, just as you would when you sit down with a bank employee in their office. With day-to-day life increasingly dependent on the Internet, a passive ability to detect fraudulent or fake websites becomes increasingly important.

Security is our number one priority at The SSL Store, so our panel of Internet security specialists has assembled a list of good practices that you can adopt today to improve your passive ability to detect fraud.

Tip #1: Pay Close Attention to the URL Requesting Your Credentials

Always check the URL in the address bar! The most common phishing attack uses a URL that closely resembles the real one: a transposed letter, a digit in place of a letter, or the real brand name placed in front of an unrelated domain. The URL is the primary thing that determines which site you are talking to, so read it carefully before you type anything. If a login page has moved to a different domain from the one you expected, as in the case pictured below, do not enter credentials; contact the firm through a channel you already trust and ask.

[Image: FakeWebsite-Testing]

Tip #2: Look for the layers of security: trust seal, padlock, green address bar and the https:// prefix.

The most common tactic for stealing online information is to clone the original website and ask users for confidential information in a convincing way. Pay close attention to the content (misspellings and grammatical errors are a giveaway) and check the security layers: the https:// prefix, the padlock, and a trust seal from the site's security vendor. Shown below are two sites, one of which uses several layers of security (pictured left) while the other uses none (pictured right).

Remember that your top priority is identifying who operates the website. These security layers are good indicators of a legitimate website, but on their own they do not prove it: anyone can obtain a basic certificate for a lookalike domain they control, and a seal image can be copied onto any page. Click the seal to confirm it resolves to the vendor's verification page for the domain you are actually on.

[Image: FakeWebsite-Testing2]

Tip #3: Identify whether the site is using an expired SSL certificate.

When an SSL certificate expires you may get a warning notifying you of the expiration, or you may notice that the https text and padlock icon are crossed out in red. An expired certificate can still encrypt your communication, but you cannot put much trust in the claim that the site is what it says it is.

The real danger of expired certificates is the habit they create. An expired certificate triggers the same kind of browser warning as the forged certificate an attacker presents in a man-in-the-middle attack, and a user who has learned to click through that warning cannot tell the two situations apart. Rather than clicking through, contact the firm directly to complete the transaction; a site that cannot keep its certificate current should not be handling your data until it does.

[Image: FakeWebsite-Testing3]

Tip #4: Identify whether the site is using an EV SSL certificate.

Sites that use an Extended Validation (EV) SSL certificate show a green address bar featuring the legally registered company name and country. This obvious visual cue takes much of the guesswork out of identifying a legitimate website. Shown in the image below are two sites, one using an Extended Validation certificate (pictured right) and one without (pictured left).

[Image: FakeWebsite-Testing4]

Extended Validation certificates are issued only to organizations that have passed a third-party vetting process, defined by the CA/Browser Forum EV Guidelines, covering the organization's legal existence, physical address and the authority of the person requesting the certificate. Because of these strict checks it is very hard for a fraudster to obtain one. Keep in mind that an EV certificate vouches for who operates the site, not for how the site behaves.

Tip #5: Learn to spot the telltale signs of a secure site.

At minimum, the site should have a URL that starts with https://, and it should show a padlock icon in the browser's address bar, NOT somewhere on the page itself (an image of a padlock on the page proves nothing). These show that the connection is protected with Secure Sockets Layer (SSL), or more precisely its successor Transport Layer Security (TLS), the cryptographic protocol that provides communication security.

[Image: FakeWebsite-Testing5]

You should follow all of the tips above when trying to detect fraud:

  • Check the expiration date of the site's SSL certificate.
  • Be sure the https:// protocol is in use.
  • Look for the padlock in the browser frame, not on the page.
  • Check the website's trust seal before providing any personal information.
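Tips 1, 3 and 5 can be mechanized. The script below is an added example, not code from The SSL Store: it reports whether the certificate a site presents actually covers the hostname you typed and whether it is inside its validity period. `check_certificate()` works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it can be exercised offline on `SAMPLE_CERT`, which is constructed here for illustration; `fetch_peer_cert()` does a real handshake against a live host. Note what the check cannot do: if you typed a lookalike domain the phisher controls, their certificate will match it perfectly, which is why Tip 1 (read the URL) comes first.

```python
"""Check the certificate a site presents against the hostname you typed.

Added example for the tips above; not code from The SSL Store.  SAMPLE_CERT
is a constructed certificate in getpeercert() format, valid for
www.example.com and example.com during calendar year 2015.
"""
import socket
import ssl
import time

SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "issuer": ((("commonName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}


def dns_name_matches(pattern, hostname):
    """RFC 6125 style matching: exact match, or a '*' that is the whole
    leftmost label and stands for exactly one label.  So *.example.com covers
    www.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def names_in_cert(cert):
    """Names the certificate is valid for.  Browsers honour only the
    subjectAltName extension; commonName is a legacy fallback."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names


def check_certificate(cert, hostname, now=None):
    """Return a list of problems; an empty list means the certificate covers
    `hostname` and is within its validity period at `now` (epoch seconds)."""
    now = time.time() if now is None else now
    problems = []
    names = names_in_cert(cert)
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append("hostname %r is not covered by %s" % (hostname, names))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        problems.append("certificate expired on " + cert["notAfter"])
    elif now < not_before:
        problems.append("certificate not valid until " + cert["notBefore"])
    return problems


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Real handshake.  The default context already enforces the trust chain,
    expiry and hostname the way a browser does, so a verification failure is
    itself the finding.  Returns (cert_dict, None) or (None, reason)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message
    except OSError as exc:
        return None, str(exc)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    cert, error = fetch_peer_cert(host)
    if error:
        print("%s: browser-equivalent verification FAILED: %s" % (host, error))
    else:
        for line in check_certificate(cert, host) or ["certificate OK for " + host]:
            print("%s: %s" % (host, line))
```

Run it as `python check_cert.py login.yourbank.example` and compare the names it reports with the domain you meant to visit. An empty problem list from `check_certificate()` is the machine equivalent of "https, padlock, not expired"; it says nothing about who is behind the domain, which is what Tips 2 and 4 are for.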

2015 Technology Trends, their Security Risks & Safety Tips
https://www.thesslstore.com/blog/2015-technology-trends-their-security-risks-safety-tips/
Published Mon, 13 Jul 2015

According to reports from various research and technology firms, 2015 will continue many of 2014’s innovations and disruptive technologies. The technology landscape is forecast to triple as more mobile apps and devices enter the market, and data center traffic is expected to exceed 600 exabytes per month. For scale, one exabyte is one million terabytes.

Then there are self-driving cars, bendable displays, air-charged batteries, holographic teleconferencing, wearable mobile devices, and 3D printing breakthroughs. These are just a few of the technology trends people are watching in 2015, with many more innovations expected to enter the market throughout the year.

Along with these exciting developments come worrisome security threats, some never dealt with properly in the past and some driven by the innovations themselves. For instance, trust flaws in IPv4 that persist in IPv6 may be capitalized on by cyber criminals.

A shift from BIOS to rich boot environments such as UEFI can open the door to new types of rootkit and bot attacks as well. As a technology becomes more popular and pervasive, so does its potential to create problems when it is mishandled and mismanaged.

Mobile Apps, Payment and Devices

Gartner predicts that combined sales of tablets and smartphones could reach 385 million units in 2015. With that in mind, there will be a need to serve all those users in diverse contexts and environments. As the market for mobile devices expands, so does the question of how secure those devices are. At the moment the majority of mobile malware targets Android, but that could change over time.

Luckily, a few obstacles are hindering the widespread proliferation of malware onto these devices. One is validated application delivery: signed apps distributed through a curated store make installing malware considerably harder. Others include address space layout randomization (ASLR), sandboxing and automatic updates, all of which make mobile platforms difficult to target. Nevertheless, the popularity of the platform may push cyber criminals to innovate as well, commercializing the industry of non-PC hacking.

Over the past few years attacks targeting mobile payment systems have increased, which led to the development of security features built to prevent theft. Some of those same features may themselves become targets in the future.

Attacks on mobile payment systems are rising, but at the moment cyber criminals continue to focus on traditional credit and debit cards, since those are the easier targets for now.

Internet of Things (IoT)

The scenario in which objects such as appliances and devices transfer data over a network without human intervention is what is meant by the “Internet of Things”. It makes our everyday objects more connected, which has upsides and downsides, and digitizing everything into data streams creates new requirements as well as new services.

Unfortunately, evidence shows that many IoT device manufacturers have neglected basic security standards. Attacks on these devices can have a real, physical impact. Worse, the vendors may have no distribution infrastructure for timely updates to correct lapses, so a flaw can stay exploitable for the life of the device. As with the mobile platform, attackers will venture onto IoT platforms as these devices multiply.

Cloud Architecture

Cloud and mobile computing are both promoting the growth of centralized applications that retrieve and sync data across multiple devices. This synchronization delivers the same experience on every device and lets users pick up where they left off.

Many of these cloud services state that they use encryption to retrieve and sync data, yet some have been shown not to implement it correctly. One example is a client that does not pin the server's certificate: pinning is a hardening step on top of ordinary certificate validation, and without it (or, worse, with validation disabled altogether) the sync traffic can be intercepted, so the experience is not necessarily secure or private from the outside world.

Web-scale IT

Web-Scale IT is a philosophy that organizations will begin adopting as they think, act, and build applications and infrastructure for the future. According to Gartner this will happen slowly, as commodity hardware becomes ready to drive their cloud-based needs and software.

However, it has become clear that as more organizations deploy hardware and software to the cloud, the security protecting those devices and applications is not up to snuff. Many organizations have a hard time finding candidates with cyber security experience, or even the basic skill set. It is now widely accepted that perimeter-only (“edge”) defense is no longer enough, and organizations find it difficult to provide a secure environment across everything they run, both internally and externally.

Not to worry, however: we have gathered a few tips that can help you stay secure and safe online.

Top 5 Tips of 2015 for Online Security

1. Update, Update, Update!

This is something we cannot stress enough. Numerous websites are compromised every day because they run outdated software. It is very important for every online business to update its website as soon as a new plugin or CMS version is available. A website firewall such as CloudProxy can block many known exploit attempts while you patch, but it does not replace the update: apply updates as soon as they are released.

2. Make Your Password Strong Enough

SplashData’s annual list compiles the millions of stolen passwords made public throughout the year and ranks them by popularity. The 25 most common passwords of 2014 (shown as an image in the original post) are all on that list, which means attackers try them first, automatically, against every account they can find. The lesson is that a password has three key requirements that should always be followed: complex, long, and unique (never reused across sites).

Another good feature to look into is “2FA”, or Two Factor Authentication. This is a login mechanism that requires a password plus a second method, such as an email confirmation or a one-time code sent via text message. A code from an authenticator app or a hardware token is stronger than SMS or email, both of which can themselves be intercepted or taken over, but any second factor is better than the password alone.

3. Never Host More Than One Site on a Single Server

Many site owners fall into choosing an “Unlimited Hosting” plan for their online business and end up hosting all their various sites on a single server. Unfortunately this is one of the worst security practices we commonly see: hosting many sites in the same location creates a very large attack surface.

For example, a server containing one site might have a single WordPress install with a theme and 10 plugins that can be targeted by an attacker. Host five sites on that server and an attacker might now have three WordPress installs, two Joomla installs, five themes and 50 plugins as potential targets.

To make matters worse, once an attacker has exploited one site, the infection spreads very easily to its neighbors, because they share the same file system and often the same database user. Not only can this result in all your sites being hacked at once, it also makes cleanup far more time-consuming and difficult, and the recovery after cleanup is a much larger task. So it is better to use one hosting server, or at the very least one isolated account, per website.

4. Server Configuration Files

You should really get to know your web server configuration files. Apache web servers use .htaccess files (alongside the main httpd.conf), Nginx uses nginx.conf, and Microsoft IIS uses web.config. The .htaccess and web.config files usually live in the web root; nginx.conf lives in the server's configuration directory, not under the document root. These files are very powerful and unforgiving: a typo can take the site down or silently disable a protection. It is in these files that you apply server rules, including directives that improve your website's security.

Here are a few rules that I recommend you research and add for your particular web server:

  • Prevent directory browsing: this stops visitors from listing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution.
  • Prevent image hotlinking: while this is not strictly a security improvement, it prevents other websites from displaying the images hosted on your web server. If people start hotlinking images from your server, the bandwidth allowance of your hosting plan can quickly be eaten up displaying images for someone else’s site.
  • Protect sensitive files: you can set rules to protect specific files and folders. CMS configuration files are among the most sensitive files on the web server, since they contain the database login details in plain text.
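The three rules above, written out as one .htaccess file. This is an added example, not configuration from the original post. It assumes Apache 2.4 (the `Require` syntax; Apache 2.2 uses `Order`/`Deny` instead), that `AllowOverride` permits `Options`, `FileInfo` and `AuthConfig` in this directory, that mod_rewrite is loaded, a WordPress-style layout whose configuration file is wp-config.php (with Joomla's configuration.php covered too), and example.com as your own domain.

```apache
# Added example of the three rules above; not from the original post.
# Assumes Apache 2.4, AllowOverride permitting these directives, mod_rewrite
# loaded, and example.com as the site's own domain.

# 1. Prevent directory browsing: a request for a folder with no index file
#    gets 403 instead of a file listing.
Options -Indexes

# 2. Prevent image hotlinking.  Requests with an empty Referer (direct visits,
#    some proxies and privacy tools) and requests from our own domain are
#    allowed; any other site embedding our images gets 403.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png|webp)$ - [F,NC,L]

# 3. Protect sensitive files.  The CMS config holds database credentials in
#    plain text; PHP includes it from disk, so it never needs to be served
#    over HTTP.  Also block the .htaccess/.htpasswd files themselves and the
#    backup, dump and log leftovers that editors and deploy scripts leave behind.
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^(\.htaccess|\.htpasswd|configuration\.php|.*\.(bak|old|orig|sql|log))$">
    Require all denied
</FilesMatch>
```

Keep in mind that .htaccess is re-read on every request and only applies where `AllowOverride` lets it; the same directives placed in the main server configuration are faster and cannot be altered by a compromised site. After editing, confirm each rule actually fires: request a directory URL, request an image with a foreign `Referer` header (for example with `curl -H 'Referer: https://other.example/' `), and request wp-config.php directly; all three should return 403.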

5. Install an SSL Certificate

An SSL certificate is not strictly required, but it is highly recommended as more users connect and transmit data. Installing one lets your server encrypt everything transmitted to and from it. Even basic data can be used to identify you or your site’s users, and it is important to protect them. Just think of all the personal information that could be stolen and misused. Keep in mind that TLS protects data in transit only; it does nothing for data stored on the server.

An SSL certificate is especially important for e-commerce sites and any other site that accepts form submissions containing sensitive user data or Personally Identifiable Information (PII).

New PCI Standards Require Abandoning SSL 3.0 and TLS 1.0
https://www.thesslstore.com/blog/new-pci-standards-require-abandoning-ssl-3-0-and-tls-1-0/
Published Fri, 12 Jun 2015


New guidelines dictating the requirements for PCI compliance, version 3.1 of the PCI Data Security Standard (PCI DSS), were released in April. The standard applies to every company that stores, processes or transmits cardholder data, which includes anyone taking payments over the Internet. A key part of the new PCI DSS is a stricter requirement around the use of TLS (SSL).

PCI DSS v3.1 states that SSL 3.0 and TLS 1.0 “can no longer be used as a security control after June 30th, 2016.” This means that disabling these protocol versions is required in order to be compliant with handling sensitive cardholder data.

Any time we discuss protocols, we like to remind our readers that the true name of the modern protocol is Transport Layer Security (TLS), not SSL. The most recent version of the protocol is TLS 1.2, and the last version released under the name “SSL” was SSL 3.0, back in 1996.

After the POODLE attack discovered late last year, SSL 3.0 was effectively retired. The newest versions of most modern browsers no longer support SSL 3.0, and everyone should check their servers to make sure they have disabled support for that insecure protocol.

Disabling protocol versions is easy – once you locate where your server stores the configuration settings for SSL, it takes less than a few minutes to update. The hard part of meeting these requirements will be to make a risk assessment of your user base to determine if removing TLS 1.0 support will be problematic.

Remember that PCI DSS dictates technical requirements and procedures for the systems that directly store, process or transmit cardholder data, and for administrative access to them. So if you do not take payments directly, but instead hand the user off to a provider such as PayPal, Authorize.net, or Square, your PCI scope is greatly reduced (you still attest to it, typically through a short self-assessment questionnaire). For companies who do handle payments directly, it is not necessarily required to make these changes network-wide, only within the cardholder data environment. For many networks and companies this will ease compliance.

So, if you are affected by these changes, how much time do you have?

The deadline for ending support for SSL 3.0 and TLS 1.0 is June 30th, 2016, just about a year from now. However this comes with some caveats. “Effective immediately, new implementations must not use SSL or early TLS” (early TLS meaning TLS 1.0), and existing implementations must have a “formal Risk Mitigation and Migration Plan in place.”

So while the hard deadline on abandoning these old protocol versions is about 12 months away, the easiest option is to migrate away from them now. (PCI DSS v3.2, published in April 2016, later moved this deadline to June 30th, 2018, but kept the rule that new implementations must not use SSL or early TLS.)

The PCI Security Standards Council suggests supporting only TLS 1.2 for an optimal configuration, because TLS 1.2 is the only version without known protocol-level weaknesses (SSL 3.0 falls to POODLE, TLS 1.0 to BEAST-style attacks on CBC cipher suites). You may find that some of your users' devices, such as browsers on Windows XP or early Android releases, cannot negotiate TLS 1.2, so for practical reasons a TLS 1.2-only configuration may not be possible. If you do keep TLS 1.1 enabled, make sure you tune the rest of the configuration (cipher suite order, no TLS compression, no client-initiated renegotiation) to avoid the known flaws.
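Finding the directive is the easy part; knowing what it actually enables is where mistakes happen, because Apache's `SSLProtocol all -SSLv2` looks hardened and still permits SSL 3.0 and TLS 1.0, and a missing directive silently falls back to a default that includes TLS 1.0. The linter below is an added example, not from the PCI SSC or The SSL Store. It evaluates Apache `SSLProtocol` lines with mod_ssl's set/add/remove semantics and nginx `ssl_protocols` lines, and reports anything PCI DSS v3.1 rules out. Two assumptions: Apache's `all` shortcut is taken to mean SSLv3 through TLSv1.2 (an OpenSSL 1.0.x era build; it varies by httpd and OpenSSL version), and the sample configurations are constructed, not taken from any real server.

```python
"""Lint Apache and nginx protocol directives for versions PCI DSS v3.1 rules out.

Added example, not from the PCI SSC or The SSL Store.  Assumptions: Apache's
`all` means SSLv3..TLSv1.2 (varies by build), and the sample configs at the
bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

CANONICAL = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
             "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3"}
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumption, see above
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1"}   # "SSL and early TLS" in PCI DSS v3.1
DISCOURAGED = {"TLSv1.1"}                  # permitted, but the Council recommends TLS 1.2 only

DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^;#]+)", re.IGNORECASE)


@dataclass
class Finding:
    lineno: int
    directive: str
    enabled: set
    disallowed: list = field(default_factory=list)
    discouraged: list = field(default_factory=list)


def apache_enabled_versions(args):
    """Evaluate an SSLProtocol argument list the way mod_ssl does: a bare name
    or `all` replaces the set, `+name` adds to it, `-name` removes from it,
    names are case-insensitive."""
    enabled = set()
    for token in args.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        versions = APACHE_ALL if name.lower() == "all" else {CANONICAL.get(name.lower(), name)}
        if action == "+":
            enabled |= versions
        elif action == "-":
            enabled -= versions
        else:
            enabled = set(versions)
    return enabled


def nginx_enabled_versions(args):
    """nginx lists the enabled versions explicitly: 'TLSv1 TLSv1.1 TLSv1.2'."""
    return {CANONICAL.get(t.lower(), t) for t in args.split()}


def lint_config(text):
    """One Finding per protocol directive found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, args = m.group(1), m.group(2)
        enabled = (apache_enabled_versions(args) if name.lower() == "sslprotocol"
                   else nginx_enabled_versions(args))
        findings.append(Finding(lineno, line.strip(), enabled,
                                sorted(enabled & DISALLOWED), sorted(enabled & DISCOURAGED)))
    return findings


def meets_pci_v31(text):
    """True only if a protocol directive is present and enables nothing
    disallowed.  With no directive the server default applies, and on both
    Apache and nginx of this era that default still includes TLS 1.0."""
    findings = lint_config(text)
    return bool(findings) and all(not f.disallowed for f in findings)


# Constructed samples: the weak setting beside the corrected one.
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol -all +TLSv1.2\n"
NGINX_WEAK = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_FIXED = "ssl_protocols TLSv1.2;\n"

if __name__ == "__main__":
    for label, cfg in (("apache weak", APACHE_WEAK), ("apache fixed", APACHE_FIXED),
                       ("nginx weak", NGINX_WEAK), ("nginx fixed", NGINX_FIXED)):
        for f in lint_config(cfg):
            print("%-12s line %d: %-40s enabled %s disallowed %s discouraged %s"
                  % (label, f.lineno, f.directive, sorted(f.enabled), f.disallowed, f.discouraged))
        print("%-12s PCI DSS v3.1: %s" % (label, "OK" if meets_pci_v31(cfg) else "NOT OK"))
```

Point it at your real files with `lint_config(open(path).read())`, remembering to check every virtual host and included file, since a later `SSLProtocol` in a `<VirtualHost>` overrides the global one. A static lint tells you what the configuration asks for; confirm what the server actually negotiates with an external scanner once the change is deployed, because the OpenSSL build underneath can differ from what the directive implies.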

If you or your clients handle cardholder data that requires PCI compliance, consult the PCI DSS v3.1 standard directly, available here:
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

A summary of the changes specifically affecting SSL are available here:
https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf

Symantec Increases Pricing for SSL Certificates in Japan
https://www.thesslstore.com/blog/symantec-increases-pricing-for-ssl-certificates-in-japan/
Published Tue, 14 Apr 2015

On April 14th, 2015, Symantec officially announced increased prices for its brands of SSL certificates sold into Japan. As The SSL Store™ is a top web security partner of Symantec, we informed our Japan-based customers and partners that we also have to follow this new pricing policy and adjust our pricing for SSL certificates with .JP domain names.

[Image: Symantec Japan]

When you purchase an SSL certificate, our system will now apply an extra surcharge at the point where you create the CSR and configure the certificate, if the domain name ends in .JP or the administrative, billing or organizational address is located in Japan. This is mandatory for all Symantec partners around the world.

There’s No Surcharge If Your Website Is Hosted In Japan

International domain names that are hosted in Japan are not affected and won’t incur any additional surcharge. You may continue to place an SSL Certificate order for your international domain name hosted in Japan, without any surcharge being applied to your order.

Customer FAQs for the New Symantec Japan Pricing:

Q: Why is Symantec increasing its Japan pricing for SSL products?
A: Symantec advised its partners that pricing would be aligned and adjusted to encourage and reward in-market focus, investment, and support for all Symantec SSL certificates sold into Japan.

Q: Which SSL brands are affected by this Japan pricing announcement?
A: All RapidSSL, GeoTrust, Thawte and Symantec products have new Japan pricing.

Q: What happens if I order an SSL certificate for Japan but do not select the Japan region?
A: When you begin to configure your SSL certificate, we check the criteria above. If you did not select the Japan region when ordering, our system will prevent you from completing the configuration of your certificate. You will then need to contact us to arrange either a refund or an adjustment of your order to the new pricing.

Q: Will The SSL Store™ offer its Price Match Guarantee to Japan customers?
A: As one of the largest SSL certificate providers globally, The SSL Store™ sets the standard in offering a high quality SSL certificate service and has adjusted its retail pricing structure to reflect fair and reasonable pricing. If you find another supplier offering cheaper Japan pricing, we will match it.

Q: Does the new pricing also affect additional SANs (Subject Alternative Names) and Code Signing certificates?
A: Yes, you will need to pay an extra surcharge for additional SAN purchases if the domain name ends in .JP. And yes, Symantec Code Signing and Thawte Code Signing certificates are also affected by the new Japan pricing.

Symantec SSL Certificates Now Offer a FREE SAN for Base Domain Names
https://www.thesslstore.com/blog/symantec-ssl-certificates-now-offer-a-free-san-for-base-domain-names/
Published Fri, 20 Mar 2015

Symantec has just announced that its SSL certificates will now secure both the www and non-www names of a domain with a single certificate. This is big news for us and for all of our partners and customers.

[Image: Symantec-Free-San]

Finally, all Symantec SSL certificates now include the base domain as a free Subject Alternative Name (SAN), which simply means you can secure both versions of your website, www.name-of-site.com and name-of-site.com, with a single Symantec SSL certificate. This is an easy change that reduces the cost and time of managing multiple certificates for one website.

As the world’s leading brand, Symantec is always thinking about its partners’ and customers’ well-being and implementing features like this to provide the best web security solutions on the planet. Symantec SSL certificates secure a large share of the world's websites and come with strong encryption, unparalleled brand recognition and the free Norton Secured seal, which is the icing on the cake if you ask me.

Here are the three cases for Symantec SSL certificates:

  • When you enroll with Common Name as www.name-of-site.com , Symantec SSL now automatically secures and adds the non-www version of the same domain (name-of-site.com) as a SAN for free.
  • When you enroll the Common Name as name-of-site.com, Symantec will automatically add www.name-of-site.com as a free SAN.
  • For a wildcard certificate: When the enrolled Common Name is *.name-of-site.com, Symantec will automatically add name-of-site.com as a free SAN.

Details/Examples:
1) When the Common Name is www.name-of-site.com

Symantec adds the common name’s base domain as a SAN value for all certificates where the common name begins with “www” and contains no further sub-domain.

–  It is free and does not count toward the maximum number of SANs allowed.
–  It is only added if the TLD is a valid public one.

TLD type                      | Example common name        | Base domain added as a SAN?
1-level TLD (such as a gTLD)  | www.domain.com             | Yes: domain.com
1-level TLD (such as a gTLD)  | www.subdomain.domain.com   | No
2-level TLD (such as a ccTLD) | www.domain.co.uk           | Yes: domain.co.uk
2-level TLD (such as a ccTLD) | www.subdomain.domain.co.uk | No
Internal host/IP              | server.local               | No

2) When the Common Name is domain.com

Symantec automatically adds the “www” form of the common name as a SAN value for all certificates where the common name is a bare domain without any sub-domain.

–  It is free and does not count toward the maximum number of SANs allowed.
–  It is only added if the TLD is a valid public one.

TLD type                      | Example common name        | www name added as a SAN?
1-level TLD (such as a gTLD)  | domain.com                 | Yes: www.domain.com
1-level TLD (such as a gTLD)  | subdomain.domain.com       | No
2-level TLD (such as a ccTLD) | domain.co.uk               | Yes: www.domain.co.uk
2-level TLD (such as a ccTLD) | subdomain.domain.co.uk     | No
Internal host/IP              | server.local               | No

3) When the Common Name is *.domain.com (Wildcard SSL)

Symantec automatically adds the common name’s base domain as a SAN value for all certificates where the common name is a wildcard directly under the base domain. This matters because a wildcard matches exactly one label: *.domain.com covers www.domain.com but not domain.com itself, so without this SAN the bare domain would be unprotected.

–  It is free and does not count toward the maximum number of SANs allowed.
–  It is only added if the TLD is a valid public one.

TLD type                      | Example common name        | Base domain added as a SAN?
1-level TLD (such as a gTLD)  | *.domain.com               | Yes: domain.com
1-level TLD (such as a gTLD)  | *.subdomain.domain.com     | No
2-level TLD (such as a ccTLD) | *.domain.co.uk             | Yes: domain.co.uk
2-level TLD (such as a ccTLD) | *.subdomain.domain.co.uk   | No
Internal host/IP              | *.server.local             | No

The following Symantec-brand SSL products gain this enhancement:

Symantec                    | Thawte                  | GeoTrust
Secure Site Pro with EV SSL | Web Server with EV      | True BusinessID with EV
Secure Site with EV         | SGC Supercerts          | True BusinessID
Secure Site Pro             | SSL Web Server          | -
Secure Site Wildcard        | SSL Web Server Wildcard | True BusinessID Wildcard
Secure Site SSL             | SSL123 (DV But Allow)   | -

*GeoTrust already offers domain.com as a free SAN when the common name is www.domain.com, but will now also add www.domain.com as a free SAN when the common name is domain.com.
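The three tables above are one rule: strip the leading `www.` or `*.`, and the free SAN is granted only if what remains is exactly the registrable base domain of a public TLD. The function below encodes that rule; it is an added example, not Symantec's or The SSL Store's code. Telling `domain.co.uk` apart from `subdomain.domain.com` needs the Public Suffix List, so the two small suffix sets here are an assumed stand-in for illustration; real code should load the full list.

```python
"""Which extra name is added for free under the www / bare / wildcard rules.

Added example; not Symantec's or The SSL Store's code.  The suffix sets are an
assumed stand-in for the Public Suffix List.
"""

# Assumption: a tiny stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "co.jp", "com.au"}
ONE_LABEL_SUFFIXES = {"com", "net", "org", "uk", "jp", "au"}


def registrable_domain(name):
    """The 'base domain' of a hostname: the public suffix plus one label.
    Returns None for names like server.local whose suffix is not public, and
    for a bare suffix such as co.uk."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    if (len(labels) >= 2 and labels[-1] in ONE_LABEL_SUFFIXES
            and ".".join(labels[-2:]) not in TWO_LABEL_SUFFIXES):
        return ".".join(labels[-2:])
    return None


def free_san_for(common_name):
    """The extra SAN added at no charge for this Common Name, or None.

        www.<base>  -> <base>
        *.<base>    -> <base>
        <base>      -> www.<base>

    Anything deeper than the base domain, and any internal host, gets nothing."""
    cn = common_name.lower().rstrip(".")
    if cn.startswith("www."):
        host = cn[len("www."):]
        return host if registrable_domain(host) == host else None
    if cn.startswith("*."):
        host = cn[len("*."):]
        return host if registrable_domain(host) == host else None
    return "www." + cn if registrable_domain(cn) == cn else None


def names_secured(common_name):
    """Every name the issued certificate will cover, common name first."""
    extra = free_san_for(common_name)
    return [common_name] + ([extra] if extra else [])


if __name__ == "__main__":
    for cn in ("www.domain.com", "www.subdomain.domain.com", "domain.co.uk",
               "*.domain.co.uk", "*.subdomain.domain.co.uk", "server.local"):
        print("%-28s -> %s" % (cn, names_secured(cn)))
```

Before ordering, run `names_secured()` on the exact common name you plan to enroll and check that every hostname your site answers on appears in the result; a certificate for `*.subdomain.domain.co.uk`, for instance, gets no free SAN, and `subdomain.domain.co.uk` itself must be added and paid for like any other SAN.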

Airline Wi-Fi Provider Gogo Has Been Intercepting User Traffic
https://www.thesslstore.com/blog/airline-wi-fi-provider-gogo-intercepting-user-traffic/
Published Tue, 20 Jan 2015

If you have ever flown on a US airline, chances are you have seen an advertisement for an in-flight Wi-Fi service provided by Gogo. While Gogo is certainly appealing to most travelers in this day and age, a revelation has come to light recently about this service that you should probably be aware of.

[Image: gogo_inflight_internet]

This past week, Adrienne Porter Felt, a security engineer at Google, discovered that Gogo was presenting a forged certificate in place of YouTube.com’s real SSL certificate. The certificate was self-signed by Gogo and used together with a proxy server. It was easy to spot because a browser refuses a certificate that does not chain to a trusted certificate authority and shows a warning for it, so the interception only works against users who click through that warning.

The purpose of this behavior is to insert Gogo's own proxy server between the user and YouTube.com, a “man in the middle” (MITM). By terminating the TLS connection at its proxy, Gogo could see users' YouTube traffic unencrypted, which it used to throttle or block connections to the bandwidth-intensive video streaming site.

Enforcing usage policy is fairly standard for Internet service providers, and because SSL/TLS encrypts traffic it makes such monitoring and restriction harder. But by MITMing traffic to YouTube, Gogo stepped far over the boundary of acceptable behavior, especially since it had alternatives that respect user privacy, such as rate-limiting connections by destination without decrypting them.

This is especially troubling given Gogo’s history. Neowin.com reports that “earlier this year, it was revealed through the FCC that Gogo partnered with government officials to produce ‘capabilities to accommodate law enforcement interests’ that go beyond those outlined under federal law.” [3]

We hope it goes without saying, but just to be clear, The SSL Store™ does not support this action, or any other action(s) which undermine SSL security and user perception of security.

For more on this story, please see the write-up by Rick Andrews of Symantec at CASecurity.org.

[3] http://www.neowin.net/news/gogo-inflight-internet-is-intentionally-issuing-fake-ssl-certificates

4 & 5 Year SSL Certificates Being Discontinued in 2015
https://www.thesslstore.com/blog/4-5-year-ssl-certificates-being-discontinued-in-2015/
Published Wed, 17 Dec 2014

The post 4 & 5 Year SSL Certificates Being Discontinued in 2015 appeared first on .

]]>
On March 1st, 2015, The SSL Store™ will discontinue offering SSL certificates with validity periods of 4 and 5 years.

This is in accordance with new guidelines set forth by the Certificate Authority/Browser (CA/B) Forum, the governing body of the SSL industry. This update will affect all SSL certificates in the industry, including the entire product catalogs of Symantec, Comodo, Thawte, GeoTrust, and RapidSSL. (EV certificates are already limited to a maximum of two years so they are not affected by this change).

Please note that any active 4 or 5 year certificate that is reissued after the March 1st, 2015 deadline will automatically be truncated to the new maximum permissible duration, which is 39 months. Any active 4 or 5 year certificate that is reissued before this deadline will be unaffected. Therefore, The SSL Store™ strongly recommends that any new SSL purchase be for a maximum of 3 years, in order to avoid losing time and money to a reissue.

To help further prepare for this change, we have amended all of our product pages to include a new yellow drop-down box that appears whenever a 4 or 5 year certificate is selected for purchase. The new drop-down box briefly explains this update and emphasizes that all 4 or 5 year certificates reissued after the March 1st deadline will be truncated to the new maximum industry standard of 39 months.

(Image: the 4 and 5 year options closed for SSL certificates)

Ultimately, this is good news for the SSL industry, as certificates with shorter lifespans make security updates much easier and more streamlined. So, recent updates like the SHA-2 upgrade, internal domain issuance, and more industry-wide enhancements that have become quite commonplace with SSL will be much less of a hassle.

Also, certificates with shorter lifespans will offer more in the way of security, as companies will have to reaffirm their identities in a more timely fashion. It goes without saying that trust and security are of paramount importance to the SSL market, so any effort to enhance either of these components is good for the overall health of the market.

We would advise all of our partners to begin informing their customers of this impending industry change. If you have any questions about deprecation of 4 and 5 year SSL certificates, please feel free to contact our Customer Experience department via support@theSSLstore.com, Live Chat on our website, or directly at +1 727-388-4240.

10 Important Factors That Make Symantec™ SSL Certificates #1
https://www.thesslstore.com/blog/10-secrets-that-make-symantec-ssl-certificates-number1/
Tue, 16 Dec 2014 04:00:23 +0000

Symantec™ Corporation is a US-based internet security and technology company, founded by Gary Hendrix in 1982. It is a global, publicly traded company (NASDAQ: SYMC) operating in many different sectors of the security industry, such as anti-virus applications, data storage and backup solutions, SSL certificates and other website security solutions.

As per W3Techs’s (Web Technology Surveys) report, Symantec™ Corporation is the top Certificate Authority (CA) with the largest market share of almost 37.3%.

(Image: Web Technology Surveys chart of Symantec SSL market share)

Top 10 Reasons that Easily Make Symantec™ the #1 Choice:

Here are a few important factors to consider about Symantec™ before choosing an SSL certificate provider.

  1. SSL Industry Leader: *****

    • Back in 2010, Symantec™ acquired the identity and authentication business from VeriSign™ which was the leader in SSL & Code Signing Certificate services at the time.
    • With a market share of more than 37.3%, Symantec™ was able to leverage the power of the Symantec™ and Norton™ brands to become the SSL security giant they are today, with the highest number of satisfied certificate customers spread all over the world.

  2. #1 Encryption and Cryptography Technology: *****

    Symantec™ offers industry-standard SSL certificates, all with a 2048-bit key length and encryption strength of up to 256-bit, as well as the latest encryption technology, ECC (Elliptic Curve Cryptography), which is stronger, lighter and faster. There are also premium features included with all Symantec™ branded certificates, such as a daily vulnerability assessment and malware scanner that ensure high-level website security on multiple fronts. This not only provides trusted, safe communication, it greatly improves users’ trust and confidence, encouraging them to share sensitive information and engage with a website.

    All Symantec™ SSL certificates are signed with the SHA-2 hash algorithm. SHA-2 is a family of six hash functions producing digests of 224, 256, 384 or 512 bits, which makes it very difficult for any hacker to even come close to breaking.

  3. Offers a Multi-Purpose Solution: *****

    Whether the need is to secure a small, medium or large website, a piece of software, a file or an application, an e-commerce website, or a website with multiple domains and sub-domains, Symantec™ has a security solution for every scenario.

    Symantec™ offers:

    • Strong SSL encryption to protect any small/medium/large website, including the one-and-only ECC signed certs.
    • Code Signing certificates to protect code on any software, files and applications.
    • EV SSL certificates to secure e-commerce websites and online business transactions and to display that security to visitors.
    • Wildcard certificates to cost-effectively protect websites with multiple sub-domains and SAN SSL certificates to secure the multiple domain websites.
    • Vulnerability scanning & malware detection to take website security even further.

  4. Unprecedented Brand Power & Recognition: ****

    Symantec™ happens to own one of the most globally recognized internet security brands known to the world, Norton™. They were able to leverage this brand power and awareness established from the leading anti-virus software, Norton™ Anti-Virus, right into the SSL industry to help people actually know that they are on a safe & secure site protected by an established & trusted brand.

  5. A Fast Verification Process: ****

    Symantec™ offers one of the fastest and most streamlined verification processes.

    Once you’re done placing the order and sending the necessary documents to Symantec™, their highly experienced team will quickly be able to navigate through all of your documentation, to quickly issue your SSL certificate and have it ready for you to install it on your server.

  6. 24/7 Live Support from Experts: *****

    Compared to other Certificate Authorities (CAs), Symantec™ is leaps and bounds ahead of them when it comes to providing quick and responsive customer care & support if the need arises.

    Symantec™ provides:

    • Phone Support
    • Live Chat Support
    • E-mail Support
    • Quick SSL Installation Guides
    • Social Media Support

    Symantec™ has a team of expert support representatives, who promptly assist their customers 24/7 via phone call, e-mail and live chat.

    Symantec™ also provides access to quick SSL installation guides to help users troubleshoot any SSL errors instantly.

    Customers can also directly reach out to Symantec™ by using various Social Media platforms. Their social media support team is active at all hours of the day.

  7. Eliminates Browser Security Alerts and Pop-up Messages: *****

    Symantec™ SSL certificates are designed not only to secure websites effectively, but also to eliminate browser errors. This way, when a user logs on to a website protected by a Symantec™ SSL certificate, the browser loads the site without displaying any errors or warnings.

    If a software/application/file is protected with a Symantec™ Code Signing certificate, end-users won’t see pop-up error messages on any web-based or mobile based platforms during the installation process.

  8. Compatible with Modern Browsers: *****

    Symantec™ is committed to giving complete digital security for website/server/software. Whether it’s an older version browser or modern web browser, Symantec™ SSL certificates are highly compatible with all browsers including mobile browsers. Symantec has the best browser and mobile public root ubiquity of all CAs, which will enable an organization to better implement Always On SSL.

  9. Industry-Best Extended Warranty: *****

    Symantec™ is so confident in its encryption strength and in the infrastructure of its entire business and SSL product line that it offers an unmatched, extremely high warranty to further enhance user confidence and trust. If your website is protected with a Symantec™ SSL certificate and that protection somehow fails as a result of Symantec’s mishandling or wrongdoing, Symantec™ will, as per its company policy, cover affected transactions up to the specified warranty amount. Their warranties are as high as $1,750,000, by far the largest in the industry.

  10. Advanced SSL Tools: *****

    Symantec™ offers advanced SSL tools to all of its customers, which help install SSL certificates and check their detailed status.

    Symantec™ SSL Tools

    1. CSR Checker

      When you start installing your SSL certificate on the server, you first need to generate a CSR (Certificate Signing Request) for your server. After generating a CSR, you must check whether it will work for you. This ‘CSR Checker’ helps you to check the CSR that you have generated.

    2. SSL Checker – To check the installation of SSL certificate.

      After installing an SSL certificate on your server, you must check that it was installed properly. This SSL Checker tool helps you check the installation and status of your SSL certificate.

Conclusion:

In the wake of daily cyber-crimes, website security is a major concern for all web users. And after reading all the above factors, we can surely say that Symantec™ is the ultimate solution for securing websites, online business transactions, customers’ sensitive information and also for securing code for software/applications/files.

Limited POODLE Attack Resurfaces in TLS
https://www.thesslstore.com/blog/limited-poodle-attack-resurfaces-tls/
Thu, 11 Dec 2014 08:34:18 +0000

Back in October, we published an extensive article about an attack called POODLE that affected old versions of the SSL protocol (specifically, SSL 3.0). This attack had the potential to affect nearly 98% of the Internet, as many servers still supported this older version of the protocol.

(Image: POODLE vulnerability)

But now it has been revealed that POODLE is back, this time with the ability to affect even the newest version of the protocol [1].

Any time we visit the topic of SSL protocol attacks, we should remember this brief history lesson about SSL naming: the earliest versions of the protocol were named SSL 2.0 and SSL 3.0. Then, in 1999, the next version of the protocol was renamed TLS 1.0. Since then, all new versions have been named TLS, for Transport Layer Security, rather than Secure Sockets Layer. Today, the newest version is TLS 1.2.

The POODLE attack was previously thought to work only on SSL 3.0 because it took advantage of a flaw whereby a section of the message (specifically, the message padding) could be changed by an attacker; this was due to under-specification of the early protocol. Successors to SSL 3.0 have since corrected this. However, some implementations of these newer protocols may still be vulnerable: while the specifications of TLS 1.1 and 1.2 require that the message padding be verified, it is impossible to ensure all implementations follow this rule, and clients (web browsers) cannot effectively check for this [2].
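
As an added example (not code from the original post), the following Python contrasts the SSL 3.0 padding rule with the TLS 1.1/1.2 rule described above, using constructed decrypted records; the MAC is left out so that the padding check stands alone.

```python
# Added example, not from the original post: contrasts the SSL 3.0 padding rule
# with the TLS 1.1/1.2 rule. Inputs are constructed plaintext records as the
# receiver sees them after CBC decryption; the MAC is omitted to isolate padding.
BLOCK_SIZE = 16  # AES block length in bytes


def ssl3_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0 (RFC 6101): only the final byte, the padding length, is checked.
    It must be smaller than the block size. The padding bytes themselves are
    unspecified, so a receiver accepts whatever values they hold."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK_SIZE and len(plaintext) >= pad_len + 1


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.1/1.2 (RFC 5246, 6.2.3.2): the padding length may be 0..255 and
    every padding byte must equal the padding length. Skipping this byte-by-byte
    check is the implementation flaw that lets POODLE work against TLS."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if len(plaintext) < pad_len + 1:
        return False
    # Fold every byte into one result instead of stopping at the first mismatch,
    # so the amount of work does not depend on which padding byte was wrong.
    mismatch = 0
    for b in plaintext[-(pad_len + 1):]:
        mismatch |= b ^ pad_len
    return mismatch == 0


def build_record(payload: bytes) -> bytes:
    """Pad payload TLS-style so the record is a whole number of blocks."""
    pad_len = (BLOCK_SIZE - (len(payload) + 1) % BLOCK_SIZE) % BLOCK_SIZE
    return payload + bytes([pad_len]) * (pad_len + 1)


def scramble_padding(record: bytes) -> bytes:
    """Constructed damaged record: the padding bytes are altered but the final
    length byte is intact, i.e. the padding block decrypted to the wrong content."""
    pad_len = record[-1]
    body = record[: len(record) - pad_len - 1]
    return body + bytes([pad_len ^ 0xFF]) * pad_len + bytes([pad_len])


def compare_checks(plaintext: bytes) -> dict:
    """Apply both rules to one decrypted record."""
    return {"ssl3": ssl3_padding_ok(plaintext), "tls": tls_padding_ok(plaintext)}


if __name__ == "__main__":
    good = build_record(b"GET /account HTTP/1.1")  # constructed request line
    print("intact padding :", compare_checks(good))                    # both accept
    print("damaged padding:", compare_checks(scramble_padding(good)))  # only SSL 3.0 accepts
```

The second print is the whole story of POODLE in one line: a receiver that only looks at the length byte cannot tell damaged padding from valid padding, and a TLS stack that skips the full check behaves exactly like SSL 3.0.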

Security researchers Brian Smith and Adam Langley have been quietly working since October [3], confirming the suspicion that the POODLE attack could be used against newer versions of the protocol. They found a few notable vulnerabilities in enterprise-level hardware, specifically devices made by two network equipment companies, F5 and A10.

The good news is that this new vulnerability is estimated to affect under 10% of servers [4]. Unlike the first round of POODLE, this vulnerability is not due to a flaw in the protocol specification but to flaws in specific implementations of it.

This attack can be executed with similar efficiency to POODLE against SSL 3.0, but with a much smaller number of potentially affected targets. Remember that both POODLE attacks require an active network attacker and the ability to inject JavaScript into a client’s browser, and need only around 4096 requests on average to succeed (this may sound like a lot, but it is quite practical to achieve).

This time around, a much smaller group of servers are affected and we believe these will be quickly patched by the server administrators who attend to them. F5 and A10 have released patches today for their devices which solve this issue. If you are affected by this please visit this page for F5 devices and this page for A10 to get the relevant patches and information.

  1. https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
  2. https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
  3. https://www.imperialviolet.org/2014/12/08/poodleagain.html
  4. See the final paragraph in this article, where Ivan Ristic says the latest SSL Pulse statistics reveal 10% of servers were vulnerable.

SAN/UCC SSL Certificates Will Not Work for Internal Domain Names after November 1, 2015
https://www.thesslstore.com/blog/san-ucc-ssl-certificates-no-longer-work-for-internal-domain-names/
Thu, 27 Nov 2014 06:54:15 +0000

Are you shocked after reading the headline? Yes, it is true that all SAN/UCC SSL certificates will stop working for internal server domain names from 1st November, 2015.

(Image: CA/B Forum)

As per the CA/Browser Forum (CA/B), the regulatory body that governs the SSL industry, one of the new changes is the elimination of certificates for internal names. After 2015, this change makes it impossible to obtain a publicly trusted certificate for any host name that cannot be externally verified as owned by the organization requesting the certificate.

This does not mean you can no longer use SSL certificates internally. Internal websites and networks simply need to transition to delegated domain names or registered IP addresses. For instance, “mynetwork.internal” cannot be reliably verified as owned by only one company or party, so it is a security risk to have multiple certificates issued for that same name. If your internal network uses a similar internal name, it just needs to be transitioned to a registered domain name, such as “mynetwork.com”. That domain does not need to resolve in the public DNS or lead to a publicly available page.

The CA/B Forum’s new requirements also disallow internal domain names in the Subject Alternative Name (SAN) extension. If a certificate application does include a disallowed domain, the CA may automatically reject the order or notify the applicant that the use of internal names has been deprecated.

To summarize, Certificate Authorities shall not issue a certificate containing an internal name with an expiry date later than 1 November 2015. Certificates with validity periods past that date may also lose their internal names the next time they are reissued.

Here are some quick FAQ answers to your basic questions:

What is SAN/UCC SSL Certificate?

(Image: How Multi Domain SSL Works)

Names you can and cannot use in an SSL certificate for your internal domain names or internal server names:

No longer allowed:

  • mycompany.internal
  • mycompany.priv
  • mail.mynetwork.server
  • 192.168.1.1

Use these instead:

  • www.mycompany.com
  • mycompany.com
  • www.mycompany.net
  • mail.mycompany.com

What Is Internal Server Name?
An internal name is a domain name or IP address that is not actually registered. Common examples of internal names are:

  • Any server name with a non-public domain name suffix. For example, www.company.local or server1.company.internal.
  • NetBIOS names or short hostnames, anything without a public domain. For example, Web1, ExchCAS1, or Frodo.
  • Any IPv4 address in the RFC 1918 range.
  • Any IPv6 address in the RFC 4193 range.
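
Added here as an example (it is not code from the original post), this Python applies the four rules above to a list of SAN entries so that disallowed names can be found before a reissue strips them; the set of non-public suffixes is a constructed stand-in for a proper public-suffix lookup.

```python
# Added example, not from the original post: audits a certificate's Subject
# Alternative Name (SAN) entries against the four kinds of internal name listed
# above, so disallowed names can be found before a reissue truncates them.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC4193 = ipaddress.ip_network("fc00::/7")

# Constructed stand-in for a real public-suffix lookup: suffixes treated here as
# not delegated in the public DNS. A production check would consult the IANA root
# zone or the Public Suffix List instead of a fixed set.
NON_PUBLIC_SUFFIXES = {"local", "internal", "priv", "lan", "corp", "server"}


def classify_san_name(name: str):
    """Return (is_internal, reason) for one SAN entry."""
    name = name.strip().rstrip(".").lower()
    if not name:
        return True, "empty name"
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 4 and any(addr in net for net in RFC1918):
            return True, "IPv4 address in an RFC 1918 private range"
        if addr.version == 6 and addr in RFC4193:
            return True, "IPv6 address in the RFC 4193 unique-local range"
        if not addr.is_global:
            return True, "IP address that is not globally routable"
        return False, "registered public IP address"
    labels = name.split(".")
    if len(labels) == 1:
        return True, "NetBIOS or short hostname without a domain"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return True, "non-public domain suffix ." + labels[-1]
    return False, "publicly delegated domain name"


def audit_san_list(names):
    """Split SAN entries into those still allowed and those that must be replaced,
    the latter mapped to the reason they fail."""
    allowed, disallowed = [], {}
    for n in names:
        internal, reason = classify_san_name(n)
        if internal:
            disallowed[n] = reason
        else:
            allowed.append(n)
    return allowed, disallowed


if __name__ == "__main__":
    # Constructed SAN list mixing the examples from the post with public names.
    sans = ["mail.mycompany.com", "mycompany.internal", "ExchCAS1",
            "192.168.1.1", "fd12:3456::1", "www.company.local"]
    ok, bad = audit_san_list(sans)
    print("allowed   :", ok)
    for name, why in bad.items():
        print("disallowed:", name, "->", why)
```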

What Do You Need to Do?

If you have multiple server names and want to secure them with trusted SSL certificates, you need to reconfigure all those servers to use a public name. Some exceptions can be made if you need more time to transition; for these cases please contact us directly. All internal connections that require a publicly trusted certificate must use names that are publicly delegated and verifiable (it does not matter whether those services are publicly accessible).

How to Redirect Internal Names to Use a Registered Domain Name

If you are using a single SSL certificate to secure the internal domain names of your Exchange Server for internal communication, you will need to change all of those internal domain names to public domain names in order to keep using SSL certificates.

To reconfigure your domain to use only the external domain name you have a couple of options. If you are using Active Directory, you can migrate an internal Active Directory domain to a registered external name. This changes the internal FQDN of your Exchange Servers so that they point to a valid subdomain of your registered external domain (e.g. from Server01.yourcompany.internal to Server01.yourcompany.com), allowing you to use a SAN or UCC certificate to secure these names.

Alternatively, you can redirect the internal names to the external mail URL, but this method does not allow access to mail through the Outlook Anywhere service, so users connecting over a VPN would have connection problems.

Redirecting your Exchange Server to use the External DNS Name

To update your Exchange 2007 or Exchange 2010 server, run the following commands from the Exchange Management Shell, replacing HostName with the server running the Client Access Server role and mail.yourdomain.com with your external domain name. These commands update the URLs for the Autodiscover service, Exchange Web Services (EWS) and the web-based Offline Address Book (OAB) respectively.

Before running these commands, make sure a DNS record exists mapping the external name to the IP address of the Exchange Client Access Server (CAS).

Note: each of the commands below should be run on a single line in the Exchange Management Shell (EMS):

  1. Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
  2. Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
  3. Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

Next, to make these changes take effect, tell IIS to pick them up by recycling the application pools.

  1. Open IIS Manager by clicking Start, then entering inetmgr.
  2. Expand the server, expand Application Pools, right-click MSExchangeAutodiscoverAppPool, and select Recycle.

The Last Word:

Please contact our SSL experts to “Resolve” your SAN/UCC SSL certificate issue.
