The Real Truth About TLS Vs SSL- The Difference May Surprise You!
https://www.thesslstore.com/blog/the-real-truth-about-tls-vs-ssl-the-difference-may-surprise-you/
Mon, 24 Aug 2015 10:11:41 +0000

When you are researching SSL Certificates, or if you already work with SSL (Secure Sockets Layer) to secure your online business, websites or any communication, you may come across another secure communications protocol: TLS (Transport Layer Security).

The majority of people who are connected with online business know SSL provides a secured, encrypted communication between a client and a server. But you may be wondering what TLS is, and scratching your head about the difference.


Luckily, the truth is simple. TLS is simply a newer name for SSL. TLS was first introduced in 1999 as an upgrade to SSL Version 3.0 and was written by Christopher Allen and Tim Dierks. As stated in their original paper, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0”.

So in reality, when you are talking about SSL today, you should really be saying TLS instead. However, the majority of people still say SSL instead of TLS, and that’s why major brands like Symantec, Thawte, Comodo, and GeoTrust didn’t change the names of their products from SSL Certificates to TLS certificates, and software that enables SSL on a server, such as OpenSSL, didn’t change its name to OpenTLS.

The certificates themselves have been expanded over time to support all the versions of SSL and TLS, so you don’t need to worry that you may be buying an incompatible certificate.

Is SSL itself really dead?

No, not completely. However it should be. Let’s explain…

Overall there are 5 different versions of SSL and TLS. Each made improvements on the version before it. However, not all computers and servers support all 5 versions, so a key part of setting up a secure connection is having the client and server agree on which protocol to use. When the client establishes the connection with the server there is a process called a “handshake” where the client and server choose the protocol version. In some cases a lack of mutual support will result in them using an older protocol, such as SSL 3.0.

While we still talk about SSL and TLS as if they are the same, there are major technical differences between the newest version of TLS (which is Version 1.2) and the last version of SSL that was released (which was SSL 3.0). So using SSL 3.0 today can be dangerous.

Most devices now support TLS; however, there is a way to force a connection to use the older and insecure SSL versions, known as a “downgrade attack”. Unfortunately, SSL 3.0 has weaknesses that hackers can exploit, giving them the incentive to try to force servers to downgrade to SSL 3.0.

That being said – you shouldn’t worry too much. Supporting the most modern, secure versions of SSL is simply a matter of updating your server configuration. All SSL Certificates are capable of using any protocol version of SSL or TLS – so that’s not something you need to worry about when shopping for a certificate.

How can old versions of the SSL protocol be used to weaken Internet security?

In 2014, researchers at Google disclosed the ‘POODLE’ vulnerability, which could allow attackers to decrypt encrypted connections to websites that use the SSL 3.0 protocol using a “man in the middle” attack – a popular way to intercept data.

This is where the hacker inserts a process in between the client and server through which their communication passes, allowing the hacker to listen in on a private communication. The hacker may also be able to redirect the client to a web site controlled by the hacker where the hacker will infect the client with malware and/or commit financial fraud.

The “Coffee Shop” attack is the perfect example of a “Man in the Middle” attack. In this case, a hacker sitting in the coffee shop sets up a laptop to broadcast a WiFi signal that looks the same as the “Coffee Shop’s WiFi”. The victim then carelessly connects to the hacker’s WiFi signal instead of the Coffee Shop WiFi, and all of the victim’s traffic is now available to the attacker to intercept and record. This type of attack would usually be stopped if the connection was encrypted. However, with the POODLE vulnerability, it would be theoretically possible to decrypt some data from sessions that are secured with SSL 3.0.

Fortunately, there is a simple solution: SSL 3.0 can be disabled on a server and/or in the client’s browser. If either party does not support the insecure version, there is no way to “fall back” to SSL or execute the attack.

You can check to see if a web site has SSL 3.0 enabled as follows: enter your website URL at https://sslanalyzer.comodoca.com. Sites with SSL 3.0 will be reported as ‘Vulnerable to the POODLE attack’. You can check to see if your browser has SSL enabled at the following web site: https://www.poodletest.com/

Extended Validation SSL Certificates Secure Your Online Business with Strong Encryption
https://www.thesslstore.com/blog/extended-validation-ssl-certificates-secure-your-online-business-with-strong-encryption/
Fri, 07 Aug 2015 06:57:11 +0000

If you have a business that relies on ecommerce transactions, you want to ensure that customers feel confident about the safety of their online purchase with your organization. Not only is it a matter of providing good customer service, but it is essential to enable safe online sales by providing a recognizably secure website for online transactions.
The popularity of ecommerce is undeniable. But the proliferation of phishing sites is staggering. The Internet Policy Committee APWG published a report titled “Global Phishing Survey: Trends and Domain Name Use in 2014” stating that:

  • Apple became the world’s most phished brand in 2014.
  • Chinese phishers were responsible for 85% of the domain names that were registered for phishing
  • Malicious domain and subdomain registrations continue to grow exponentially, exceeding historical levels; driven primarily by increased volume activity by Chinese phishers.
  • Mass hacking of multiple shared hosting sites accounted for 20% of all new phishing attacks in 2014.

The report also discussed that phishing targets were dispersed over a variety of sectors and consumer products and services, indicating that criminals were searching through multiple sources for vulnerabilities. Any time a large organization is successfully hacked and the data is compromised (particularly personal information or financial data) the public becomes more distrustful of online purchases and sharing confidential credentials online. This is why the EV SSL (Extended Validation) Certificate is so important – it provides secure shopping and peace of mind.

How to Qualify for a Premium EV SSL Certificate

To become certified to use an EV SSL Certificate, you must be an incorporated company and one that is legally registered. In addition to being a registered company, your organization must be recognized as being in “Good Standing” (or a similar status that indicates the business records are up to date and valid).

Companies that are registered as partnerships, associations, businesses with “Doing Business As” (DBA) status, or sole proprietorship entities may also qualify for a premium EV SSL Certificate. However, there are some additional steps required that will be detailed once you apply.

The Value of EV SSL Certificates

When consumers visit a website secured with an EV SSL certificate, the browser address bar turns green and a special field appears with the name of the business the certificate belongs to. EV SSL provides an extra layer of protection for consumers and website operators by requiring third-party Certificate Authorities (CA) to follow a strict issuance and management process, as defined by the CA/Browser Forum, for certificate approval and delivery.

EV SSL has become a “must have” for businesses that want to maximize their online growth potential. Symantec™ SSL Certificates with EV and the EV “green bar” help e-commerce websites:

  • Reduce abandoned shopping carts
  • Improve conversion rates
  • Comply with regulatory standards

According to a survey conducted by Netcraft.com in June of 2015, there were 863,105,652 websites in existence on the web. If 20% of the sites are confirmed phishing sites or more, consider the value of an EV SSL Certificate, and what it means to both your business and protection from liability as well as the purchase confidence of your online customers.

    5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam
    https://www.thesslstore.com/blog/5-ways-to-determine-if-a-website-is-fake-fraudulent-or-a-scam/
    Mon, 20 Jul 2015 12:57:27 +0000

    As the internet evolved, so did the ways in which we interact with it. Virtually every aspect of our daily lives has been mirrored on the Internet. When you log in to your online banking portal you are trusting that your bank is safely and discreetly managing your personal financial information – just as you would when you sit down with a bank employee in their office. With day-to-day life becoming increasingly dependent on using the Internet, a passive ability to detect fraudulent or fake websites becomes increasingly important.

    Security is our number one priority at The SSL Store so our panel of Internet Security Specialists have assembled a list of good practices that you can implement starting today to improve your passive ability to detect fraud.

    Tip #1: Pay Close Attention to the URL Requesting Your Credentials

    Always check the URL in the address bar! Perhaps the most common phishing attack is performed by a phisher using a URL that closely resembles another URL. The URL is the primary means of reaching any website on the Internet, and it must be entered correctly in order to reach the right website. If you have any doubts about a given URL, such as when it has moved to another domain name as in the case below, you should contact the firm about their information.

    FakeWebsite-Testing

    Tip #2: Identify the layers of security such as the trust seal, padlock, green address bar, and https:// protocol.

    The most common tactic to steal online information or data is cloning the original website and cleverly asking users for confidential information. You must pay close attention to website content (i.e. misspellings and grammatical errors) and check the various security layers such as the website trust seal, https, site lock, etc. Shown below are two sites, one of which is using various layers of security (pictured left) and the other site is not using any layers of security (pictured right).

    Remember that your top priority is identifying who operates the website. These security layers are good indicators of a legitimate website, but on their own they do not prove it.

    FakeWebsite-Testing2

    Tip #3: Identify whether the site is using an expired SSL Certificate.
    When SSL certificates expire, you may get a warning notifying you of the expiration, or you may notice the https text and padlock icon are crossed out in red. An expired SSL certificate can still encrypt your communication, but you can’t put much trust that the source is what it claims to be.

    Expired SSL certificates are particularly susceptible to man-in-the-middle attacks. Due to this vulnerability, contacting the firm directly to complete the transaction is suggested, as the validity of the certificate has been compromised.

    FakeWebsite-Testing3

    Tip #4: Identify whether the site is using an EV SSL Certificate.

    Sites that use Extended Validation (EV) SSL show a green address bar featuring the legally registered company name and country. This obvious visual cue takes the guesswork out of identifying legitimate websites. Shown in the image below are two sites: one that is using an Extended Validation certificate (pictured right) and one without (pictured left).
    FakeWebsite-Testing4
    Extended Validation websites belong to firms that have been validated by a 3rd party authentication process, and are authorized for having secure business transactions over the Internet. Because of the strict checks required by EV (Extended Validation) SSL, it is very hard for a fraudulent user to obtain one.

    Tip #5: Learn to Spot the Telltale Signs of a Secure Site.
    At minimum, it should have a URL that starts with https://, and it should have a padlock icon in the browser address bar – NOT on the site’s page. These show the site is protected with Secure Sockets Layer (SSL), a cryptographic protocol that provides communication security.
    FakeWebsite-Testing5

    You should follow all of the tips above when trying to detect fraud:

    • Check the expiration date of a site’s SSL certificate.
    • Be sure the https:// security protocol is enabled.
    • Look for the padlock in the browser frame.
    • Keep an eye out for the website’s trust seal before providing any personal information.

    2015 Technology Trends, their Security Risks & Safety Tips
    https://www.thesslstore.com/blog/2015-technology-trends-their-security-risks-safety-tips/
    Mon, 13 Jul 2015 06:32:54 +0000

    According to reports conducted by various research and technology firms, 2015 will be continuing many of 2014’s innovations and disruptive technologies. The entire technology landscape is forecast to triple with more mobile apps and devices entering the market. Data center traffic is expected to reach more than 600 exabytes per month. Just in case you didn’t know, 1 exabyte is equivalent to 10,000 terabytes.

    Then there are self-driving cars, bendable displays, air-charged batteries, holographic teleconferencing, wearable mobile devices, and 3D printing breakthroughs. These are just a few technology trends that people are looking out for in 2015, with many more innovations expected to enter the market throughout the year.

    Together with these exciting events also come worrisome security threats that have not been dealt with properly in the past or are being driven by the latest innovation. For instance, trust flaws in IPv4 that still exist in IPv6 may be capitalized on by cyber criminals.

    A shift from BIOS to rich boot environments such as UEFI can result in new types of attacks from rootkits and bots as well. As technology becomes more popular and pervasive, so does its potential to create problems when mishandled and mismanaged.

    Mobile Apps, Payment and Devices

    Gartner is predicting that the sales of both tablets and smartphones could reach up to 385 million units in 2015. With that in mind, there will be a need to serve all those users in diverse contexts and diverse environments. With the rapidly expanding market of mobile devices, there’s also an ever expanding question of the security of those devices. At the moment the majority of malware that’s built for the devices is targeted primarily at Android, but that could change over time.

    Luckily, there are a few obstacles hindering the widespread proliferation of malware into the market. One of those obstacles is validated application delivery, which makes the installation of malware quite difficult. Other obstacles include address space layout randomization (ASLR), sandboxing and automatic updates, which make mobile platforms difficult to target. Nevertheless, the popularity of this platform may push cyber criminals to innovate as well, commercializing the industry of non-PC hacking.

    Over the past few years, there’s been an increase in attacks targeting mobile payment systems. This led to the development of security features that are built to prevent theft. Some of those very same security features are the ones that could actually pose threats in the future.

    There is an increase in attacks on mobile payment systems, but at the moment cyber criminals are continuing to focus their abuse on traditional credit and debit cards since they are easier targets for now.

    Internet of Things (IoT)

    The scenario where objects such as appliances and devices are able to transfer data over a network without human intervention is part of a concept coined the “Internet of Things”. With this advancement it will be possible to make our everyday objects more connected – which comes with upsides and downsides. Digitizing everything into data streams is creating new requirements as well as services.

    Unfortunately, evidence shows that many IoT device manufacturers have neglected to implement basic security standards. Attacks on these devices can have a real nasty impact. Worse, the vendors may not have the distribution infrastructure for timely updates to correct lapses. Like the mobile platform, attackers may begin to venture onto IoT platforms as these devices multiply.

    Cloud Architecture

    Both cloud and mobile computing are promoting the growth of centralized applications that can retrieve and sync data across multiple devices. This synchronization delivers the same experience across all devices, and allows users to pick up where they left off.

    While many of these cloud services state that they’re using encryption to retrieve and sync the data, there’s been some evidence that some of these services aren’t actually implementing encryption correctly. One example is not enabling Certificate Pinning in SSL; because of this, the experience isn’t necessarily secure or private to the outside world.

    Web-scale IT

    Web-Scale IT is a philosophy that organizations will begin adopting as they begin to think, act, and build both applications and infrastructure for the future. According to Gartner, this will happen slowly, as commercial hardware becomes ready to drive their cloud based needs and software.

    However, it’s become clear that as more organizations deploy their hardware and software to the cloud, the security used to protect such devices and applications isn’t up to snuff. Many organizations are having a hard time finding candidates that have experience with cyber security or even the skill set. It’s now widely accepted that the edge defense approach towards security is no longer an option. Organizations are finding it quite difficult to provide a secure environment across everything, not only internally but externally as well.

    Not to worry, however: we’ve gathered a few helpful tips that can help you stay secure and safe while online.

    Top 5 Tips of 2015 for Online Security

    1. Update, Update, Update!

    This is something we cannot stress enough to secure our online data. Numerous websites are compromised every day due to using outdated software and technology to run them. It is very important for every online business to update their website as soon as a new plugin or CMS version is available. Unless you are running a website firewall like Cloud Proxy, you’ll need to update as soon as updates are released.

    2. Make Your Password Strong Enough

    SplashData’s annual list compiles the millions of stolen passwords made public throughout the year and assembles them in order of popularity. The 25 most common passwords of 2014 have already been stolen, and hackers can easily get all the information by using those common passwords. This clearly indicates that when it comes to choosing a password there are 3 key requirements that should always be followed: complex, long, and unique.

    Another good function to look into is “2FA” – or Two Factor Authentication. This is a mechanism for logging into an account that leverages a password as well as another method, such as an email confirmation or a secret code sent via text message.

    3. Never Host More Than One Site on a Single Server

    The majority of people in the online world fall victim to choosing the “Unlimited Hosting” plan for their online business and end up hosting all their various sites on a single server. Unfortunately this is one of the worst security practices we commonly see. Hosting many sites in the same location creates a very large attack surface.

    For example, a server containing one site might have a single WordPress install with a theme and 10 plugins that can be potentially targeted by an attacker. If you host 5 sites on a single server, an attacker might now have three WordPress installs, two Joomla installs, five themes and 50 plugins that can be potential targets.

    To make matters worse, once an attacker has found an exploit on one site, the infection can spread very easily. Not only can this result in all your sites being hacked at the same time, it also makes the cleanup process much more time consuming and difficult. After the cleanup is successful, you now have a much larger task at hand when it comes time to recover from the attack. So it’s better if you can use one hosting server for each website.

    4. Server Configuration Files

    You should really get to know your web server configuration files. Apache web servers use the .htaccess file, Nginx servers use nginx.conf, and Microsoft IIS servers use web.config. Most often found in the root web directory, these files are very powerful and quite confusing. It’s these files that allow you to execute server rules, including directives that improve your website security.

    Here are a few rules that I recommend you research and add for your particular web server:

    • Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution.
    • Prevent image hotlinking: While this isn’t strictly a security improvement, it does prevent other websites from displaying the images hosted on your web server. If people start hotlinking images from your server, the bandwidth allowance of your hosting plan might quickly get eaten up displaying images for someone else’s site.
    • Protect sensitive files: You can set rules to protect certain files and folders. CMS configuration files are one of the most sensitive files stored on the web server as they contain the database login details in plain text.

    5. Install SSL Certificate

    An SSL Certificate isn’t required, but it’s highly recommended as more users are connecting and transmitting data. The reason for getting an SSL Certificate installed on your website is that it will encrypt any information transmitted to and from your server. Even basic data can be used to identify you or your site’s users, and it’s important to provide them with security. Just think of all the personal information that could be at risk of being stolen and used.

    An SSL Certificate is especially important for E-Commerce sites and other related sites that accept form submissions with sensitive user data or Personally Identifiable Information (PII).

    New PCI Standards Require Abandoning SSL 3.0 and TLS 1.0
    https://www.thesslstore.com/blog/new-pci-standards-require-abandoning-ssl-3-0-and-tls-1-0/
    Fri, 12 Jun 2015 04:41:29 +0000

    PCI Standards Require Abandoning SSL 3.0 and TLS 1.0

    New guidelines dictating the requirements for PCI Compliance, version 3.1 of PCI Data Security Standards (PCI DSS), were released in April. These guidelines must be followed by all companies who take payments over the Internet. A key part of the new PCI DSS is stricter requirements around the use of TLS (SSL).

    PCI DSS v3.1 states that SSL 3.0 and TLS 1.0 “can no longer be used as a security control after June 30th, 2016.” This means that disabling these protocol versions is required in order to be compliant with handling sensitive cardholder data.

    Any time we discuss protocols, we like to remind our readers that the true name of the modern protocol is Transport Layer Security (TLS), not SSL. The most recent version of the protocol is TLS 1.2, and the last version to be released under the name “SSL”, was SSL 3.0 way back in 1996.

    After the POODLE attack was discovered late last year, SSL 3.0 was effectively retired. The newest versions of most modern browsers no longer support SSL 3.0, and everyone should check their servers to make sure they have disabled support for that insecure protocol.

    Disabling protocol versions is easy – once you locate where your server stores the configuration settings for SSL, it takes less than a few minutes to update. The hard part of meeting these requirements will be to make a risk assessment of your user base to determine if removing TLS 1.0 support will be problematic.

    Remember that PCI DSS dictates technical requirements and procedures for servers that are directly handling user payment information, personal records, and administrative access. So if you do not take payments directly – but instead use a provider such as Paypal, Authorize.net, or Square, you may not have to be PCI Compliant. For companies who do handle payments directly, it’s not necessarily required to make these changes network wide. For many networks and companies this will ease compliance.

    So, if you are affected by these changes, how much time do you have?

    The deadline for ending support for SSL 3.0 and TLS 1.0 is June 30th, 2016, just about a year from now. However this comes with some caveats. “Effective immediately, new implementations must not use SSL or [TLS 1.1],” and existing implementations must have a “formal Risk Mitigation and Migration Plan in place.”

    So while the hard deadline on abandoning these old SSL protocols is about 12 months away, the easiest option will be to migrate from these protocol versions now.

    The PCI Security Standards Council suggests you only support TLS 1.2 for optimal configuration. This is because all protocol versions except for TLS 1.2 are vulnerable, though you may find users’ devices do not support this version, so for practical purposes this may not be possible. If you do keep TLS 1.1 enabled, make sure you optimize your configuration to avoid potential security flaws.

    If you or your clients handle user data which requires PCI compliance, you will want to consult directly with their new PCI DSS v3.1 Standards, available here:
    https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

    A summary of the changes specifically affecting SSL is available here:
    https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information%20Supplement_v1.pdf

    Symantec Increases Pricing for SSL Certificates in Japan
    https://www.thesslstore.com/blog/symantec-increases-pricing-for-ssl-certificates-in-japan/
    Tue, 14 Apr 2015 05:17:01 +0000

    On April 14th, 2015, Symantec officially announced increased prices for their brands of SSL Certificates. As The SSL Store™ is a top web security partner of Symantec, we informed our Japan-based customers and partners that we also have to comply with this new regulation and adjust our pricing for SSL certificates with .JP domain names.

    Symantec Japan

    When you purchase an SSL Certificate, our system will now require an extra surcharge when you go to create a CSR and your domain name contains a .JP extension or the administrative, billing or organizational address is located in Japan. This is mandatory for all Symantec partners around the world.

    There’s No Surcharge If Your Website Is Hosted In Japan

    International domain names that are hosted in Japan are not affected and won’t incur any additional surcharge. You may continue to place an SSL Certificate order for your international domain name hosted in Japan, without any surcharge being applied to your order.

    Customer FAQs for New Symantec Japan Pricing:

    1. Why is Symantec Increasing their Japan Pricing for SSL Products?
       Symantec advised their partners that the pricing would be aligned and adjusted to encourage and reward in-market focus, investment, and support for all Symantec SSL Certificates sold to Japan.

    2. Which SSL Brands are affected by this new Japan pricing announcement?
       All RapidSSL, GeoTrust, Thawte and Symantec products have new Japan pricing.

    3. What happens if I order an SSL Certificate for Japan but do not select the Japan Region?
       When you begin to configure your SSL Certificate, we check the above criteria. If you have not selected the Japan Region when ordering, our system will prevent you from completing the configuration of your certificate. You will then need to contact us to arrange either a refund or to adjust your order to the new pricing.

    4. Will The SSL Store™ offer a Price Match Guarantee to Japan Customers?
       As one of the largest SSL Certificate providers globally, The SSL Store™ sets the standard in offering a high quality SSL Certificate service and has adjusted its retail pricing structure to reflect fair and reasonable pricing. If you have found another supplier offering cheaper Japan pricing, we’ll match it.

    5. Does this New Pricing Also Affect Additional SANs (Subject Alternative Names) and Code Signing Certificates?
       Yes, you will need to pay an extra surcharge for additional SAN purchases if your domain name contains a .JP extension. And yes, Symantec Code Signing and Thawte Code Signing certificates are also affected by the new Japan pricing.

    Symantec SSL Certificates Now offer a FREE SAN for Base Domain Names.
    https://www.thesslstore.com/blog/symantec-ssl-certificates-now-offer-a-free-san-for-base-domain-names/
    Fri, 20 Mar 2015 09:40:42 +0000

    The world’s most trusted online security brand, Symantec, has just announced that they will now secure www and non-www domain names with a single SSL certificate, and it will be considered the same FQDN! This is big news for us and all of our partners and customers.

    Finally, all Symantec SSL certificates will now consider the base domain as a free SAN or Subject Alternative Name, which simply means you can secure both versions of your website, www.name-of-site.com and name-of-site.com, with a single Symantec SSL Certificate. This is an easy way to reduce the cost and time of managing multiple certificates for one website.

    As the world’s leading brand, Symantec is always thinking about their partners’ and customers’ well-being and implementing new features like this to provide the best web security solutions on the planet. Symantec SSL certificates secure the majority of websites in the world and boast the strongest encryption, unparalleled brand recognition, and a free Norton Secured Seal, which is just icing on the cake if you ask me.

    Here are the 3 use cases for Symantec SSL certificates:

    • When you enroll with the Common Name as www.name-of-site.com, Symantec SSL now automatically secures and adds the non-www version of the same domain (name-of-site.com) as a SAN for free.
    • When you enroll the Common Name as name-of-site.com, Symantec will automatically add www.name-of-site.com as a free SAN.
    • For a wildcard certificate: When the enrolled Common Name is *.name-of-site.com, Symantec will automatically add name-of-site.com as a free SAN.

    Details/Examples:
    1) When the Common Name is www.name-of-site.com

    Symantec SSL will add the common name’s base domain as a SAN value for all certificates where the common name begins with “www” and does not contain sub-domains.

    –  It’s free and it does not count as part of the max # of allowed SAN
    –  Of course, it will only be added if TLD is valid.

    | TLD Domain Types | Example of Domain Names | Add base domain as a SAN value? |
    |---|---|---|
    | 1-level TLD (such as a gTLD) | www.domain.com | Yes – add domain.com |
    | 1-level TLD (such as a gTLD) | www.subdomain.domain.com | No |
    | 2-level TLD (such as a ccTLD) | www.domain.co.uk | Yes – add domain.co.uk |
    | 2-level TLD (such as a ccTLD) | www.subdomain.domain.co.uk | No |
    | Internal host/IP | server.local | No |

    2) When Common Name is domain.com

    Symantec SSL certificates automatically add “www” to the common name’s domain as a SAN value for all certificates where the common name is a simple domain name without any sub-domains.

    –  It’s free and it does not count as part of the max # of allowed SAN
    –  Of course, it will only be added if TLD is valid.

    | TLD Domain Types | Example of Domain Names | Add base domain as a SAN value? |
    |---|---|---|
    | 1-level TLD (such as a gTLD) | domain.com | Yes – add www.domain.com |
    | 1-level TLD (such as a gTLD) | www.subdomain.domain.com | No |
    | 2-level TLD (such as a ccTLD) | domain.co.uk | Yes – add www.domain.co.uk |
    | 2-level TLD (such as a ccTLD) | www.subdomain.domain.co.uk | No |
    | Internal host/IP | server.local | No |

    3) When Common Name is *.domain.com (Wildcard SSL)

    Symantec SSL certificates automatically add the common name’s base domain as a SAN value for all certificates where the common name is a wildcard and does not contain sub-domains.

    –  It’s free and it does not count as part of the max # of allowed SAN
    –  Of course, it will only be added if TLD is valid.

    | TLD Domain Types | Example of Domain Names | Add base domain as a SAN value? |
    |---|---|---|
    | 1-level TLD (such as a gTLD) | *.domain.com | Yes – add domain.com |
    | 1-level TLD (such as a gTLD) | *.subdomain.domain.com | No |
    | 2-level TLD (such as a ccTLD) | *.domain.co.uk | Yes – add domain.co.uk |
    | 2-level TLD (such as a ccTLD) | *.subdomain.domain.co.uk | No |
    | Internal host/IP | *.server.local | No |
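
The three enrollment rules above can be written as one function, which is handy for checking that an issued certificate's SAN list covers the names you expect. This is an added example, not code from Symantec or The SSL Store; `SAMPLE_SUFFIXES` is a constructed stand-in for the Public Suffix List, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the Public Suffix List; a real check would load the
# full list. "local" is deliberately absent, so internal names never match.
SAMPLE_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "jp", "co.jp"}


def split_registrable(host):
    """Return (prefix_labels, base_domain), or None if no valid TLD matches."""
    labels = host.split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" wins over "uk" for www.domain.co.uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SAMPLE_SUFFIXES:
            if i == 0:
                return None  # the name is itself a bare suffix
            return labels[:i - 1], ".".join(labels[i - 1:])
    return None


def free_san(common_name):
    """Name added as the free SAN under the rules in the tables, or None."""
    cn = common_name.strip().lower().rstrip(".")
    wildcard = cn.startswith("*.")
    host = cn[2:] if wildcard else cn
    try:
        ipaddress.ip_address(host)
        return None  # IP addresses get no free SAN
    except ValueError:
        pass
    parts = split_registrable(host)
    if parts is None:
        return None  # internal host or TLD not in the suffix list
    prefix, base = parts
    if wildcard:
        # *.domain.com gains domain.com; *.subdomain.domain.com gains nothing
        return base if not prefix else None
    if prefix == ["www"]:
        return base  # www.domain.com gains domain.com
    if not prefix:
        return "www." + base  # domain.com gains www.domain.com
    return None  # any other sub-domain gains nothing


def missing_names(common_name, san_dns_names):
    """Names the rules say should be covered but are absent from the SAN list."""
    expected = {common_name.strip().lower()}
    extra = free_san(common_name)
    if extra:
        expected.add(extra)
    present = {n.lower() for n in san_dns_names}
    return sorted(expected - present)
```

Pass `missing_names` the common name and the DNS names read from a certificate's SAN extension; an empty list means both the enrolled name and its free SAN are present.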

    The following Symantec SSL products are enhanced by this change:

    | Symantec | Thawte | GeoTrust |
    |---|---|---|
    | Secure Site Pro with EV | SSL Web Server with EV | True BusinessID with EV |
    | Secure Site with EV | SGC Supercerts | True BusinessID |
    | Secure Site Pro | SSL Web Server | - |
    | Secure Site Wildcard | SSL Web Server Wildcard | True BusinessID Wildcard |
    | Secure Site SSL | SSL123 (DV But Allow) | - |

    *GeoTrust already offers domain.com as a free SAN when the common name is www.domain.com, but will now also add www.domain.com as a free SAN when the common name is domain.com.

    Airline Wi-Fi Provider Gogo Has Been Intercepting User Traffic
    https://www.thesslstore.com/blog/airline-wi-fi-provider-gogo-intercepting-user-traffic/
    Tue, 20 Jan 2015 04:00:29 +0000

    If you have ever flown on a US airline, chances are you have seen an advertisement for an in-flight Wi-Fi service provided by Gogo. While Gogo is certainly appealing to most travelers in this day and age, a revelation has come to light recently about this service that you should probably be aware of.

    This past week, Adrienne Porter Felt, a security engineer at Google, discovered that Gogo was using a fraudulent certificate in place of Youtube.com’s real SSL certificate. The certificate was a self-signed certificate issued by Gogo, being used in combination with a proxy server. This was easy to spot because of the SSL security measures in place that prevent connections from being established with a certificate issued by an untrusted provider.

    The purpose of this behavior is to insert their own proxy server between the user and Youtube.com, a technique known as a “man in the middle” (MITM) attack. By performing a MITM attack, Gogo was able to view users’ data unencrypted, for the purpose of throttling or blocking connections to the bandwidth-intensive video streaming site.

    Making sure users are not violating policy is fairly standard for Internet service providers. Because SSL encrypts internet traffic, it makes it harder for providers to monitor and restrict access on their networks. However, by MITMing traffic to Youtube, Gogo has stepped far over the boundaries of acceptable behavior, especially given available alternatives which protect user privacy.

    This is especially troubling given Gogo’s history. Neowin.com reports that “earlier this year, it was revealed through the FCC that Gogo partnered with government officials to produce ‘capabilities to accommodate law enforcement interests’ that go beyond those outlined under federal law.”3

    We hope it goes without saying, but just to be clear, The SSL Store™ does not support this action, or any other action(s) which undermine SSL security and user perception of security.

    For more on this story, please see this excellent write up by Rick Andrews of Symantec at CASecurity.org.

    3 http://www.neowin.net/news/gogo-inflight-internet-is-intentionally-issuing-fake-ssl-certificates

    4 & 5 Year SSL Certificates Being Discontinued in 2015
    https://www.thesslstore.com/blog/4-5-year-ssl-certificates-being-discontinued-in-2015/
    Wed, 17 Dec 2014 05:36:45 +0000

    On March 1st, 2015, The SSL Store™ will discontinue offering SSL certificates with validity periods of 4 and 5 years.

    This is in accordance with new guidelines set forth by the Certificate Authority/Browser (CA/B) Forum, the governing body of the SSL industry. This update will affect all SSL certificates in the industry, including the entire product catalogs of Symantec, Comodo, Thawte, GeoTrust, and RapidSSL. (EV certificates are already limited to a maximum of two years so they are not affected by this change).

    Please note that any active 4 or 5 year certificate that is reissued after the March 1st, 2015 deadline will automatically be truncated to the new maximum duration permissible, which is 39 months. Any active 4 or 5 year certificate that is reissued before this deadline will be unaffected. Therefore, The SSL Store™ strongly recommends that any new SSL purchase be for no more than a maximum of 3 years, in order to avoid any lost time and money due to a reissue.

    To help further prepare for this change, we have amended all of our product pages to include a new yellow drop down box that appears anytime a 4 or 5 year certificate is selected for purchase. The new drop down box briefly explains this new update and emphasizes that all 4 or 5 year certificates reissued after the March 1st deadline will be truncated to the new maximum industry standard of 39 months.

    Ultimately, this is good news for the SSL industry, as certificates with shorter lifespans make security updates much easier and more streamlined. So, recent updates like the SHA-2 upgrade, internal domain issuance, and more industry-wide enhancements that have become quite commonplace with SSL will be much less of a hassle.

    Also, certificates with shorter lifespans will offer more in the way of security, as companies will have to reaffirm their identities in a more timely fashion. It goes without saying that trust and security are of paramount importance to the SSL market, so any effort to enhance either of these components is good for the overall health of the market.

    We would advise all of our partners to begin informing their customers of this impending industry change. If you have any questions about deprecation of 4 and 5 year SSL certificates, please feel free to contact our Customer Experience department via support@theSSLstore.com, Live Chat on our website, or directly at +1 727-388-4240.

    10 Important Factors That Make Symantec™ SSL Certificates #1
    https://www.thesslstore.com/blog/10-secrets-that-make-symantec-ssl-certificates-number1/
    Tue, 16 Dec 2014 04:00:23 +0000

    Symantec™ Corporation is a US-based internet security & technology company, founded by Gary Hendrix in 1982. It’s a global and publicly traded company (NASDAQ: SYMC) dealing with many different sectors of the security industry, such as anti-virus applications, data storage & backup solutions, SSL certificates and other website security solutions.

    As per W3Techs’s (Web Technology Surveys) report, Symantec™ Corporation is the top Certificate Authority (CA) with the largest market share of almost 37.3%.

    Top 10 Reasons that Easily Make Symantec™ the #1 Choice:

    Here are a few important factors to consider about Symantec™ before choosing an SSL certificate provider.

    1. SSL Industry Leader: *****
      • Back in 2010, Symantec™ acquired the identity and authentication business from VeriSign™ which was the leader in SSL & Code Signing Certificate services at the time.
      • With a market share of more than 37.3%, Symantec™ was able to leverage the power of the Symantec™ and Norton brands to become the SSL security giant they are today, with the highest number of satisfied certificate customers spread all over the world.

    2. #1 Encryption and Cryptography Technology: *****

      Symantec™ offers industry-standard SSL certificates, all with a 2048-bit length and a strong encryption key length of up to 256-bit, as well as the latest and greatest encryption technology called ECC or Elliptic Curve Cryptography, which is stronger, lighter and faster. There are also premium features included with all of the Symantec™ branded certificates, such as a daily vulnerability assessment and malware scanner that ensures high-level website security on multiple fronts. It not only offers trusted & safe communication, it also greatly improves a user’s trust and confidence in sharing sensitive information or engaging with a website.

      All Symantec™ SSL certificates are powered with the SHA-2 hash algorithm. It consists of a set of 6 hash functions and carries hash values of 224, 256, 384 or 512 bits, which makes it very difficult for any hacker to even come close to breaking.

    3. Offers a Multi-Purpose Solution: *****

      Whether you need to secure a small/medium/large scale website, a software/file/application, an e-commerce website or a website with multiple domains and sub-domains, Symantec™ has a perfect security solution for all of these scenarios.

      Symantec™ offers:

      • Strong SSL encryption to protect any small/medium/large website, including the one-and-only ECC signed certs.
      • Code Signing certificates to protect code on any software, files and applications.
      • EV SSL certificates to secure & display security for e-commerce websites and online business transactions
      • Wildcard certificates to cost-effectively protect websites with multiple sub-domains and SAN SSL certificates to secure the multiple domain websites.
      • Vulnerability scanning & malware detection to take website security even further.

    4. Unprecedented Brand Power & Recognition: ****

      Symantec™ happens to own one of the most globally recognized internet security brands known to the world, Norton™. They were able to leverage this brand power and awareness established from the leading anti-virus software, Norton™ Anti-Virus, right into the SSL industry to help people actually know that they are on a safe & secure site protected by an established & trusted brand.

    5. A Fast Verification Process: ****

      Symantec™ offers one of the fastest and most streamlined verification processes.

      Once you’re done placing the order and sending the necessary documents to Symantec™, their highly experienced team will quickly be able to navigate through all of your documentation, to quickly issue your SSL certificate and have it ready for you to install it on your server.

    6. 24/7 Live Support from Experts: *****

      Compared to other Certificate Authorities (CAs), Symantec™ is leaps and bounds ahead of them when it comes to providing quick and responsive customer care & support if the need arises.

      Symantec™ provides:

      • Phone Support
      • Live Chat Support
      • E-mail Support
      • Quick SSL Installation Guides.
      • Social Media Support

      Symantec™ has a team of expert support representatives, who promptly assist their customers 24/7 via phone call, e-mail and live chat.

      Symantec™ also provides access to quick SSL installation guides to help users troubleshoot any SSL errors instantly.

      Customers can also directly reach out to Symantec™ by using various Social Media platforms. Their social media support team is active at all hours of the day.

    7. Eliminates Browser Security Alerts and Pop-up Messages: *****

      Symantec™ SSL certificates are designed not only to effectively secure websites, but also to eliminate browser errors. This way, when a user logs on to a website protected by Symantec™ SSL certificates, the browser runs the website without displaying any browser errors or warnings.

      If a software/application/file is protected with a Symantec™ Code Signing certificate, end-users won’t see pop-up error messages on any web-based or mobile based platforms during the installation process.

    8. Compatible with Modern Browsers: *****

      Symantec™ is committed to giving complete digital security for website/server/software. Whether it’s an older version browser or modern web browser, Symantec™ SSL certificates are highly compatible with all browsers including mobile browsers. Symantec has the best browser and mobile public root ubiquity of all CAs, which will enable an organization to better implement Always On SSL.

    9. Industry-Best Extended Warranty: *****

      Symantec™ is so confident about the encryption strength and infrastructure of its entire business and SSL product-line that it offers an unmatched and extremely high warranty amount to further enhance user confidence and trust. If your website is protected with a Symantec™ SSL certificate and it somehow fails as a result of their mishandling or wrongdoing, Symantec™ will, as per their company policy, cover the transactions affected up to the specified warranty amount. Their warranties are as high as $1,750,000, which is by far the largest in the industry.

    10. Advanced SSL Tools: *****

      Symantec™ offers advanced SSL tools for all of their customers, which helps install SSL certificates and check a detailed status of their SSL certificates.

      Symantec™ SSL Tools

      1. CSR Checker

        When you start installing your SSL certificate on the server, you first need to generate a CSR (Certificate Signing Request) for your server. After generating a CSR, you must check whether it will work for you. This ‘CSR Checker’ helps you to check the CSR that you have generated.

      2. SSL Checker – To check the installation of SSL certificate.

        After installing an SSL certificate on your server, you must check if it was installed properly. This SSL Checker tool helps you check the installation and status of your SSL certificate.

    Conclusion:

    In the wake of daily cyber-crimes, website security is a major concern for all web users. And after reading all the above factors, we can surely say that Symantec™ is the ultimate solution for securing websites, online business transactions, customers’ sensitive information and also for securing code for software/applications/files.
