Cisco ASA Vulnerability – Patch Now!

On February 10th, Cisco Systems patched a serious vulnerability (a buffer overflow exploit) in their Cisco ASA Software, used in firewalls, routers and other security appliances. This threat could allow a remote, unauthenticated attacker to gain complete control of a targeted system. With over a million devices in use on the Internet, it’s only a matter … Continued

Encrypt As We Say, Not As We Do: The NSA and SHA-1 Certs

As Bruce Schneier and others have reported, your friends at the National Security Agency’s Information Assurance Directorate (IAD) recently issued a FAQ regarding their new Commercial National Security Algorithm Suite, intended to futureproof national security systems against the looming threat of quantum computing. Among their recommendations is the use of SHA-384 to sign certificates (a step … Continued

Update Your Privacy Settings

Your online security is important to us here at SSL.com. Inspired by Data Privacy Day, we’d like to remind you that one of the most important things you can do to protect yourself online is to update your privacy settings. It can be confusing to find out where to update these, so we have made … Continued

Data Privacy Day

Hey everyone, it’s Data Privacy Day. Data Privacy Day (DPD) is an annual international campaign held every January 28th to create awareness about privacy and protecting personal information online. DPD, as we know it now, started in the United States and Canada in January 2008, later being signed into law in 2014 (S.Res.337). Canada and … Continued

2017 will be an exciting year for the digital certificate community. One thing we expect to see: more widespread adoption of Certification Authority Authorization (aka CAA).

CAA lets the owner of a domain name designate a specific Certificate Authority (CA), like SSL.com, to issue digital security certificates for their domain name. This protects websites by helping to prevent mis-issuance of unauthorized certificates.

CAA works by adding small entries called Certification Authority Authorization Resource Records (CAA records) to the Domain Name System (DNS). These records instruct CAA-compliant certificate authorities how to process requests. CAA is easy to implement and control. Since the owner of any domain already maintains DNS records (to, for instance, point their domain name to the IP address where their site is hosted), they simply add or edit CAA records alongside their other DNS records.

Widespread use of CAA can reduce the risk of certificate mis-issuance and protect your domain, website, business and online identity.

The downside: not all certificate authorities currently support CAA (it is currently recommended but not required), and until all CAs adopt CAA it can’t stop every certificate mis-issuance.

That said, we expect CAA to see broader use in 2017, and SSL.com would like you to consider using CAA records for yourself. We’ve written an article to help give a more in-depth understanding of CAA, including how to set up your own CAA records. (If you want even more detail consult the original Internet Engineering Task Force Certification Authority Authorization standards document, RFC 6844 – be warned, it’s not for the faint of heart.)

And as always, please contact us to find out how SSL.com can help you with Certification Authority Authorization today!

On February 10th, Cisco Systems patched a serious vulnerability (a buffer overflow exploit) in their Cisco ASA Software, used in firewalls, routers and other security appliances. This threat could allow a remote, unauthenticated attacker to gain complete control of a targeted system.

With over a million devices in use on the Internet, it’s only a matter of time before nefarious organizations move to take advantage of this opportunity. Although Cisco reports no cases of “malicious use” of this vulnerability in the wild, the Internet Storm Center has noted a large increase in UDP traffic on the port considered most likely to be attacked, and we urge any and all customers of SSL.com that use Cisco ASA devices to update their firmware immediately.

Instructions on how to download the software update to correct this issue can be obtained directly from Cisco here.

A detailed technical report has also been released by security researchers from Exodus Intelligence (the discoverers of the exploit).

Image: Evan Amos

As Bruce Schneier and others have reported, your friends at the National Security Agency’s Information Assurance Directorate (IAD) recently issued a FAQ regarding their new Commercial National Security Algorithm Suite, intended to futureproof national security systems against the looming threat of quantum computing. Among their recommendations is the use of SHA-384 to sign certificates (a step up from SHA-2, the current industry standard).

One small issue with the IAD’s link to their FAQ – it throws this message when clicked:

[Image: IAD_SOL]

A quick check at SSLShopper shows that the certificate for iad.gov uses an obsolete (and dangerous) SHA-1 signature, and apparently has a broken chain of trust to boot – problems serious enough to get red-flagged by all modern browsers.

Further proof, we guess, that security is tough to get perfect – even when you’re a branch of the NSA.

The (insecure-as-of-this-writing) link to the IAD FAQ is here – use at your own risk.

Your online security is important to us here at SSL.com. Inspired by Data Privacy Day, we’d like to remind you that one of the most important things you can do to protect yourself online is to update your privacy settings. It can be confusing to find out where to update these, so we have made a single go-to page to save you time (and aggravation).

Follow the links below for instructions on viewing and changing your privacy settings in the most widely used sites, services and programs:

Shopping

Email & Voice Communication

Mobile/Location Services

Music

Photo & Video Sharing

Search Engines

Social Networks

Web Browsers

Hey everyone, it’s Data Privacy Day

Data Privacy Day (DPD) is an annual international campaign held every January 28th to create awareness about privacy and protecting personal information online.

DPD, as we know it now, started in the United States and Canada in January 2008, later being signed into law in 2014 (S.Res.337). Canada and the U.S. adopted the campaign from Europe’s Data Protection Day celebration that began after the signing of Convention 108 in 1981. (Of course, as I was gently reminded by my coworkers, every day is Data Privacy Day here at SSL.com.)

Here are a few tips from StaySafeOnline.org and DPD to help you stay safe.

As an addition this year, the National Cyber Security Alliance (NCSA), StaySafeOnline.org, and Data Privacy Day 2016 have included resources to assist victims of domestic violence. On this page, there are resources to assist individuals who have been or may still be at risk and would like to regain their personal information and an online presence.

SSL.com would like to wish everyone a safe and private 2016. If you have any questions, or if there are ways we can help you, please contact us at SSL.com.