Now more than ever it’s time to move to HTTPS – not just because it’s the secure “cool” thing to do, but because it’s also becoming the standard rather than an afterthought. Scans and crawls in the last six months show HTTPS is growing by leaps and bounds. The barriers that kept people from implementing SSL-based security are things of the past. We now have access to newer and faster protocols, better browser warnings, and many more providers using HTTPS as their standard.
This rapid adoption of HTTPS is not limited to government websites or online shopping. Do you use WordPress to publish your blog posts? WordPress is now rolling out default encryption too.
Just last week my buddy Tom wrote a bit about Google labeling websites without a properly installed digital certificate as “Not Secure”, and this week noted security figure Troy Hunt declared we’ve reached the HTTPS tipping point. Isn’t it time you adopted HTTPS for your site too?
Please contact SSL.com and find out how we can help you secure your site today.
With a thoughtful, yet decided, hand Google is ushering in a new age of secure Internet communications. Starting this month with the release of Chrome 56, Google will label websites without a properly installed digital certificate as “Not Secure”. Initially, only websites that accept passwords or credit information over HTTP will receive the warning label to the left of the address bar.
But the changes won’t stop there. With the resounding battle cry of “HTTPS everywhere!” the internet behemoth has been urging increased security on the net since June of 2014. “Eventually,” said Google in their September 2016 blog post, “we plan to label all HTTP pages as non-secure, and change the HTTP security indicator to the red triangle that we use for broken HTTPS.”
2017 will be an exciting year for the digital certificate community. One thing we expect to see: more widespread adoption of Certification Authority Authorization (aka CAA).
CAA lets the owner of a domain name designate a specific Certificate Authority (CA), such as SSL.com, as the one permitted to issue digital certificates for their domain name. This protects websites by helping to prevent the mis-issuance of unauthorized certificates.
CAA works by adding Certification Authority Authorization Resource Records (CAA records) to the domain’s zone in the Domain Name System (DNS). These records instruct CAA-compliant certificate authorities how to process certificate requests for that domain. CAA is easy to implement and control: since the owner of any domain already maintains DNS records (for instance, to point their domain name to the IP address where their site is hosted), they simply add or edit CAA records alongside their other DNS records.
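As an added illustration (not SSL.com’s code), the following Python shows how a CAA-compliant CA decides whether it may issue for a name: it climbs from the requested name toward the root to find the relevant record set (so a subdomain’s own records override its parent’s), lets `issuewild` govern wildcard requests, and refuses to issue when a critical property it does not understand is present, following the RFC 6844 rules. The zone data is a constructed sample, not real DNS.

```python
from typing import Dict, List, Optional, Tuple

# One CAA record: (flags, tag, value). Flag bit 128 is the "issuer critical" bit.
CAA = Tuple[int, str, str]
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (not real DNS data), keyed by fully-qualified owner name.
SAMPLE_ZONE: Dict[str, List[CAA]] = {
    "example.com.": [
        (0, "issue", "ssl.com"),
        (0, "issuewild", ";"),                    # empty issuer: no wildcard certs at all
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [
        (0, "issue", "other-ca.example"),         # a subdomain's own set overrides the parent's
    ],
}

def relevant_records(zone: Dict[str, List[CAA]], name: str) -> Optional[List[CAA]]:
    """Climb from `name` toward the root; the first non-empty CAA set found is the relevant one."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        recs = zone.get(".".join(labels[i:]) + ".")
        if recs:
            return recs
    return None  # no CAA anywhere in the ancestry

def issuer_of(value: str) -> str:
    """The issuer domain is the part of the value before any ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone: Dict[str, List[CAA]], name: str, ca_id: str, wildcard: bool = False) -> bool:
    """Return True if CA `ca_id` is permitted to issue for `name` under the zone's CAA policy."""
    recs = relevant_records(zone, name)
    if recs is None:
        return True  # no CAA published: issuance is unrestricted
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in recs):
        return False  # critical property the CA does not understand: must not issue
    tag = "issuewild" if wildcard else "issue"
    entries = [v for _, t, v in recs if t == tag]
    if wildcard and not entries:
        entries = [v for _, t, v in recs if t == "issue"]  # no issuewild: issue governs wildcards too
    if not entries:
        return True  # relevant set restricts nothing (e.g. only iodef)
    return any(issuer_of(v) == ca_id.lower() for v in entries)
```

To check a real domain, feed the records returned by `dig CAA <domain>` into the same structure in place of the sample zone.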
Widespread use of CAA can reduce the risk of certificate mis-issuance and protect your domain, website, business and online identity.
The downside: not all certificate authorities currently support CAA (it is currently recommended but not required) and until all CAs adopt CAA it can’t stop every certificate mis-issuance.
That said, we expect CAA to see broader use in 2017, and SSL.com would like you to consider using CAA records for yourself. We’ve written an article to help give a more in-depth understanding of CAA, including how to set up your own CAA records. (If you want even more detail consult the original Internet Engineering Task Force Certification Authority Authorization standards document, RFC 6844 – be warned, it’s not for the faint of heart.)
And as always, please contact us to find out how SSL.com can help you with Certification Authority Authorization today!
On February 10th, Cisco Systems patched a serious vulnerability (a buffer overflow) in their Cisco ASA Software, used in firewalls, routers and other security appliances. The flaw could allow a remote, unauthenticated attacker to gain complete control of a targeted system.
With over a million devices in use on the Internet, it’s only a matter of time before nefarious organizations move to take advantage of this opportunity. Although Cisco reports no cases of “malicious use” of this vulnerability in the wild, the Internet Storm Center has noted a large increase in UDP traffic on the port considered most likely to be attacked, and we urge any and all customers of SSL.com that use Cisco ASA devices to update their firmware immediately.
Instructions on how to download the software update to correct this issue can be obtained directly from Cisco here.
A detailed technical report has also been released by security researchers from Exodus Intelligence (the discoverers of the exploit).
Image: Evan Amos
As Bruce Schneier and others have reported, your friends at the National Security Agency’s Information Assurance Directorate (IAD) recently issued a FAQ regarding their new Commercial National Security Algorithm Suite, intended to future-proof national security systems against the looming threat of quantum computing. Among their recommendations is the use of SHA-384 to sign certificates (a step up from SHA-2, the current industry standard).
One small issue with the IAD’s link to their FAQ – it throws this message when clicked:
A quick check at SSLShopper shows that the certificate for iad.gov uses an obsolete (and dangerous) SHA-1 signature, and apparently has a broken chain of trust to boot – problems serious enough to get red-flagged by all modern browsers.
Further proof, we guess, that security is tough to get perfect – even when you’re a branch of the NSA.
The (insecure-as-of-this-writing) link to the IAD FAQ is here – use at your own risk.