Website Security Solutions
Showing posts in English
Elliot_Samuels | 05 Mar 2014 | 2 comments

Do you have any intranet sites with a domain name like https://intranet.local? Or a mail server with an address like https://mail? These kinds of internal-only domain names are very common, but they pose a real problem.

SSL certificates on an intranet

Symantec and the other Certification Authorities (CAs) and browser vendors that make up the CA/Browser Forum have decided to stop issuing SSL certificates, chained to a public root, for names that cannot be resolved in the context of the public internet.

This means that domain names need to be globally unique and not just unique on your network. So if you have a .local domain that you use internally, you will soon no longer be able to purchase a validated SSL certificate for this name.

With the emergence of new gTLDs, such as .london, and the likelihood that many of the very common names used to identify server...

Jimmy Edge | 27 Feb 2014 | 4 comments
  1. Choosing based on price. Not all certificate authorities (CAs) are the same. The security of your certificates depends in part on how secure the CA is, so it pays to choose wisely. In addition, when you’re installing new SSL certificates you need a company that can provide a full range of services and the backup to make the installation go smoothly. (Symantec secures more than one million Web servers worldwide, more than any other Certificate Authority.)
  2. Not being prepared. Before you apply for a certificate, you will need...
Brook R. Chelmo | 18 Feb 2014 | 0 comments

For many website owners and network security admins, 2013 was the final push to move older websites and servers off 1024-bit RSA SSL certificates and onto 2048-bit RSA certificates. This was an industry-wide effort and one that was essential to safeguard the future of SSL/TLS. For us here at Symantec it was a year of education, communication, and mobilization. Although many people were comfortable with SSL certificate administration and the base functions of the technology, many did not understand the core aspects of SSL encryption. Our webinars, blogs and other publications on the subjects of algorithms and encryption levels became highly popular, and still are.

Now that 2013 has come to a close and the migration from 1024-bit SSL certificates is becoming a distant memory, it is time to switch your mind to hash algorithms (e.g. SHA-1) as we embark on another migration to higher cryptographic standards before 2017. Once again this is an industry-wide push to ensure...

Andy Horbury | 12 Feb 2014 | 3 comments

Code signing does two things: it confirms who the author of the software is and proves that the code has not been altered or tampered with after it was signed. Both are extremely important for building trust from customers and safely distributing your software.

Why does code signing matter?

556 million adults worldwide experienced some form of cybercrime in 2012, according to the Symantec Internet Threat Security Report. When you consider that the average loss per cybercrime incident is $197, it’s no wonder people are extremely careful when it comes to downloading executable files from the internet. That said, it’s worth doing whatever it takes to gain their trust: online distribution means you can distribute software updates faster, you broaden your potential customer base and you can considerably cut costs since there is no postage or discs and packaging to...

Andy Horbury | 06 Feb 2014 | 1 comment

We’ve written about this subject in the past, but a recent conversation with a customer brought me back to it. We often talk in ominous tones about the perils of an infected website or an out-of-date SSL certificate (browser warnings, customers clicking away, and loss of reputation and trust), but how much of this is based on real customer behaviour?

The University of California, together with Google, recently undertook a study to track real-world clickthrough rates from browser security warnings in two of the most popular web browsers, Google Chrome and Mozilla Firefox. The results reveal a much more security-conscious population than you might expect.

Alice in Warningland

The study looked at the malware, phishing and SSL certificate...

Jimmy Edge | 29 Jan 2014 | 0 comments

Update, August 19 2014: Google has now said that the use of SSL is a positive ranking factor: "over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal." https://www-secure.symantec.com/connect/blogs/better-website-security-and-google-search-rankings-smb-s-always-ssl

‘I don’t know of any reason why you[r website] wouldn’t be able to rank with just HTTPS,’ says Matt Cutts of Google.

Always On SSL is a mechanism for ensuring that every interaction with every page of your website is encrypted from the moment a visitor arrives to the moment they leave. This goes beyond using SSL on transaction pages, like sign in...

Sven29 | 23 Jan 2014 | 1 comment

SSL certificates do more than encrypt data; they also authenticate websites. This is an important and fundamental function because it builds trust. Website visitors see the SSL padlock or HTTPS and they believe that the site is genuine.

In the fight against fake sites, phishing and fraud, trustworthy SSL certificates are essential.

This is why domain-validated certificates can be dangerous.

What is domain validation?

Certificate Authorities (CAs) will issue a domain-validated certificate to anyone who is listed as the domain admin contact in the WHOIS record of a domain name. They just send an email to the contact email address and that’s it.

It is the lowest level of authentication used to validate SSL certificates. Higher levels include organisationally-validated and extended validation certificates which require more detailed checks.

Why can...

Jimmy Edge | 16 Jan 2014 | 1 comment

A UK Government public awareness campaign, Cyberstreetwise.com, launched this week, aiming to help educate UK consumers and small businesses about online security. The campaign, running for three months via radio, outdoor and online advertising, offers tips to help people improve their performance online, and help keep important and personal information safe.

We know that most of the UK population are not doing enough to protect themselves, leaving themselves open for cybercriminals to access their data and abuse their personal info, tricking them into downloading malware.

Cyberstreetwise is advising people in the UK to adopt a few simple online behaviours to make them and their families safer, such as:

  1. Using strong, memorable passwords
  2. Installing...
Christoffer Olausson | 09 Jan 2014 | 1 comment

With the rise of cybercrime, companies are investing significant amounts in information security in order to protect themselves, their employees and partners, but in the end that might not be enough.

The most common technology used to protect confidential data in transit is Secure Sockets Layer (SSL). Yet is SSL encryption enough to protect a company from industrial espionage and other malicious activities that would lead to sensitive data falling into the wrong hands? It should be, but that is not always the case. Too many companies ignore the fact that they are responsible for the private key that is required to unlock their SSL certificate.

There are basically two key components to an SSL certificate: the public key and the private key. The public key is accessible for anyone to use and it is used to encrypt data. The private key is used by the company to decrypt the data, turning it into readable information. If an attacker has full access to the private key, then...

Elliot_Samuels | 19 Dec 2013 | 1 comment

If you use SSL certificates on intranet sites with internal server names, they may not work from 1 November 2015.

For companies with complex infrastructures, the change may be challenging, but now is the time to start getting ready.

Local vs. global address

Imagine you have a server on your network. It may have an IP address that is resolvable on the internet, but it’s more likely to have an address that is only valid on the local network, such as 192.168.1.1. It is also likely to have a domain name that is only resolvable on the local network, such as https://intranet.local or https://mail.

Certification challenges

Without unique domain names that can be resolved in the context of the public...