Website Security Solutions
robertckl | 11 Aug 2014 | 0 comments

Introduction

From the server administrators of highly technical organizations, to the product managers of financial institutions, down to the one-man startups that just want to secure a shopping cart, at one stage or another the same question pops up: “They all do the same thing, so which one should we get?”

Fundamentally, all SSL certificates do the same job: they bind a public key to a domain name so that the SSL/TLS handshake can authenticate the server and set up an encrypted session. Correctly installed and configured, any of them will give you the https:// prefix and the padlock.

However picture this:

You want to buy a smartphone online. You see three sellers offering the same phone at different prices:

US$250 – Zero-star rating – no comments

US$375 – Three-star rating – 50% of the comments say things like “it arrived late” and “it was scratched”; the other 50% say “ok service” and “arrived on time”.

US$400 – Five-star rating – only good comments: “excellent service” and “fast and...

Rick Andrews | 08 May 2014 | 1 comment

Recent revelations from Edward Snowden about pervasive government surveillance have led to many questions about the safety of communications using the SSL/TLS protocol. Such communications are generally safe from eavesdroppers, as long as certain precautions are observed: for example, configuring your web server to disable SSL2 and SSL3, to favor newer versions of TLS such as TLS 1.2, to select strong cipher suites, and so on.
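The server-side settings the post recommends can be expressed and audited offline with Python's standard ssl module. The following is an added example, not code from the post or from Symantec: it builds a permissive context of the kind the post warns about next to a hardened one (TLS 1.2 minimum, forward-secret AEAD suites only, compression off) and audits both. The WEAK_MARKERS list is this example's own choice of substrings that mark a suite as weak, not a standard list. SSLv2 and SSLv3 cannot be enabled at all in current OpenSSL builds, so the audit reports them as off for both contexts; the minimum-version and cipher-suite checks are where the two differ.

```python
import ssl

# Substrings that mark a cipher suite as weak. This is the example's own
# choice (an assumption), not an official list.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "PSK", "SRP")


def permissive_context() -> ssl.SSLContext:
    """The 'accept whatever the library offers' setup the post warns against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # No minimum version is set, so the OpenSSL build's own floor applies
    # (this may still admit TLS 1.0/1.1), and every authenticated suite the
    # build knows, including RC4, 3DES and MD5 where compiled in, is offered.
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Configuration following the post's advice."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Nothing below TLS 1.2 (TLS 1.3 stays allowed).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS-level compression enables the CRIME attack; let the server, not the
    # client, pick the suite.
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    # Forward-secret key exchange with AEAD ciphers only; explicitly exclude
    # the legacy suites even though the positive part already leaves them out.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context will actually negotiate."""
    names = [c["name"] for c in ctx.get_ciphers()]  # includes TLS 1.3 suites
    sslv3_off = bool(ctx.options & ssl.OP_NO_SSLv3) or (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1
    )
    return {
        "min_version": ctx.minimum_version.name,
        "sslv3_off": sslv3_off,
        "suites": len(names),
        "weak_suites": sorted(n for n in names if any(m in n for m in WEAK_MARKERS)),
    }


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(label, audit(ctx))
```

Run it on the machine that terminates TLS and compare the "permissive" line with what your real server offers; a non-empty weak_suites list or a min_version below TLSv1_2 is the configuration gap the post is talking about.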

But even if your server is configured properly, you still must secure the private key associated with your SSL certificate. In nearly all cases, the web site owner generates their own key pair and sends only the public key, in a Certificate Signing Request, to their Certification Authority (CA). The CA (and any eavesdropper) sees only the public key, and the private key cannot be derived from it. So the CA cannot reveal a web site owner’s private key to a government or an attacker, even if coerced to do so.

After your SSL certificate has expired and been replaced with a new key pair...

Brook R. Chelmo | 16 Apr 2014 | 1 comment

Over the past week, news about the Heartbleed OpenSSL vulnerability has drawn some comparisons, and shown some differences, with the Y2K bug; remember that? In early 1999 there were stories of people building survival bunkers in the basements of their homes to prepare for the potential fallout from the Y2K bug. As you may recall, IT companies scrambled, airlines were fraught with angst, and governments paid very large sums of money to ensure the sky wouldn’t fall down on us. As we know now, New Year’s Day 2000 came and went with nary a hitch, although companies were left to pay some hefty Y2K consultant bills (it was reported at the time that AT&T paid over $500...

Tom Powledge | 09 Apr 2014 | 11 comments


This week a vulnerability dubbed “Heartbleed” was found in the popular OpenSSL cryptographic software library (http://heartbleed.com). OpenSSL is widely used, by web servers such as Apache and Nginx and by many other applications. OpenSSL versions 1.0.1 through 1.0.1f contain this vulnerability, which attackers can exploit to read memory of the affected systems. Access to that memory could give attackers the server’s secret keys, allowing them to decrypt and eavesdrop on SSL-encrypted communications and to impersonate service providers. Data in memory may also contain other sensitive information, including usernames and passwords.
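To make the “read the memory” claim concrete, here is an added example (a stripped-down model written for this page, not OpenSSL’s code) of how a TLS heartbeat request was handled by the vulnerable versions and by the fix. Process memory is modelled as a bytes object: the heartbeat record sits at offset 0 and is followed by a constructed stand-in for whatever else the process held. A heartbeat message is a one-byte type, a two-byte payload length, the payload and at least 16 bytes of padding; the vulnerable code copied payload_length bytes into the reply without checking that they fit inside the record it had actually received.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING = b"\x00" * 16  # the heartbeat extension requires at least 16 bytes

# Constructed stand-in for neighbouring process memory (not real data).
NEIGHBOURING_MEMORY = b"session-key=0xDEADBEEF;user=alice;pw=hunter2"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """type(1) | payload_length(2) | payload | padding.
    An honest peer sets claimed_length == len(payload); an attacker sets it larger."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + PADDING


def vulnerable_respond(memory: bytes, record_length: int) -> bytes:
    """Model of OpenSSL 1.0.1 through 1.0.1f: trust payload_length and copy that
    many bytes after the 3-byte header into the reply, never comparing it with
    record_length (how many bytes actually arrived)."""
    _hb_type, payload_length = struct.unpack("!BH", memory[:3])
    return memory[3:3 + payload_length]   # over-reads past the record


def fixed_respond(memory: bytes, record_length: int):
    """Model of the fix: discard any request whose claimed payload plus header
    and padding does not fit inside the received record."""
    _hb_type, payload_length = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_length + 16 > record_length:
        return None                        # silently drop the request
    return memory[3:3 + payload_length]


def run_demo() -> dict:
    payload = b"hello"
    honest = build_heartbeat(payload, len(payload))
    malicious = build_heartbeat(payload, 0xFFFF)   # largest 16-bit length
    return {
        "honest_vulnerable": vulnerable_respond(honest + NEIGHBOURING_MEMORY, len(honest)),
        "honest_fixed": fixed_respond(honest + NEIGHBOURING_MEMORY, len(honest)),
        "malicious_vulnerable": vulnerable_respond(malicious + NEIGHBOURING_MEMORY, len(malicious)),
        "malicious_fixed": fixed_respond(malicious + NEIGHBOURING_MEMORY, len(malicious)),
    }


if __name__ == "__main__":
    for label, reply in run_demo().items():
        print(f"{label:22s} {reply!r}")
```

With an honest request both versions echo the five-byte payload. With the oversized length the vulnerable model returns the payload, the padding and then everything that followed the record in memory, which is the leak described above; the fixed model returns nothing. In the real library the over-read walked through the heap of the TLS process, which is where private keys and session data live.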

Heartbleed is not a vulnerability with SSL/TLS, but rather a...

Elliot_Samuels | 04 Apr 2014 | 1 comment


If you need an SSL certificate to protect your website or some other business-critical application such as email or storage systems, then you need to remember your ABCDs.

A is for the Appropriate certificate

There are a few different types of SSL certificate out there for different applications. For example, there are Unified Communications Certificates (UCC) and code signing certificates. But the most common type is designed to secure a website: to authenticate it and to encrypt the traffic between the site and the user.

Within this group there are SSL Wildcard certificates, which are ideal if you want to protect multiple subdomains of the same domain, for example if you had separate sites for different languages such as uk.company.com and us.company.com.

For other certificates, you have a choice of Extended Validation certificates which give site...

Jane Broderick | 26 Mar 2014 | 0 comments

‘The attacker still has the upper hand,’ says the Dutch government’s most recent Cyber Security Report. The report continues: attackers are getting smarter, more devices are being connected to the internet, and yet many incidents could have been prevented by implementing basic security measures.

The human and business consequences are high. In 2011, for example, internet banking fraud alone resulted in Dutch losses of €35 million, according to the report. In 2013, over 3 million Dutch citizens said that they had been victims of cybercrime in the previous 12 months, according to the Norton Cybercrime Report.

In 2012, one in eight Dutch adults were the victim of cybercrime,...

Elliot_Samuels | 05 Mar 2014 | 4 comments

Do you have any intranet sites with a domain name like https://intranet.local? Or a mail server with an address like https://mail? These kinds of internal-only domain names are very common, but they pose a real problem.

SSL certificates on an intranet

Symantec, the other Certification Authorities (CAs) and the browser vendors that make up the CA/Browser Forum have decided to stop issuing SSL certificates, chained to a public root, for names that cannot be resolved in the context of the public internet.

This means that domain names need to be globally unique and not just unique on your network. So if you have a .local domain that you use internally, you will soon no longer be able to purchase a validated SSL certificate for this name.

With the emergence of new gTLDs, such as .london, and the likelihood that many of the very common names used to identify server...
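Before ordering a certificate it is worth scanning the list of names you intend to put in it for the ones a public CA will now refuse. The following is an added example, not code from the post or from Symantec, of such a pre-check using only Python's standard library. It flags the cases the post describes: reserved (non-public) IP addresses, single-label host names such as mail, and names whose top-level label does not exist in public DNS. The PUBLIC_TLDS set is a small constructed sample that stands in for the IANA root zone list; a real check must load the current list, precisely because new gTLDs such as .london turn names that used to be internal into public ones. The check does not prove that a name under a public TLD is actually registered to you; domain validation by the CA still does that.

```python
import ipaddress

# Assumption: a short constructed sample standing in for the full IANA root
# zone list. Load the real, current list in production.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "nl", "info", "london"}


def is_internal_name(name: str) -> bool:
    """True for names a publicly trusted CA can no longer certify: reserved IPs,
    single-label hosts, and names under a suffix that does not exist in public DNS."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):            # wildcard: classify the base name
        name = name[2:]
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        pass                             # not an IP literal, carry on
    else:
        return not ip.is_global          # RFC 1918, loopback, link-local, ...
    if "." not in name:
        return True                      # e.g. "mail", "intranet"
    tld = name.rsplit(".", 1)[1]
    return tld not in PUBLIC_TLDS        # e.g. ".local", ".corp", ".lan"


def internal_names(subject_alt_names) -> list:
    """Names from a planned certificate's SAN list that should be removed."""
    return [n for n in subject_alt_names if is_internal_name(n)]


if __name__ == "__main__":
    # Constructed sample SAN list for a certificate request.
    planned = ["www.company.com", "mail", "intranet.local", "192.168.0.10",
               "*.company.com", "intranet.london"]
    print("reject:", internal_names(planned))
```

Note the last sample name: intranet.london would have been an internal name before the .london gTLD existed and is a public name afterwards, which is why the TLD list must be kept current rather than hard-coded.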

Jimmy Edge | 27 Feb 2014 | 4 comments

  1. Choosing based on price. Not all certificate authorities (CAs) are the same. The security of your certificates depends in part on how secure the CA is, so it pays to choose wisely. In addition, when you’re installing new SSL certificates you need a company that can provide a full range of services and the backup to make the installation go smoothly. (Symantec secures more than one million Web servers worldwide, more than any other Certificate Authority.)
  2. Not being prepared. Before you apply for a certificate, you will need...
Brook R. Chelmo | 18 Feb 2014 | 0 comments

For many website owners and network security admins, 2013 was the final push to move older websites and servers off 1024-bit RSA SSL certificates and onto 2048-bit RSA certificates. This was an industry-wide effort and one that was essential to safeguard the future of SSL/TLS. For us here at Symantec it was a year of education, communication and mobilization. Although many people were comfortable with SSL certificate administration and the basic functions of the technology, many did not understand the core aspects of SSL encryption. Our webinars, blogs and other publications on the subjects of algorithms and encryption levels became highly popular, and still are.

Now that 2013 has come to a close and the migration from 1024-bit SSL certificates is becoming a distant memory, it is time to turn your attention to hash algorithms (SHA-1 in particular) as we embark on another migration to higher cryptographic standards before 2017. Once again this is an industry-wide push to ensure...

Andy Horbury | 12 Feb 2014 | 3 comments

Code signing does two things: it confirms who the author of the software is and proves that the code has not been altered or tampered with after it was signed. Both are extremely important for building trust from customers and safely distributing your software.

Why does code signing matter?

556 million adults worldwide experienced some form of cybercrime in 2012, according to the Symantec Internet Security Threat Report. When you consider that the average loss per cybercrime incident is $197, it’s no wonder people are extremely careful when it comes to downloading executable files from the internet. That said, it’s worth doing whatever it takes to gain their trust: online distribution means you can distribute software updates faster, you broaden your potential customer base and you can considerably cut costs, since there is no postage or discs and packaging to...