Website Security Solutions
Brook R. Chelmo | 15 Oct 2014 | 7 comments


A bug has been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3) which could be exploited to intercept data that’s supposed to be encrypted between computers and servers. Three Google security researchers discovered the flaw and detailed how it could be exploited through what they called a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack (CVE-2014-3566).

It is important to note that this is NOT a flaw in SSL certificates, their private keys, or their design...

sanjaymodi | 13 Oct 2014 | 0 comments

The next change for SSL Certificates

Certificate Transparency (CT) is a Google initiative to log, audit, and monitor certificates that Certificate Authorities (CAs) have issued. CT’s intent is to prevent CAs from issuing public key certificates for a domain without the domain owner’s knowledge. Chrome support for CT requires that all CAs log all Extended Validation (EV) SSL certificates in publicly...

Stefano Rebulla | 17 Sep 2014 | 1 comment

Most of you reading this will immediately connect the acronym “RSA” with the encryption algorithm invented in 1977 by Rivest, Shamir and Adleman, which is still today the most widely adopted algorithm in Public Key Infrastructure (PKI) systems such as SSL. Its merits rest on a mathematical process that remains ingenious even by modern standards, but technology changes very quickly and the paint on the RSA algorithm is starting to crack. Some RSA key lengths have been successfully broken over the years, and RSA-1024 was deprecated by the industry for public CA use before any break could be proven, but it would only have been a matter of time.

Today’s regulations mandate a minimum of 2048 bits for keys in public SSL certificates, but since there is no randomization in the RSA process, continuing advances in the mathematics behind breaking RSA may eventually make attacks on longer key lengths feasible. This will not happen for the foreseeable future to 2048 bit keys,...

Brook R. Chelmo | 16 Sep 2014 | 0 comments

The latest news in the SSL and web browser industries is Google’s plan to deprecate SHA-1 in a unique way in upcoming releases of Chrome, starting with version 39. Considerably different from Microsoft’s plans announced in November 2013, Google plans to place visual warning marks or an outright block within the browser, depending on the browser version, the date of use and the certificate’s expiration date.

Here is what you need to know first:

  1. SHA-1 is still safe to use but critics say its long-term ability to stand up to collision attacks is questionable.
  2. SHA-2 is the next hashing algorithm to be used. If your end-entity or intermediate certificates are SHA-1, it might be a good idea to exchange them...

Charla Bunton-Johnson | 11 Sep 2014 | 0 comments

Guest Blogger: John Monnett, V.P. & Partner, Secure128
Website Security Platinum Partner


Shopping Cart Abandonment is a Staggering 70%

In 2014 we’re living through an online revolution. When I started my university undergrad work in 1991, there was virtually no such thing as “e-commerce” as we know it today. In 2014, worldwide business-to-consumer ecommerce sales are estimated to reach nearly $1.5 Trillion.

How can those of us SMB owners capture a share of the ecommerce market most efficiently? There are many contributors to that conundrum, but one of the simplest ways to decrease website shopping cart abandonment is by...

Charla Bunton-Johnson | 18 Aug 2014 | 0 comments

Websites using HTTPS boosted in Google rankings

Often considered the backbone of global business, SMBs are a unique mix of entrepreneurial drive, daring ingenuity and highly customer-centric practices.

SMBs need to compete in the virtual marketplace with players of all sizes, where square footage doesn’t matter; they are forever seeking ways to stay competitive. One arena where they have a greater chance to level the playing field is in the virtual marketplace. They have more opportunities to take advantage of a variety of digital platforms, from Web-based businesses and social media outlets to SEO to mobile devices, all for a faster time to market. The Internet allows SMBs to use their limited budgets in ways that they can impress customers and help their brand become more relevant and recognized—even amidst enterprises with extensive budgets and brand...

robertckl | 11 Aug 2014 | 0 comments

Introduction

From the server administrators of highly technological organizations, to product managers of financial institutions, down to the one-man startup companies that just want to secure their shopping cart, at one stage or another the same question pops up: “They all do the same thing, so what should we get?”

Fundamentally, all SSL certificates do the same thing: they encrypt information during SSL/TLS negotiations. Correctly installed and configured, both https:// and the padlock will show.

However picture this:

You want to buy a smartphone online. You see three sellers offering the phone at different prices:

US$250 – Zero star rating – no comments

US$375 – Three star rating – with 50% of comments such as “it arrived late” and “it was scratched”, and the other 50% of the comments such as “ok service” and “arrived on time”.

US$400 – Five star rating – with only good comments: “excellent service” and “fast and...

Rick Andrews | 08 May 2014 | 1 comment

Recent revelations from Edward Snowden about pervasive government surveillance have led to many questions about the safety of communications using the SSL/TLS protocol. Such communications are generally safe from eavesdroppers, as long as certain precautions are observed: for example, configuring your web server to avoid using SSL2 and SSL3, favoring newer versions of TLS like TLS 1.2, selecting strong ciphersuites, and so on.

But even if your server is configured properly, you still must secure the private key associated with your SSL certificate. In nearly all cases, the web site owner generates their key pair and sends only the public key to their Certification Authority (CA). The CA (and any eavesdropper) sees only the public key, and the private key cannot be derived from that. So the CA cannot reveal a web site owner’s private key to the government or an attacker, even if coerced to do so.

After your SSL certificate has expired and been replaced with a new key pair...

Brook R. Chelmo | 16 Apr 2014 | 1 comment

Over the past week, news about the Heartbleed OpenSSL vulnerability bears some similarities, and also some dissimilarities, to the Y2K bug; remember that? In early 1999, there were stories of people building survival bunkers in the basements of their homes in order to prepare for the potential fallout from the Y2K bug. As you may recall, IT companies scrambled, airlines were fraught with angst, and governments paid very large sums of money to ensure the sky wouldn’t fall down on us. As we know now, New Year’s Day 2000 came and went with nary a hitch, although companies were left to pay some hefty Y2K consultant bills (it was reported at the time that AT&T paid over $500...

Tom Powledge | 09 Apr 2014 | 11 comments


This week a vulnerability dubbed “Heartbleed” was found in the popular OpenSSL cryptographic software library (http://heartbleed.com). OpenSSL is widely used, often with applications and web servers like Apache and Nginx. OpenSSL versions 1.0.1 through 1.0.1f contain this vulnerability, which attackers can exploit to read the memory of affected systems. Gaining access to that memory could provide attackers with secret keys, allowing them to decrypt and eavesdrop on SSL-encrypted communications and impersonate service providers. Data in memory may also contain sensitive information, including usernames and passwords.

Heartbleed is not a vulnerability with SSL/TLS, but rather a...