
Archive for the ‘ssl’ tag

SSL: Protecting Your Website and Customers   3 comments

Posted at Sep 6, 2016 @ 8:47am Web hosting


SSL certificates are essential for any website that sells something: they provide the confidentiality and authenticity that customers expect before they hand over payment details. Many shoppers will abandon a full cart and leave your virtual aisle if they notice that the site does not use one.

Secure Sockets Layer (SSL) is the protocol originally used to carry private information across the internet without exposing it. Its successor, Transport Layer Security (TLS), has replaced it in practice, but the certificate a site installs is still commonly called an "SSL certificate". Visitors can tell a connection is protected when the address begins with https:// and the browser shows a lock icon next to it. Banks and other major financial institutions have relied on SSL, first developed by Netscape in 1994, for many years.

 

How Does It Work?

Once the browser and the server have completed the SSL/TLS handshake, everything the browser sends is encrypted before it leaves the machine, so anyone tapping the connection sees only ciphertext, an undecipherable string of bytes. The server decrypts it on arrival back into its original form so that it can be read and used as intended, and the same happens in the other direction.

Data sent without SSL travels as plaintext. Anyone on the path between the two ends can read it and use it for whatever purpose they like, or alter it en route without either the sender or the recipient noticing that it has been changed.

The certificate also tells the browser who it is talking to. It binds the site's public key to its domain name, and the browser checks that the name in the certificate matches the address the visitor typed, so private data cannot be quietly diverted to an impostor site.

 

It Works Both Ways

Everything the site sends back is encrypted too: newsletters, promotional codes and vouchers, and any information exchanged during checkout that you do not want intercepted, stolen or altered en route.

 

Indirect Benefits

Using SSL certificates also helps your website's search engine optimization (SEO). In August 2014, Google announced that HTTPS is a ranking signal. It is a lightweight signal, so it will not outweigh the quality of your content, but it gives you an edge over otherwise similar websites, and Google has said it may strengthen the signal over time.

 

Differences

Single-domain certificates cover one host name. Wildcard certificates cover one level of subdomain under a domain: *.example.com covers shop.example.com and mail.example.com, but not a.b.example.com, and not example.com itself unless the bare domain is listed as a separate name (certificate authorities usually add it). Multi-domain certificates list several names, which may belong to entirely different domains.
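To make the difference between the three kinds concrete, here is an added example (not code from the original post) of the name-matching rule a browser applies to the Subject Alternative Name entries in a certificate. The certificate name lists in it are constructed, not real certificates. It goes a little beyond the paragraph above by also rejecting the malformed wildcards (*.com, sh*.example.com) that browsers refuse.

```python
"""Which host names does a certificate cover?

Added example for the single / wildcard / multi-domain distinction; it is not
code from the original post.  hostname_matches() applies the rules browsers use
when comparing a host name against the dNSName entries in a certificate's
Subject Alternative Name extension (RFC 6125 section 6.4.3).  The certificate
name lists at the bottom are constructed, not taken from real certificates.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name entry covers hostname.

    Rules enforced here:
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is honoured only as the whole leftmost label ("*.example.com");
        partial wildcards such as "sh*.example.com" are rejected
      * the wildcard matches exactly one label, so "*.example.com" covers
        "shop.example.com" but neither "example.com" nor "a.b.example.com"
      * a wildcard needs at least two labels after it, so "*.com" is refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # the wildcard must be the entire leftmost label, and the only one
    if len(p_labels) < 3:
        return False  # "*.com" would cover every .com host
    if len(h_labels) != len(p_labels) or not all(h_labels):
        return False  # the wildcard stands for exactly one non-empty label
    return h_labels[1:] == p_labels[1:]


def covering_name(cert_names, hostname: str):
    """Return the certificate name that covers hostname, or None.

    A browser walks the SAN list this way; if no entry matches, the connection
    is refused even though the certificate is otherwise valid.  That check is
    what stops traffic being diverted to a different (also certified) site.
    """
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


def certificate_kind(cert_names) -> str:
    """Classify a SAN list into the three kinds described in the post."""
    names = {n.lower().rstrip(".") for n in cert_names}
    if any(n.startswith("*.") for n in names):
        return "wildcard"
    return "single" if len(names) == 1 else "multi-domain"


# Constructed examples of the three kinds (these are not real certificates).
SINGLE_CERT = ["www.example.com"]
WILDCARD_CERT = ["*.example.com", "example.com"]  # CAs usually add the bare domain as a second name
MULTI_DOMAIN_CERT = ["example.com", "www.example.com", "example.net", "shop.example.org"]

if __name__ == "__main__":
    for cert in (SINGLE_CERT, WILDCARD_CERT, MULTI_DOMAIN_CERT):
        print(certificate_kind(cert), cert)
        for host in ("example.com", "shop.example.com", "a.b.example.com", "example.net"):
            print("   ", host, "->", covering_name(cert, host))
```

Run it as a script to see, for each constructed certificate, which of the four host names it covers; the None results for a.b.example.com under the wildcard certificate and for example.net under the single-domain certificate are exactly the connections a browser would refuse.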

Domain validation (DV) certificates involve the least checking. The certificate authority verifies only that the applicant controls the domain, typically by sending an email to an address associated with it, by asking for a DNS record, or by asking for a file to be placed at a URL on the site. Nothing is verified about who the applicant actually is, or where the information sent through the site ends up. Note that the encryption is the same for every type of certificate; the types differ in how much the certificate authority verifies about the applicant, not in how strongly the connection is protected.

Organization validation (OV) certificates involve a more thorough process: the certificate authority checks the applicant's credentials, confirms that the organization is a legally registered entity, and checks that its physical address matches the application. The organization's name then appears in the certificate, so a visitor who inspects it can see who is behind the site. Businesses should treat this as the minimum, because a DV certificate gives visitors no way to tell who they are dealing with.

Extended validation (EV) certificates undergo the most rigorous vetting before issuance, assuring visitors that the named organization is real and is entitled to operate the site; browsers currently display the organization's name prominently in the address bar for EV certificates. Sites that ask customers for especially sensitive information such as credit card numbers should use them.

 

Which Certificate to Get?

Websites with little traffic that ask visitors for nothing more personal than a username and password can get by with a domain validation certificate. The main benefits of going this route are that these certificates are cheaper and are issued within minutes.

However, if you receive or expect a decent amount of traffic, or ask visitors for financial information or other sensitive data such as addresses, telephone numbers or social security numbers, you should get at least an organization validation certificate.

Extended validation certificates provide the most thorough vetting and the most visible trust indicator, but they are also the most expensive and take the longest to issue. Medium to large organizations are the most likely to buy them, but you should consider one if you are, or plan to be, in that category.

At TurnKey Internet we offer SSL certificates on all of our hosting plans and include a free SSL certificate with every Reseller and SEO package. If you have any questions about which SSL solution is right for you or how to get started, feel free to email our support team (helpdesk@turnkeyinternet.net).


Written by David Maurer on September 6th, 2016


DROWN Attacks – Web Encryption No Longer Safe – Is My Web Site at Risk?   no comments

Posted at Apr 28, 2016 @ 9:07am Web hosting

Encryption fills the headlines with stories of Apple and the decoding of iPhones, but with all of today's security challenges and cyber threats it is getting hard to run a web site, computer or mobile device and still believe that your data is as private as you once thought. Encryption is what protects (hides) the details of what we do on the web, keeping your banking or purchasing data, and your online traffic in general, from prying eyes. Last month a new threat called DROWN was publicized which showed that many of the web sites you shop at, visit or use, which you thought were secure and private because of their https SSL encrypted access, were not so private after all.

DROWN, short for Decrypting RSA with Obsolete and Weakened eNcryption, is an example of a cross-protocol attack: it exploits weaknesses in the obsolete SSLv2 protocol to break TLS (Transport Layer Security). Using a server's SSLv2 implementation as an oracle, attackers can "decrypt passively collected TLS sessions from up to date clients." In simpler terms, an attacker can see what you are doing, your personal details and more, even though you thought you were protected by that SSL 'lock' symbol next to the address of the web site you were shopping at or visiting.

TLS is probably the most important security protocol on the internet. Almost every action you take online relies on some version of TLS: not just your browser reaching a web site, but plenty of behind-the-scenes traffic such as email transmission, database connections and file transfers between servers for backups.

Fortunately, the latest versions of OpenSSL disable SSLv2 by default. However, if your certificate and private key are also used by another service on the server that still accepts SSLv2, you could be at risk. The mail services (POP, IMAP and SMTP connections) are a common example.

In a DROWN attack, the attacker records TLS connections to a server, then sends specially crafted SSLv2 handshakes to a server that uses the same RSA private key and still speaks SSLv2, and uses its responses to decrypt the recorded TLS sessions. The vulnerable server does not have to be the one the victim talked to: if the key is shared between several servers or services, any one of them that accepts SSLv2 is enough, and the faster variant of the attack can also be used for a man-in-the-middle (MitM) attack against live connections.

Isn't SSLv2 deprecated? Why is this still a threat? Into the 2000s SSLv2 was still supported by browsers as a fallback protocol, and an attacker could easily trick a browser into using the older protocol. Thankfully, that is no longer an issue if you use a recent version of your web browser.

Browsers no longer support SSLv2, but many servers still do. A server configured for both TLS and SSLv2 uses the same RSA private key for both, so any bug in the SSLv2 protocol that involves the private key can undermine the security of TLS as well.
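The test at drownattack.com boils down to one question: does the service still answer an SSLv2 handshake? Below is an added example (not code from the original post or from drownattack.com) that asks exactly that of one host and port and, following the mail-service point above, can be pointed at every implicit-TLS port that shares the web server's key. The server reply it demonstrates against offline is constructed by hand, not captured from a real server.

```python
"""Does a service still speak SSLv2?  That is the precondition for DROWN.

Added example, not code from the original post or the drownattack.com checker.
It sends a raw SSLv2 CLIENT-HELLO and reports whether the server answers with
an SSLv2 SERVER-HELLO; any such answer means the RSA key behind the service
can act as a DROWN oracle for every service sharing that key.  Message layouts
follow the SSL 2.0 specification; SAMPLE_SERVER_HELLO is a hand-built reply.
"""
import os
import socket
import struct

# SSL 2.0 cipher kinds (3 bytes each).  The 40-bit export kinds are what the general
# DROWN attack needs; any SSLv2 support suffices for "special DROWN" on unpatched OpenSSL.
SSL2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_KINDS = {0x020080, 0x040080}
MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x01, 0x04


def build_client_hello(challenge: bytes = b"") -> bytes:
    """SSLv2 CLIENT-HELLO offering every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(kind.to_bytes(3, "big") for kind in SSL2_CIPHER_KINDS)
    # msg type, version 0x0002, cipher-specs length, session-id length, challenge length
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte record header, high bit set


def parse_server_response(data: bytes) -> dict:
    """Classify the first record the server sends back to our CLIENT-HELLO."""
    none = {"sslv2": False, "ciphers": [], "certificate": b""}
    if len(data) < 3:
        return dict(none, reason="empty reply")
    if data[0] in (0x15, 0x16):
        # TLS alert (0x15) or handshake (0x16) record: the server answered in TLS
        # rather than SSLv2, i.e. SSLv2 is switched off.
        return dict(none, reason="TLS record, SSLv2 refused")
    if data[0] & 0x80:  # 2-byte record header, no padding
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:               # 3-byte record header, third byte is the padding length
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    body = data[hdr:hdr + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return dict(none, reason="not an SSLv2 SERVER-HELLO")
    # type, session-id-hit, certificate-type, version, cert len, cipher-specs len, conn-id len
    _, _, _, version, cert_len, specs_len, _ = struct.unpack(">BBBHHHH", body[:11])
    cert = body[11:11 + cert_len]
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs) - 2, 3)]
    return {"sslv2": True, "ciphers": ciphers, "certificate": cert,
            "reason": "SSLv2 SERVER-HELLO, version 0x%04x" % version}


def assess(result: dict) -> str:
    """Turn a parsed reply into the verdict a site owner wants."""
    if not result["sslv2"]:
        return "not exposed via this service (%s)" % result["reason"]
    names = [SSL2_CIPHER_KINDS.get(c, hex(c)) for c in result["ciphers"]]
    verdict = "VULNERABLE: SSLv2 accepted, offering " + ", ".join(names)
    if EXPORT_KINDS & set(result["ciphers"]):
        verdict += " (export kinds present: usable as a general DROWN oracle)"
    return verdict


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, send the CLIENT-HELLO and parse whatever comes back.

    Works for services that start TLS immediately (443, 465, 993, 995).  STARTTLS
    ports such as 25 or 587 need the protocol's own STARTTLS command first.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_server_response(reply)


def _server_hello(cert: bytes, kinds, conn_id: bytes) -> bytes:
    """Serialise an SSLv2 SERVER-HELLO; used only to construct the sample below."""
    specs = b"".join(k.to_bytes(3, "big") for k in kinds)
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body


# Constructed reply from a server that still accepts SSLv2, including a 40-bit export kind.
SAMPLE_SERVER_HELLO = _server_hello(b"\x30\x03\x02\x01\x01", [0x010080, 0x020080], b"\x00" * 16)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None  # an IP address or host name
    print("offline sample:", assess(parse_server_response(SAMPLE_SERVER_HELLO)))
    for port in (443, 465, 993, 995) if host else ():
        print(port, assess(probe(host, port)))
```

Running it with no argument only evaluates the constructed sample; given a host it probes the four implicit-TLS ports in turn, which is the "is the same key exposed somewhere else" check the paragraphs above call for. A reply that begins with a TLS record (0x15 or 0x16) is the good outcome: the server refused to speak SSLv2 at all.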

While this all may sound a little scary, as most security vulnerabilities do, TurnKey Internet takes security very seriously. Our web hosting servers and software are always kept up to date, and if your account is on one of our shared hosting packages you have nothing to worry about. If you still want to test your site, or the server your account is hosted on, against DROWN, feel free to do so here: https://drownattack.com/#check. You will need to use the IP address your site lives on rather than your domain name; you can find it with a DNS lookup service such as http://www.getip.com/, or by running dig +short yourdomain.com from a terminal.

If you need assistance finding your web site's IP address, or reviewing your security, please send us a support ticket (helpdesk@turnkeyinternet.net) and we will be happy to help.



The SSL POODLE that Bites – SSL 3.0 Issues for web sites   no comments

Posted at Feb 22, 2015 @ 11:20am internet security,Web hosting

When I say POODLE, what do you think of? Is it a fluffy dog? In most cases I would be referring to the fluffy dog, but for this article we will be focusing on a security vulnerability. If you are currently allowing SSL version 3.0, you will need to update the TLS configuration of the services on your server. SSL stands for Secure Sockets Layer. An SSL certificate is something every ecommerce site should have: it allows you to process payments through your website securely, and if you are taking orders from your clients at all, you should be using one. SSL adds another layer of security and trust for your clients. If you have not read my post on PCI compliance and you are running an ecommerce site, you should read it here: (Insert link to PCI compliance post)

 

As with any software on the internet, SSL comes in several versions. SSL version 3.0 is nearly 18 years old and no longer secure, yet it remains in widespread use. Nearly all browsers still support it, and to work around bugs in HTTPS servers browsers will retry a failed connection with older protocol versions, including SSL 3.0. An attacker who can interfere with the network can abuse this retry behaviour to force a browser down to SSL 3.0, and then exploit a flaw in SSL 3.0's CBC cipher padding, which is not covered by the message authentication code, to decrypt parts of the encrypted traffic such as session cookies one byte at a time. This is the POODLE exploit, and it can leak your customers' data while they are placing orders. You can read more about the specifics of the attack here:

 

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

 

Browsers and websites should turn off SSLv3 to avoid compromising users' private data. The most straightforward fix is to disable SSL 3.0 entirely, which the links below show how to do; however, this can cause compatibility problems for very old clients. Where SSL 3.0 must be kept for now, the recommended option is to support TLS_FALLBACK_SCSV: a browser that retries with a lower protocol version includes this signalling cipher suite value in its retry, and a server that supports a higher version refuses the connection, so an attacker can no longer force the downgrade. The links below show how to secure your server's TLS configuration. These measures address the risk from retried connections and also stop a knowledgeable attacker from downgrading from TLS 1.2 to 1.1 or 1.0. Ideally do both: disable SSL 3.0 and support TLS_FALLBACK_SCSV.

 

 

For WHM/cPanel servers –  https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

 

For DirectAdmin servers – http://forum.directadmin.com/showthread.php?t=50105

 

For Plesk servers – http://kb.sp.parallels.com/en/123160

 


Written by Jeremy on February 22nd, 2015
