Blogs

      • The Future of SSL Encryption

        Mar 29 2018, 8:28 PM

        by Stefano Rebulla

        Most readers will immediately connect the acronym “RSA” with the public-key algorithm published in 1977 by Rivest, Shamir and Adleman, which is still the most widely deployed algorithm in Public Key Infrastructure (PKI) systems such as SSL. The construction remains ingenious even by modern standards, but technology moves quickly and the paint on RSA is starting to crack. Several RSA challenge moduli have been factored over the years, and RSA-1024 was deprecated by the industry for public CA use before any practical break was demonstrated, on the reasoning that it was only a matter of time.

        Today’s industry rules (the CA/Browser Forum Baseline Requirements) mandate a minimum of 2048 bits for RSA keys in public SSL certificates. RSA’s security rests on the difficulty of factoring the modulus, and factoring algorithms keep improving, so attacks on longer keys may eventually become feasible. That will not happen to 2048-bit keys in the foreseeable future, but it leads to the next concern: RSA key lengths only ever grow.

        ssl-blog.jpg

        Our modern lives rely more and more on smaller devices, down to “smartwatches”, yet we expect them to keep our data as secure as a traditional computer would. Small devices pose two problems: they have comparatively little computing power, and they run on batteries, so every minute of battery life matters.

        As the key lengths required for even ordinary services secured by an SSL certificate grow, so do the time and power a small device spends on the public-key operations of each handshake: verifying the certificate’s signature and completing the key exchange. Help is at hand through Symantec, and has been available for several months in a publicly available production environment. Meet Elliptic Curve Cryptography, a.k.a. ECC, part of Symantec’s public SSL certificate offering.

        ECC is a newer family of public-key algorithms that began to see wide adoption around 2005. It addresses both problems by delivering a higher security level from much shorter keys: a 256-bit ECC key gives security comparable to a 3072-bit RSA key. ECC also combines with Diffie-Hellman key exchange as ephemeral elliptic-curve Diffie-Hellman (ECDHE), which gives ECC SSL certificates Perfect Forward Secrecy (PFS): every session negotiates a fresh, throw-away key pair, and the session key is never derived from the certificate’s long-term private key. An eavesdropper who records the encrypted stream and later obtains the server’s private key therefore still cannot decrypt past sessions; each one would have to be attacked separately.

        Worried about leaving users on legacy systems in the dark? Web servers such as Apache can be configured with both an RSA and an ECC certificate, each with its own chain of intermediates, and the server serves whichever the connecting client supports, so the certificate chain still validates for clients that do not understand ECC. Symantec is already using ECC roots, so we are well equipped for the future. Using ECC SSL will also cut your power bill: at an equivalent security level an ECC operation is far cheaper than the corresponding RSA private-key operation, and modern processors handle the arithmetic efficiently.

        So, with Symantec’s SSL certificates you have access to the future of encryption today: lower load on your servers, higher security for your users, and a better and faster experience, especially on mobile. At Symantec our prime mission is to keep ahead of the next big thing in digital security, so you can do what you do best: your business. Do get in touch; we would love to hear from you.

        • Products
        • website security solutions
        • DigiCert SSL TLS Certificates
        • Products and Solutions
        • Symantec Website Security
      • Google’s SHA-1 Deprecation Plan for Chrome

        Oct 20 2017, 8:36 PM

        by Brook Chelmo

        The latest news in the SSL and web-browser industries is Google’s plan to deprecate SHA-1 in its own way, starting with Chrome 39. Unlike Microsoft’s plan, announced in November 2013, Google will show escalating visual warnings in the browser, ultimately marking the page insecure, based on the browser version, the current date and the certificate’s expiration date.

        Here is what you need to know first:

        1. SHA-1 certificates still validate today, but critics question SHA-1’s long-term ability to resist collision attacks, which is why browsers are moving away from it now.
        2. SHA-2 (in practice SHA-256) is the replacement hash algorithm. If your end-entity or intermediate certificates are signed with SHA-1, it is a good idea to exchange them now.
        3. This issue affects all Certification Authorities, not just Symantec.
        4. All SHA-1 end-entity certificates, and SHA-2 end-entity certificates that chain up to a SHA-1 intermediate, are affected. SHA-1 root certificates are not affected by either Microsoft’s or Google’s plan, because browsers never verify a root’s self-signature; trust in a root comes from its presence in the trust store.
        5. Google uses three terms you may want to familiarize yourself with:
          1. secure, but with minor errors,
          2. neutral, lacking security, and
          3. affirmatively insecure.
        6. Symantec offers free replacements for affected Symantec SSL certificates.

        What we expect to see with future Chrome releases:

        Chrome 39 (Beta release: 26 September 2014, tentative production release: November 2014):

        1. Any page served with a SHA-1 SSL certificate that expires on or after 1 January 2017 will be treated as “secure, but with minor errors”. The lock in the address bar gets a yellow warning triangle, as in this example provided by Google:

        google-blog-1.png

        Chrome 40 (Beta release: 7 November 2014, tentative production release: post-holiday season):

        1. Pages secured with a SHA-1 certificate expiring between 1 June 2016 and 31 December 2016 inclusive will receive the treatment described above.
        2. Additionally, pages secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “neutral, lacking security”. The lock in the address bar is replaced by a blank page icon, as in this example provided by Google:

        google-blog-2.png

        Chrome 41 (Q1-Q2 2015):

        1. Sites secured with a SHA-1 certificate expiring between 1 January 2016 and 31 December 2016 inclusive will be treated as “secure, but with minor errors”.
        2. Sites secured with a SHA-1 certificate expiring on or after 1 January 2017 will be treated as “affirmatively insecure”. The lock gets a red “X” and the letters “HTTPS” are crossed out in red, as in this example provided by Google:

        google-blog-3.png

        Here is a matrix to help you understand the dates. Each SHA-1 column is a certificate with the given expiration date; the last column is a SHA-2 certificate for comparison. Cell values: OK = normal lock; Minor = “secure, but with minor errors”; Neutral = “neutral, lacking security”; Insecure = “affirmatively insecure”.

        Chrome version (beta date) | SHA-1, expires by Dec 31 2015 | SHA-1, Jan 1 - May 31 2016 | SHA-1, Jun 1 - Dec 31 2016 | SHA-1, Jan 1 2017 and beyond | Recommended: SHA-2
        Chrome 39 (Sept. 2014)     | OK                            | OK                         | OK                         | Minor                        | OK
        Chrome 40 (Nov. 2014)      | OK                            | OK                         | Minor                      | Neutral                      | OK
        Chrome 41 (Q1 2015)        | OK                            | Minor                      | Minor                      | Insecure                     | OK

        Moral of the story: Move to SHA-2, especially if your SSL certificate expires after December 2015.

        What you need to do:

        1. Use our SSL Toolbox to see whether your certificates are affected. SHA-1 SSL certificates expiring before 2016 are NOT affected and can be replaced with a SHA-2 certificate at renewal time if you wish.
        2. If your Symantec certificates are affected, you can replace them at no additional charge with a SHA-2 certificate, or with a SHA-1 certificate whose validity does not extend past 2015. Check whether your vendor has a free replacement program like Symantec’s.
        3. Install your new certificates.
        4. Test your installation using the SSL Toolbox.
        5. Security best practice: revoke the certificates that were replaced in step 2.
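        As an added example of applying the rules above to your own certificates offline (written for this page; it is not Symantec’s SSL Toolbox and not from the original post): the script parses the text that `openssl x509 -noout -text -in cert.pem` prints, concatenated for each certificate of the chain leaf first, and reports the treatment each Chrome version will give the leaf. The sample chain text is constructed for the example, not a real certificate. The rule that trips people up is encoded explicitly: the self-signed root is skipped, so a SHA-1 root is harmless while a SHA-1 intermediate is not.

```python
"""Classify a certificate chain under Google's Chrome 39/40/41 SHA-1 plan.

Added example for this page: not Symantec's SSL Toolbox and not from the
original post.  It parses the text that
    openssl x509 -noout -text -in cert.pem
prints (concatenated for each certificate of the chain, leaf first) and
applies the rules stated above: the root's own signature is ignored, a
leaf is affected if it or any intermediate carries a SHA-1 signature, and
the treatment depends on the Chrome version and the leaf's Not After date.
The sample chain below is constructed text, not a real certificate.
"""
import re
from collections import namedtuple
from datetime import date, datetime

Cert = namedtuple("Cert", "subject issuer sig_alg not_after")

# Constructed sample: SHA-1 leaf expiring in 2017 under a SHA-1 intermediate.
SAMPLE_CHAIN_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Intermediate CA
        Validity
            Not Before: Sep  1 00:00:00 2014 GMT
            Not After : Mar  1 23:59:59 2017 GMT
        Subject: CN=www.example.com
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Root CA
        Validity
            Not Before: Jan  1 00:00:00 2010 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: CN=Example Intermediate CA
    Signature Algorithm: sha1WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Root CA
        Validity
            Not Before: Jan  1 00:00:00 2005 GMT
            Not After : Dec 31 23:59:59 2030 GMT
        Subject: CN=Example Root CA
    Signature Algorithm: sha1WithRSAEncryption
"""

FIELD = {
    "sig_alg": re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M),
    "issuer": re.compile(r"^\s*Issuer:\s*(.+?)\s*$", re.M),
    "subject": re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M),
    "not_after": re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M),
}


def parse_chain(text):
    """Split concatenated `openssl x509 -text` output into Cert records."""
    certs = []
    for block in text.split("Certificate:\n")[1:]:
        f = {k: rx.search(block).group(1) for k, rx in FIELD.items()}
        expiry = datetime.strptime(f["not_after"], "%b %d %H:%M:%S %Y %Z").date()
        certs.append(Cert(f["subject"], f["issuer"], f["sig_alg"].lower(), expiry))
    return certs


def chrome_treatment(chrome_version, chain):
    """Treatment of the leaf (chain[0]) in the given Chrome version.

    Roots are recognised as self-signed (subject == issuer) and skipped,
    because browsers never verify a root's own signature; this is why a
    SHA-1 root is unaffected while a SHA-1 intermediate is.
    """
    leaf = chain[0]
    sha1_in_path = any(c.sig_alg.startswith("sha1")
                       for c in chain if c.subject != c.issuer)
    if not sha1_in_path or chrome_version < 39:
        return "secure"                 # Chrome 38 and earlier did not flag SHA-1
    minor = "secure, but with minor errors"
    expires_2017 = leaf.not_after >= date(2017, 1, 1)
    if chrome_version == 39:
        return minor if expires_2017 else "secure"
    if chrome_version == 40:
        if expires_2017:
            return "neutral, lacking security"
        return minor if leaf.not_after >= date(2016, 6, 1) else "secure"
    # Chrome 41 and later
    if expires_2017:
        return "affirmatively insecure"
    return minor if leaf.not_after >= date(2016, 1, 1) else "secure"


def report(chain, versions=(39, 40, 41)):
    """Human-readable summary, e.g. for a batch check of many hosts."""
    leaf = chain[0]
    lines = [f"{leaf.subject}: {leaf.sig_alg}, expires {leaf.not_after}"]
    lines += [f"  Chrome {v}: {chrome_treatment(v, chain)}" for v in versions]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_chain(SAMPLE_CHAIN_TEXT)))
```

        To check a live site, capture its chain with `openssl s_client -connect host:443 -showcerts`, run each PEM block through `openssl x509 -noout -text`, and feed the concatenated text to `parse_chain`.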

        For more in-depth information, instructions and assistance, please refer to our knowledge center article on this subject. For a list of SHA-2 supported and unsupported applications, review this list from the CA Security Council.

        Read our SHA-2 webpage for the tools, steps to take, and a list of FAQs that can be generally applicable across all browsers.

        • Products
        • Google Chrome
        • website security solutions
        • Symantec Website Security
        • SHA
        • SHA-1
        • chrome
        • DigiCert Complete Website Security
        • Products and Solutions
        • Google
      • Extended Validation Solutions for SMB Ecommerce success: Secure128

        Mar 29 2018, 10:35 PM

        by Charla Bunton-Johnson

        Guest Blogger: John Monnett, V.P. & Partner, Secure128
        Website Security Platinum Partner

        secure128.png

        Shopping Cart Abandonment is a Staggering 70%

        In 2014 we are living through an online revolution. When I started my undergraduate studies in 1991, there was virtually no such thing as “e-commerce” as we know it today. In 2014, worldwide business-to-consumer e-commerce sales are estimated to reach nearly $1.5 trillion.

        How can SMB owners capture a share of the e-commerce market most efficiently? Many factors contribute, but one of the simplest ways to reduce shopping cart abandonment is to increase the trust visitors place in your website from the moment they arrive. Abandonment rates average a staggering 70%, and a key driver is a lack of visitor trust at the moment of truth: the transaction.

        How Can SMBs Compete and Reduce Shopping Cart Abandonment?

        Most SMB website operators lack the brand recognition and trust that companies like eBay, Bank of America and Symantec have built over time. Sites like ours have only a brief moment to establish the same level of confidence as the big names. We need to combine credible tools: the Extended Validation green bar, an “always on” HTTPS site and trust seals from Symantec, the leader in online trust. They help us:

        • Secure our websites properly

        • Prove our legal identity to visitors

        • Align our web properties with the most recognizable security brands

        We do business with Symantec because they have an extensive portfolio of “Right for Me” solutions for Secure128 and our customers. They have the right solution for every SSL and website security need, helping us inspire the same level of trust as our larger, widely recognized competitors and level the playing field. Instead of competing on brand recognition against larger, more established companies, we can compete on trust and security.

        Always On SSL + Extended Validation: A Powerful Advantage for SMBs

        Securing our websites is done most effectively with encryption via SSL certificates. “Always On SSL”, HTTPS across the whole site, is becoming the standard at web giants such as PayPal, Twitter and Facebook, and Google now boosts search rankings for HTTPS sites. Deploying SSL certificates across all web properties is no longer optional; it is a requirement of operating an effective and secure business online. From a revenue perspective, the problem is that basic SSL certificates (Domain Validated, or DV) provide encryption and proof of control over the domain name, and nothing more. The biggest mistake most website operators make is to encrypt their websites while giving visitors no way to verify their true business identity.

        For example, when shopping online for that perfect gift, your search lands you on a website you have never heard of, with no easy way to verify who really owns and operates it. Extended Validation (EV) SSL certificates were created to bridge the gap between encryption and ownership validation of websites. An EV certificate verifies not only domain ownership but also the legal and governmental business registration of the certificate holder, and the browser displays that identity in the address bar:

        Green bar URL image corrected.jpg

        A simple click on the padlock shows the physical location where the EV certificate’s organization is registered to do business. The EV standards are set by the CA/Browser Forum, and issuing CAs are audited annually for WebTrust certification. What does this mean to a website visitor and potential customer? However non-technical they may be, the green address bar displaying the website’s legal owner is hard to miss, and it has been shown to increase visitors’ trust and conversion rates.

        The Leader in Online Trust, Always the Right Solutions

        With every Certificate Authority offering its own brand of EV SSL options, the choice that is right for your business comes down to price and to which brand your site visitors will recognize. In an independent 2013 survey by the Baymard Institute, all three of Symantec’s EV-capable SSL brands (Symantec, thawte and GeoTrust) ranked among the seven most recognized site seals.

        When you look at Symantec’s complete solutions portfolio, you will see the widest range of value, functionality and proven results across Symantec’s three SSL brands, especially when it comes to EV products. Symantec is quite flexible for all website budgets, making it easy to choose the right solution for you. For high-volume web properties, brand recognition and performance take priority, which makes Symantec’s industry-first Elliptic Curve Cryptography (ECC) EV certificates my EV SSL option of choice for larger e-commerce sites.

        In the bigger picture, all of us web based business operators are trying to achieve similar goals of growing website traffic, boosting conversion rates, and increasing our online sales revenues. All of us invest significant resources into our websites in terms of design & development, marketing, advertising, security, etc.

        Given those common goals, if I could tell you that by converting your entire sitemap to HTTPS using Extended Validation SSL from one of Symantec’s globally recognized brands (Symantec, thawte, or GeoTrust), you could significantly increase your online sales revenue and only increase your annual budget by a fraction of a percentage…   would you do it?

        My fellow website operators, that’s exactly what I’m telling you!

        • Products
        • website security solutions
        • DigiCert SSL TLS Certificates
        • Products and Solutions
        • Symantec Website Security
      • SHA1 certificate shown as insecure or with mix content warning on Google Chrome 39

        Sep 09 2014, 8:59 AM

        by Robert Lin

        As of late 2014, SHA-1 certificates, and SHA-1 signatures anywhere in their trust chain (the root CA’s own signature excepted), will be treated as insecure by Google Chrome.

        A three-step process increases the severity of the warning:

        1. Initially, SHA-1 certificates that expire on or after 2017/1/1, and whose validated chain contains SHA-1-based signatures, are shown the “Secure, but minor errors” icon: a lock with a yellow warning triangle.

        2. Severity then increases:
          SHA-1 certificates that expire between 2016/6/1 and 2016/12/31 inclusive, and whose validated chain contains SHA-1-based signatures, are shown the “Secure, but minor errors” icon (the lock with a yellow triangle).

          SHA-1 certificates that expire on or after 2017/1/1, and whose validated chain contains SHA-1-based signatures, are shown the “Neutral, no security” icon: the blank page icon used for plain HTTP URLs.

        3. Finally, Chrome renders websites whose SHA-1 certificates expire on or after 2017/1/1, and whose validated chain contains SHA-1-based signatures, with the “Affirmatively insecure, major errors” icon: a lock with a red X and “https” struck through in red.
           

        To resolve this issue, SHA-2 certificates must be installed in place of the SHA-1 leaf and any SHA-1 intermediates.

        Google: Gradually sunsetting SHA-1

        What about cross-root chaining? For example:

        Chain one:   (1) example.org-int1(sha256) <- int1-ca1(sha256) <- ca1-ca1(N/A)
        Chain two:   (2) example.org-int1(sha256) <- int1-ca1(sha256) <- ca1-ca2(sha1) <- ca2-ca2(N/A)
        Chain three: (3) example.org-int1(sha256) <- int1-ca1(sha256) <- ca1-ca2(sha256) <- ca2-ca2(N/A)

        Here a-b(h) denotes a certificate for subject a issued by b and signed with hash h; the self-signed roots (N/A) are not verified.

        As per Ryan from Google:

        "On all of our platforms, it will prefer (1) if ca1 is trusted. It would only go to (2) if ca1 is not trusted.
        On the platforms where this is the case, the peer supplying ca1-ca2(sha256) as part of the handshake ensures that (3) is preferred, if ca2 is trusted."
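        To make the preference in Ryan’s answer concrete, here is an added example (a constructed model written for this page, not Chrome’s or any platform’s real path builder, and not from the original post). Certificates are reduced to subject, issuer and signature hash, candidate chains are enumerated from the leaf up to a trusted root, and the chain is chosen by two rules: a shorter chain to a trusted root wins, so chain (1) is used whenever ca1 is trusted; and, as this model’s assumption for “supplying ca1-ca2(sha256) ensures that (3) is preferred”, among chains of equal length the one with fewer SHA-1 signatures wins.

```python
"""Certification-path building with cross-signed roots.

Added example for this page: a constructed model, not Chrome's (or any
platform's) real path builder.  It reproduces the three chains listed
above.  Rule 1 (from the quoted answer): a chain must end at a trusted
root and the shortest such chain wins.  Rule 2 (this model's assumption):
among chains of equal length, the one with fewer SHA-1 signatures wins,
so a SHA-256 cross-certificate supplied in the handshake beats a SHA-1
one the client may already hold.
"""
from collections import namedtuple

# A certificate is reduced to subject, issuer and the hash of its signature.
Cert = namedtuple("Cert", "subject issuer sig_hash")

# The page's example chain, in the page's own names (constructed).
LEAF = Cert("example.org", "int1", "sha256")
INT1 = Cert("int1", "ca1", "sha256")
CROSS_SHA1 = Cert("ca1", "ca2", "sha1")       # older cross-cert, e.g. cached
CROSS_SHA256 = Cert("ca1", "ca2", "sha256")   # newer cross-cert, sent by the peer


def build_paths(cert, available, trusted_roots, seen=()):
    """Every path from `cert` up to a trusted root name, leaf first.

    The trusted root itself is not part of the path: its self-signature
    is never verified, which is why a SHA-1 root is harmless.  `seen`
    holds subject names already on the path, to stop cross-cert loops.
    """
    paths = []
    if cert.issuer in trusted_roots:
        paths.append([cert])
    for cand in available:
        # A cross-cert re-issues our issuer's name under another root.
        if (cand.subject == cert.issuer and cand.subject != cand.issuer
                and cand.subject not in seen):
            for tail in build_paths(cand, available, trusted_roots,
                                    seen + (cert.subject,)):
                paths.append([cert] + tail)
    return paths


def select_path(leaf, available, trusted_roots):
    """Pick the preferred chain: shortest, then fewest SHA-1 signatures."""
    paths = build_paths(leaf, available, trusted_roots)
    if not paths:
        return None
    return min(paths, key=lambda p: (len(p),
                                     sum(c.sig_hash == "sha1" for c in p)))


def describe(path):
    """Render a path in the page's notation; the root appears as name-name(N/A)."""
    root = path[-1].issuer
    links = " <- ".join(f"{c.subject}-{c.issuer}({c.sig_hash})" for c in path)
    return f"{links} <- {root}-{root}(N/A)"


def chosen_chain(ca1_trusted, ca2_trusted, peer_sends_sha256_cross):
    """Which of the page's chains a client picks in a given trust situation."""
    available = [INT1, CROSS_SHA1] + ([CROSS_SHA256] if peer_sends_sha256_cross else [])
    trusted = {name for name, ok in (("ca1", ca1_trusted), ("ca2", ca2_trusted)) if ok}
    path = select_path(LEAF, available, trusted)
    return describe(path) if path else None


if __name__ == "__main__":
    for args in [(True, True, False), (False, True, False), (False, True, True)]:
        print(args, "->", chosen_chain(*args))
```

        Running the file prints chain (1) when ca1 is trusted, chain (2) when only ca2 is trusted and the client holds just the SHA-1 cross-certificate, and chain (3) once the peer also supplies the SHA-256 cross-certificate.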

        • Products
        • Google Chrome
        • Public Key Infrastructure (PKI)
        • Symantec Enterprise Security
        • Thought Leadership
        • Symantec Website Security
        • SHA1
        • DigiCert Code Signing
        • DigiCert SSL TLS Certificates
        • Security Community Blog
        • SHA256
        • Google