Blogs

      • Symantec SSL Certificates Now offer a FREE SAN for Base Domain Names.

        Mar 31 2015, 4:43 PM

        by The SSL Store™ 1

        Symantec, the world’s most trusted online security brand, has just announced that it will now secure the www and non-www versions of a domain name with a single SSL certificate, and the two will be considered the same FQDN! This is big news for us and all of our partners and customers.


        Finally, all Symantec SSL certificates will now treat the base domain as a free SAN (Subject Alternative Name), which simply means you can secure both versions of your website, www.name-of-site.com and name-of-site.com, with a single Symantec SSL certificate. This is an easy change that will reduce the cost and time of managing multiple certificates for one website.

        As the world’s leading brand, Symantec is always thinking about their partners’ and customers’ well-being and implementing new features like this to provide the best web security solutions on the planet. Symantec SSL certificates secure the majority of websites in the world and boast the strongest encryption, unparalleled brand recognition, and a free Norton Secured Seal, which is just icing on the cake if you ask me.

        Here are the 3 use cases for Symantec SSL certificates:

        • When you enroll with the Common Name www.name-of-site.com, Symantec SSL now automatically secures and adds the non-www version of the same domain (name-of-site.com) as a SAN for free.
        • When you enroll the Common Name as name-of-site.com, Symantec will automatically add www.name-of-site.com as a free SAN.
        • For a wildcard certificate: When the enrolled Common Name is *.name-of-site.com, Symantec will automatically add name-of-site.com as a free SAN.

        Details/Examples:
        1) When the Common Name is www.name-of-site.com

        Symantec SSL will add the common name’s base domain as a SAN value for all certificates where the common name begins with “www” and does not contain sub-domains.

        –  It’s free and it does not count as part of the max # of allowed SAN
        –  Of course, it will only be added if TLD is valid.

        | TLD Domain Type | Example of Domain Name | Add base domain as a SAN value? |
        |---|---|---|
        | 1-level TLD (such as a gTLD) | www.domain.com | Yes – add domain.com |
        | 1-level TLD (such as a gTLD) | www.subdomain.domain.com | No |
        | 2-level TLD (such as a ccTLD) | www.domain.co.uk | Yes – add domain.co.uk |
        | 2-level TLD (such as a ccTLD) | www.subdomain.domain.co.uk | No |
        | Internal host/IP | server.local | No |

        2) When Common Name is domain.com

        Symantec SSL certificates automatically add “www” to the common name’s domain as a SAN value for all certificates where the common name is a simple domain name without any sub-domains.

        –  It’s free and it does not count as part of the max # of allowed SAN
        –  Of course, it will only be added if TLD is valid.

        | TLD Domain Type | Example of Domain Name | Add base domain as a SAN value? |
        |---|---|---|
        | 1-level TLD (such as a gTLD) | domain.com | Yes – add www.domain.com |
        | 1-level TLD (such as a gTLD) | www.subdomain.domain.com | No |
        | 2-level TLD (such as a ccTLD) | domain.co.uk | Yes – add www.domain.co.uk |
        | 2-level TLD (such as a ccTLD) | www.subdomain.domain.co.uk | No |
        | Internal host/IP | server.local | No |

        3) When Common Name is *.domain.com (Wildcard SSL)

        Symantec SSL certificates automatically add the common name’s base domain as a SAN value for all certificates where the common name is a wildcard and does not contain sub-domains.

        –  It’s free and it does not count as part of the max # of allowed SAN
        –  Of course, it will only be added if TLD is valid.

        | TLD Domain Type | Example of Domain Name | Add base domain as a SAN value? |
        |---|---|---|
        | 1-level TLD (such as a gTLD) | *.domain.com | Yes – add domain.com |
        | 1-level TLD (such as a gTLD) | *.subdomain.domain.com | No |
        | 2-level TLD (such as a ccTLD) | *.domain.co.uk | Yes – add domain.co.uk |
        | 2-level TLD (such as a ccTLD) | *.subdomain.domain.co.uk | No |
        | Internal host/IP | *.server.local | No |

        The following Symantec SSL products benefit from this change:

        | Symantec | Thawte | GeoTrust |
        |---|---|---|
        | Secure Site Pro with EV | SSL Web Server with EV | True BusinessID with EV |
        | Secure Site with EV | SGC Supercerts | True BusinessID |
        | Secure Site Pro | SSL Web Server | – |
        | Secure Site Wildcard | SSL Web Server Wildcard | True BusinessID Wildcard |
        | Secure Site SSL | SSL123 (DV But Allow) | – |

        *GeoTrust already offers domain.com as a free SAN when the common name is www.domain.com, but will now also add www.domain.com as a free SAN when the common name is domain.com.
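The three tables above reduce to one decision rule, sketched here as an added example (not Symantec's or The SSL Store's code). `VALID_SUFFIXES` is a constructed stand-in for a real public-suffix list and holds only the suffixes used in the tables; `free_san` is a hypothetical helper name.

```python
# Constructed stand-in for a public-suffix list: only the suffixes that appear
# in the tables above. "local" is absent on purpose (internal host names).
VALID_SUFFIXES = {"com", "co.uk"}


def split_on_suffix(name):
    """Return (labels_left_of_suffix, suffix), or None if no valid suffix matches."""
    labels = name.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" is matched as a whole rather than as a bare "uk".
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in VALID_SUFFIXES:
            return labels[:i], suffix
    return None


def free_san(common_name):
    """Return the SAN that would be added for free, or None if the rule says No."""
    parsed = split_on_suffix(common_name)
    if parsed is None:
        return None  # internal host/IP, or a TLD that is not valid
    left, suffix = parsed
    if len(left) == 1 and left[0] not in ("www", "*"):
        # Case 2: bare domain, add the www form.
        return f"www.{left[0]}.{suffix}"
    if len(left) == 2 and left[0] in ("www", "*"):
        # Cases 1 and 3: www.<domain> or *.<domain>, add the base domain.
        return f"{left[1]}.{suffix}"
    return None  # sub-domains present: nothing is added


if __name__ == "__main__":
    for cn in ("www.domain.com", "domain.co.uk", "*.domain.com",
               "www.subdomain.domain.co.uk", "*.server.local"):
        print(f"{cn:30} -> {free_san(cn)}")
```
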

      • Bridging the Gap between IT and the Business with Next Generation Cloud Security

        Mar 18 2015, 11:16 AM

        by Mike Smart 0

        To those of us that have been brought up in the world of IT, there is nothing scarier than users and lines of business choosing and deploying their own IT.  We’ve labeled it ‘Shadow IT’ because it’s technology that is used in the dark, without the knowledge of the IT Department.

        But actually, to the user or the line of business, it’s just innovation. The typically risk-averse IT departments are all about mitigating risk; after all, we’ve deployed Anti-Virus and Intrusion Prevention technologies to mitigate the risk of viruses and intrusions. This attitude of preventing risk is making us unpopular and irrelevant to the business, and this is why they often choose to bypass the IT procurement process.

        The fact is, users are more mobile than ever, and are comfortable taking corporate data and storing it on mobile devices or cloud storage applications all in the name of innovation and increased productivity.  Perhaps those of us in IT should find a way to embrace this and at the same time protect the business without imposing impractical policies and process.

        To help you bridge the gap, and allow users and the business to adopt flexible working practices that drive innovation through the adoption of mobility, cloud based systems and infrastructure, Symantec has released Identity: Access Manager.  Symantec™ Identity: Access Manager is a next generation access control platform that offers users and administrators control, convenience, and compliance for cloud-based applications.

        Access Manager starts by using Symantec Validation and ID Protection (VIP) and Symantec Managed PKI to bring integrated single sign-on (SSO) and strong authentication to mobile devices. With Access Manager, users can log in one time using a password, PIN, or even a fingerprint to safely access all of their cloud apps and information. This helps secure mobile devices by eliminating bad password practices and gives your users fast, easy access to the resources they need.

        Also, Access Manager provides flexible, easy-to-create connectors and unified identity and context-based access control for virtually any cloud app or service, which means you can enforce your security and compliance policies, log your activities to stay compliant, and ultimately turn those rogue apps into legitimate productivity tools.

        Access Manager is every bit as flexible as it is powerful. You can choose to deploy it on-premise or in the cloud, depending on the needs of your organization. And because Access Manager integrates seamlessly with your existing infrastructure, it reduces complexity by providing a convenient central point for managing all of your different user directories.

        In summary, there are five good reasons to try Symantec Identity: Access Manager in your environment:

        • Ensures control, convenience, and compliance for public and private cloud applications
        • Enhances security with strong authentication and identity/context-based access control
        • Streamlines compliance auditing by consolidating access logs for protected users and applications
        • Boosts users’ productivity with Single Sign-On – one password grants access to all apps
        • Offers flexible deployment options: choose from on-premise or hosted service

        If you want to find out more, visit our home page here:

      • The FREAK Vulnerability; What You Need to Know

        Oct 20 2017, 8:43 PM

        by Unknown 3

        A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers. It’s a threat because FREAK allows an attacker to get between a client and server and view what is intended to be a secure and private communication. The vulnerability is primarily due to a bug in OpenSSL client software and Microsoft's SChannel library, but only exploitable on poorly-configured web servers. Both clients and servers are at risk. Web site owners can protect their sites by properly configuring their web servers. End users will need to wait for software vendors to release new versions that include a fix.

        Note that this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended; no certificate replacement is needed.

        Organizations should evaluate their web servers to determine if they are vulnerable.  Symantec offers an easy-to-use check in its SSL Toolbox to allow customers to easily verify that their web sites are safe or vulnerable. At the time of this writing, Symantec is evaluating its own systems and no Symantec web servers appear to be vulnerable.


        Technical Details:

        It’s relatively easy to determine if a website is vulnerable, and if so, it’s relatively easy to change the configuration to block any possible attacks. Any type of web server (Apache, IIS, nginx, etc.) may be vulnerable if its configuration allows the use of so-called Export Ciphers. In Apache/OpenSSL documentation, for example, the names of these ciphers all begin with EXP (from https://httpd.apache.org/docs/2.4/mod/mod_ssl.html):

        EXP-DES-CBC-SHA

        EXP-RC2-CBC-MD5

        EXP-RC4-MD5

        EXP-EDH-RSA-DES-CBC-SHA

        EXP-EDH-DSS-DES-CBC-SHA

        EXP-ADH-DES-CBC-SHA

        EXP-ADH-RC4-MD5

        If a customer’s web server supports these ciphers, the customer must reconfigure the web server by removing these ciphers from the list of supported ciphers, and restart the web server. Although not related to this vulnerability, customers should also disable null ciphers if they are supported, since such ciphers do not provide any encryption of the SSL stream:

        NULL-SHA

        NULL-MD5

        In Windows, the names of export ciphers contain the string “EXPORT”. Here is a list taken from http://support.microsoft.com/kb/245030:

        SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA

        SSL_RSA_EXPORT1024_WITH_RC4_56_SHA

        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

        SSL_RSA_EXPORT_WITH_RC4_40_MD5

        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

        TLS_RSA_EXPORT_WITH_RC4_40_MD5

        NULL

        We advise customers to consult their web server documentation to determine how to view the list of supported ciphers, and how to disable certain ciphers.
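The naming rules above can be turned into a quick audit of a server's enabled cipher list, shown here as an added example (not Symantec's SSL Toolbox code). The two sample lists are constructed, and `classify` and `audit` are hypothetical helper names.

```python
import re


def classify(name):
    """Return 'export', 'null' or 'ok' for one cipher suite name."""
    upper = name.upper()
    # Rules from the text: OpenSSL export names begin with EXP,
    # Windows export names contain the string EXPORT.
    if upper.startswith("EXP") or "EXPORT" in upper:
        return "export"
    # NULL-SHA, NULL-MD5 and the bare NULL entry from the lists above. Matching
    # NULL as a whole token also catches names such as TLS_RSA_WITH_NULL_SHA,
    # which goes slightly beyond the names the article lists.
    if "NULL" in re.split(r"[-_]", upper):
        return "null"
    return "ok"


def audit(enabled):
    """Sort a colon-, comma- or whitespace-separated cipher list into buckets."""
    report = {"export": [], "null": [], "ok": []}
    for name in filter(None, re.split(r"[:,\s]+", enabled)):
        report[classify(name)].append(name)
    return report


# Constructed sample inputs, not taken from any real server.
OPENSSL_SAMPLE = ("ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:EXP-RC4-MD5:"
                  "NULL-SHA:EXP-EDH-RSA-DES-CBC-SHA")
WINDOWS_SAMPLE = ("TLS_RSA_WITH_AES_128_CBC_SHA, "
                  "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, "
                  "SSL_RSA_EXPORT_WITH_RC4_40_MD5, NULL")

if __name__ == "__main__":
    for label, sample in (("OpenSSL", OPENSSL_SAMPLE), ("Windows", WINDOWS_SAMPLE)):
        result = audit(sample)
        print(label, "export ciphers to remove:", result["export"])
        print(label, "null ciphers to remove:  ", result["null"])
```
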

        Additional guidance from Symantec

        FREAK is another reminder that website security is not just about certificates. Symantec has numerous articles and white papers on security best practices and technical areas related to SSL/TLS and code-signing issues.  Please stay tuned to our Connect blog site for up-to-date information on this and other critical vulnerabilities, for other topics related to advanced threat protection, and for security industry news.  Please access our learning center for more resources that can help your organization make critical decisions related to web server security.  For technical details to help with troubleshooting please bookmark our SSL/TLS and code-signing knowledge base.

        Update: The FREAK vulnerability was reclassified from LOW to HIGH on March 19, 2015 by the OpenSSL team.

      • SSL Market Leadership

        Mar 18 2015, 8:34 PM

        by Ben W. 0

        As you might imagine, the Trust Services team at Symantec found ourselves scratching our heads last week when one of our competitors in the SSL market announced that it was now the “number one” certification authority in the world.  How could this claim be real, we questioned?  After all, for over 20 years, market analysts and customers alike have recognized Symantec as the leading and most trusted provider of SSL certificate products, solutions, and services around the world. 

        With our curiosity piqued, we did a quick check of the most recent market reports and metrics from both Frost & Sullivan and Netcraft, the two most respected SSL market analysts in the industry.  While Frost & Sullivan analyzes the SSL market from a business perspective based on the revenue share of the various competitors, Netcraft actually crawls the Internet to analyze webservers and SSL certificate information to quantify market size and share.

        Their studies continue to show Symantec at the top of the market (see chart below). 

        [Chart: Worldwide Marketshare for SSL Certificates 2015]

        Numbers aside, at Symantec, we believe “leadership” is earned rather than claimed.  Symantec’s success has largely been the result of our award-winning track record of Trust, Reliability, and Speed for our customers.  Over the years, we’ve demonstrated best-in-class OCSP response times allowing for faster and more secure web transactions for online businesses and consumers around the world.  Moreover, the Norton Secured Seal has continuously been displayed over half a billion times per day on websites in over 170 countries, serving as the most recognized trust mark on the Internet.  Over the past 2 decades, during the tremendous growth of Internet activity and increased security threats, Symantec’s global SSL infrastructure has NOT ONCE been compromised, never suffering a breach.  On the other hand, less than a week after this competitor claimed to be “number one” in the SSL market, the U.S. Department of Homeland Security reported on PrivDog, an SSL tampering tool associated with the competitor (see http://www.theregister.co.uk/2015/02/24/comodo_ssl_privdog).

        So we’ll let the market decide, while we continue to do our best for our customers, earning every bit of trust that we can each day.
