      • Website security increases conversions by fostering trust

        Nov 19 2015, 5:56 PM

        by Melanie Pracht 1

        People need to trust you and your website before they will buy from you. It should go without saying – after all who buys from someone they don’t trust? But website owners have so many things to deal with that it’s easy to overlook this fundamental point.

        This is why Symantec recently commissioned a survey from YouGov to find out just how worried people are about the security issues of shopping online and to understand the impact of different signs of website security on their willingness to buy.

        Customers are concerned

        Almost two thirds (62 percent) of respondents answered ‘yes’ when asked if they had ever not completed a purchase because they did not trust the website. On top of that, 43 percent of respondents said they are ‘very’ or ‘fairly’ worried about the security issues of shopping online.

        Thanks to a combination of high-profile website hacks and data leaks and the growing sophistication of cybercriminals’ tactics, people have good reason to be worried about issues like identity theft and credit card fraud.

        This speaks directly to the importance of website security: tools and processes that can reassure customers that they are giving their details to someone they can trust and that they are transmitting their data securely.

        Powerful padlocks

        The survey went on to explore the influence of SSL/TLS certificates on our respondents’ willingness to complete an online purchase and, in particular, the power of the padlock and ‘https’ that you see in the address bar of a site that is protected by SSL/TLS.

        You might not think many people look at their browser address bar, but 61 percent of respondents said that they do pay attention to it when they’re purchasing an item online. And not only that, but 79 percent said that they would feel more confident to make an online purchase if there was a padlock in the address bar.

        The image we showed our respondents included a green padlock, which indicates the example site has Extended Validation SSL/TLS, which lends credibility not just to the website, but to the website owner as well.

        Timeless trust marks

        We also looked into the impact of trust marks, which indicate a site is protected by SSL/TLS certificates issued by a particular third-party Certificate Authority.

        While the confidence elicited by the padlock and ‘https’ was stronger for younger shoppers, the Norton Secured Seal made people across every age range and nationality in our survey feel more confident. 

        [Image: Norton Secured Seal]

        This is particularly important when you consider that the global spending power of those aged 60 and above will reach $15 trillion by 2020, according to Euromonitor. To stand a chance of getting a slice of that growing pie, your website security has to speak to shoppers of every age.

        Trust is a tricky business

        Symantec’s full report explores how website security can help you build trust with your customers and how conversions will drop when that trust is broken. Download the report today and learn the value of your customers’ trust and find out how to earn it.

        • Products
        • DigiCert Code Signing
        • Security Community Blog
        • Symantec Website Security
      • Most Dangerous Web Application Security Risks

        Sep 02 2015, 4:01 AM

        by Sathya Narayanan Balakrishnan 1

        As everybody knows, the top 10 dangerous web app security risks are:

        1. Injection flaws
        2. Cross-site scripting
        3. Broken authentication and session management
        4. Insecure direct object reference
        5. Cross-site request forgery
        6. Security misconfiguration
        7. Insecure cryptographic storage
        8. Failure to restrict URL access
        9. Insufficient transport layer protection
        10. Unvalidated redirects and forwards

        Being a new techie to Symantec and Symantec products, may I know what Symantec's contributions and updates are for these security risks?

        May I also ask everyone to kindly share an example of an incident which you may have come across in the past, where one of these security risks wasn't detected and ended up in major chaos.

        Many thanks

        Best regards

        Sathya Balakrishnan

        Information Security Response Analyst


        • Symantec Security Information Manager
        • Voice of the Customer
        • Endpoint Encryption
        • DigiCert Code Signing
        • Security Community Blog
        • Web Gateway
        • Products
        • 12.x
        • Malware Scan
        • Vulnerability Assessment
        • Symantec Website Security
        • DigiCert SSL TLS Certificates
        • Endpoint Protection
        • Web Security.cloud
      • Industrial Internet 4.0

        Jul 15 2015, 6:35 AM

        by Brian Witten 2

        This quick post simply seeks to set context for software leaders hoping to help with the Industrial Internet, or “Industry 4.0” as many say in Europe, by highlighting a few points commonly missed by software leaders first stepping into industrial settings. Those points matter all the more given the recent multi-hundred-billion-dollar projections for the size of the market for industrial internet software.

        Unfortunately, many of us with strong backgrounds in software don’t often realize the scale of time and cost at which most industrial plants operate.  Relining a blast furnace can cost $100M.  In auto manufacturing, each minute of downtime for a manufacturing plant costs $22,000 on average.  That’s $1.3M per hour, nearly three times more expensive than unplanned downtime costs for the average Information Technology (IT) organization.  Some pipelines move $32,000 of oil per minute.  That’s over $1.9M per hour.  In that context, it’s no wonder that plant operations teams often view planned and unplanned maintenance with a bit more intensity than most IT teams.  It’s also no wonder that companies are investing aggressively to optimize systems where a 10% improvement can produce gains of more than $200M per year for typical manufacturing plants.  It's equally clear why "security" means "availability" to these operational teams, who have so much need to protect the uptime and integrity of these systems.  That's in direct contrast to traditional IT teams, who often must protect "confidentiality" and "secrecy" at the cost of uptime.  That's an important distinction as manufacturing companies look to carefully leverage these smart technologies to improve their performance.

        According to many, the past 350 years of manufacturing are marked by three revolutionary advances: the steam engine for generating mechanical power, then electrification of manufacturing, and most recently, digitalization of manufacturing through simple Programmable Logic Controllers (PLC).  Many industrial leaders in Europe believe that they can produce a “fourth” such leap, “Industry 4.0,” by lashing digital manufacturing systems into highly virtualized, decentralized, and modular plants that leverage interoperable real-time systems to yield “smart” factories which outperform current manufacturing plants by the same degree to which mechanization, electrification, and digitalization have improved manufacturing in centuries past.  Beyond “linear” improvements such as the “10%” mentioned above, such digitally “integrated” plants will have the flexibility and agility not only to keep pace with increasingly nimble competition, but to stay ahead of it.

        Of course, that connectivity brings both tremendous promise and risk.  Having belabored pipeline explosions and steel blast furnace damage from cyber attacks in past posts, I won’t repeat myself here, especially since Symantec has already given the “Dragonfly” attacks against Western energy companies such great in-depth coverage.  However, I will promise here that next month’s blog will propose a path “forward” for security of such next-generation Industrial Control Systems (ICS), not only leveraging the cornerstones of security for the Internet of Things (IoT), but also describing how they can be applied to the ICS of the Industrial Internet and Industry 4.0.  In the interim, if you’re impatient, feel free to read up on our latest security solutions for embedded systems at www.symantec.com/iot.

        For more reading:

        http://www.symantec.com/iot

        http://blogs.wsj.com/corporate-intelligence/2014/01/28/times-have-changed-new-plan-for-a-century-old-u-s-steel-mill/

        http://news.thomasnet.com/companystory/downtime-costs-auto-industry-22k-minute-survey-481017

        http://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat-energetic-bear

        http://articles.latimes.com/2010/aug/10/nation/la-na-alaska-oil-20100810

        http://www.prnewswire.com/news-releases/global-iot-platforms-and-software-market-2015-2020-300082499.html

        http://www.acatech.de/fileadmin/user_upload/Baumstruktur_nach_Website/Acatech/root/de/Material_fuer_Sonderseiten/Industrie_4.0/Final_report__Industrie_4.0_accessible.pdf

        http://www.inc.com/yoav-vilner/store-downtime-the-ecommerce-kiss-of-death.html

        http://www.datacenterdynamics.com/critical-environment/one-minute-of-data-center-downtime-costs-us7900-on-average/83956.fullarticle

        http://www.stratus.com/stratus-blog/2014/09/26/how-downtime-impacts-the-bottom-line-2014/

        http://blogs.gartner.com/andrew-lerner/2014/07/16/the-cost-of-downtime/

        • Products
        • Critical System Protection
        • Symantec Enterprise Security
        • Thought Leadership
        • Device Certificate Service
        • Identity and Authentication Services
        • Security Community Blog
        • Managed PKI for SSL
      • Hospitals Breached via Medical Devices?

        Jun 25 2015, 4:18 PM

        by Brian Witten 5

        Many were surprised to read that extremely sophisticated and expensive medical devices, such as X-Ray machines and Blood Gas Analyzers, had been used as a pivot point in more broadly penetrating IT systems in three hospitals.  Even though general vulnerability of networked medical devices has been well known, these are the first documented cases where such devices were used as pivot points for broader lateral attacks into the rest of the hospital. 

        With such exploitation now reported, I’d like to help “peel the onion” on why such obvious problems have been practically impossible to fix for so long.  Surprisingly, the answer has nothing to do with technology.  Many of these systems actually, believe it or not, run well-known software “under the hood,” such as various flavors of Windows and Linux.  Sadly though, these extremely important machines are almost never updated with the latest security patches.  Such risks aren’t a secret in hospitals.  The healthcare industry has long seen the risks as these devices had previously been infected by malware such as Zeus, Citadel, Conficker, and more.  In fact, some (computer) virus infections have shut down entire hospital departments, required rerouting of emergency patients, or had similar implications on care delivery.

        Of course, any PC in the hospital, just like your laptop, has countless defenses against such malware.  Well-patched machines running effective, up-to-date anti-virus software are well protected against such malware and hacker attacks.   Unfortunately though, for regulatory or policy reasons, hospitals are not allowed to patch medical devices, even medical devices running Windows or other commercial software.  Similarly, hospitals are not allowed to install any additional software on these medical devices, even security software essential for protection.  The original logic stems from good reason.  Medical equipment, including its software, must undergo formal testing and be determined safe for patients.  Changing the software in any way, including patches, or adding software without explicit approval by the manufacturer can change the behavior of the device in ways that could endanger patients.  For such reasons, regulatory restrictions prohibit tampering with medical equipment, even if the tampering is intended to protect the equipment and ultimately protect the patients.

        How big are the risks?   Obviously there is no risk of “banking information” being stolen from an MRI.  However, some of the machines are so vulnerable that they may crash when they experience unexpected behavior.  Chris Eng, VP of Research at Veracode, recently tweeted that an MRI machine crashed when simply scanned for vulnerabilities, and other researchers have reported that a simple SNMP inquiry could “tip over” medical equipment. Of course, not all medical devices are that sensitive, but none of these devices should be so vulnerable.  When a device becomes infected, either as an entry point, a pivot point, or just as part of a broader infection, we need to be concerned about the potential consequences. Critical system controls may get altered and could result, for example, in an excessive radiation dose from a CT scanner.  Vulnerabilities found in insulin pumps have been shown to be outright lethal.

        Another concerning scenario would be that of a targeted attack on a medical device, for example to harm a specific patient or the reputation of a hospital. Although no such cases have been documented or reported to date, security researchers have demonstrated risks for Pacemakers (Kevin Fu), Insulin Pumps (Jerome Radcliffe) and Infusion Pumps (Billy Rios), the latter resulting in an advisory from Homeland Security’s ICS-CERT and a patient safety communication from the FDA.

        What is being done?  In 2014, the FDA issued guidance to medical equipment makers regarding cybersecurity for the medical devices that they make and sell.  I’m sure we’ll see further guidance, and potentially even enforcement, in years to come.  Device makers need to design in the cybersecurity as well as capability to update devices “in the field,” and need to work with regulators on a process whereby it is easier for such updates to be provided to their customers.  At the same time, hospitals are working on their processes to build a more secure medical device infrastructure.

        Could such a strategy work?  Will it?  Do you like the approach, or does it worry you?  Either way, I’d love to hear your thoughts.  Feel free to email us anytime at iot@digicert.com and visit us online at www.symantec.com/iot.

        For more reading:

        www.symantec.com/iot

        https://securityledger.com/2015/06/x-rays-behaving-badly-devices-give-malware-foothold-on-hospital-networks/

        http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/

        http://deceive.trapx.com/AOAMEDJACK_210_Landing_Page.html

        http://www.computerworld.com/article/2932371/cybercrime-hacking/medjack-hackers-hijacking-medical-devices-to-create-backdoors-in-hospital-networks.html

        https://twitter.com/chriseng/status/610412829405941760

        http://www.wired.com/2015/04/drug-pumps-security-flaw-lets-hackers-raise-dose-limits/

        http://go.bloomberg.com/tech-blog/2012-02-29-hacker-shows-off-lethal-attack-by-controlling-wireless-medical-device/

        http://www.newscientist.com/article/dn1920-internet-data-at-risk-from-language-flaws.html

        www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM356190.pdf

        http://news.bbc.co.uk/2/hi/7735502.stm

        • Products
        • Critical System Protection
        • Symantec Enterprise Security
        • Thought Leadership
        • Device Certificate Service
        • Identity and Authentication Services
        • IoT
        • healthcare IT
        • Security Community Blog
        • Managed PKI for SSL
      • Microsoft’s launch of Certificate Reputation

        Apr 17 2015, 9:51 PM

        by Dean Coclin 0

        A few weeks ago, Microsoft launched a new addition to their Bing Webmaster Tools which allows website operators to monitor their web domains to help ensure there are no improperly issued SSL certificates.

        This is a great benefit to those owners because:

        1. It’s easy to use and Microsoft monitors this for free

        2. The Certificate Authorities do not need to do anything special. Certificates are automatically monitored by Microsoft

        3. It’s integrated into the Bing Webmaster toolset. There is no need to sign up separately for the service

        4. It works for all types of SSL certificates, not just EV

        However, there are a few limitations today:

        1. This is currently a “preview” and only collects data from users on Windows 10 which itself is currently only in a preview release. Hence the data is limited. However, this will improve with the formal release of Windows 10.

        2. The data that Microsoft is gathering is not made public which prevents the public at large from also seeing the certificates. However, the need being addressed is that of website owners.

        More details are in this Microsoft blog.

        Trust continues to be enhanced in the Browser/Certificate Authority ecosystem (as discussed in this prior blog) and Certificate Reputation is another tool (along with Certificate Authority Authorization-CAA, Certificate Transparency-CT, and Public Key Pinning) along this path.

        • Products
        • Symantec Enterprise Security
        • Thought Leadership
        • Symantec Website Security
        • SSL
        • Identity and Authentication Services
        • DigiCert Code Signing
        • certificates
        • Security Community Blog
      • DV SSL Certificates and Ecommerce don't mix

        Mar 29 2018, 10:31 PM

        by Dean Coclin 0

        Symantec’s just-released Internet Security Threat Report shows that cybercriminals have been busier than ever, and socially engineered attacks are one vector that continues to see growth because of their likelihood of success. Although the attacks come in different forms, one approach fools unsuspecting users into clicking a link which takes them to a “look-alike” website. That imitation site typically mimics a highly phished domain (e.g. Apple ID, or a popular bank or credit card site). But now, to prove their legitimacy, phishers obtain Domain Validated (DV) SSL certificates because they know that consumers have been trained to look for the padlock or “https” in the browser URL window. The appearance of this lock further legitimizes the attack and tricks consumers into disclosing their credentials or banking/credit card details.

        There are three types of SSL certificates, each requiring a different level of authentication: DV, OV and EV. Understanding the differences among each SSL certificate type is important to help prevent falling victim to scammers. For example, DV certificates are quick and easy to procure and don’t require any type of information indicating the person trying to get the DV certificate actually represents a legitimate business. Fraudsters often use DV certificates to lure consumers to phishing websites that look authentic but are designed to steal sensitive information. For this reason, doing any type of ecommerce transaction on a DV-only site poses risk. While there are appropriate use cases for DV certificates, it’s important to know how cybercriminals are taking advantage of DV certificates to conduct phishing scams and how to protect against these types of cybercriminal attacks.

        Online shopping isn’t going away. Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the types of certificates, consumers will have to bear some of the burden of combatting cyber risks. Knowing the risks ahead of time, however, is half the battle. 

        • Products
        • Public Key Infrastructure (PKI)
        • Symantec Enterprise Security
        • Thought Leadership
        • SSL
        • Identity and Authentication Services
        • DigiCert SSL TLS Certificates
        • Security Community Blog
      • Enhancing Trust in the CA/Browser System

        Apr 13 2015, 5:40 PM

        by Dean Coclin 0


        Browsers and Certificate Authorities are in the news again over the reported mis-issuance of an SSL server certificate for google.com domains. Discovered by Google, most likely via the technology known as key pinning, and discussed by Google’s Adam Langley in this blog: a Chinese certificate authority, CNNIC (Chinese Internet Network Information Center), apparently issued an intermediate certificate to an Egyptian company called MCS Holdings. Because the CNNIC root certificate is included in the root store of most major browsers, users would not see any warnings on sites that have certificates issued by CNNIC or MCS Holdings. When MCS installed their intermediate into a Man in the Middle (MITM) proxy device, that device could then issue certificates for any site that users connecting via that proxy would visit.

        There are several violations of the CA/B Forum Baseline Requirements and Mozilla Root Program Requirements here. First, Mozilla specifically prohibits using public roots for MITM applications. (While there may be legitimate corporate use cases for these proxy devices, using public root certificates as part of the implementation is prohibited and is a violation of public trust.) Second, any sub-CA certificate (issued from the Root) must be publicly disclosed and audited, or be technically constrained (using the technology known as “name constraints”, which limits the domains for which the CA can issue certificates). Neither appears to be the case here. Third, indications are that the key was not generated and stored in a proper Hardware Security Module (HSM). There are several other mistakes as well, but these are the major ones.
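        What “technically constrained” means in practice, as an added example that is not part of the original post: the Go program below builds a throwaway hierarchy (a root, a sub-CA carrying a critical name constraint for example.com, and a server certificate) and runs the standard library’s chain verifier twice. A leaf inside the permitted domain verifies; a leaf for a host outside it is rejected with CANotAuthorizedForThisName, which is the outcome a browser-style verifier produces when a constrained sub-CA is misused for other people’s domains. All names and keys here are constructed; nothing reflects the actual CNNIC or MCS certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signed pairs a certificate with the private key that corresponds to it.
type signed struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // simple serial-number counter for the constructed hierarchy

// issue creates a certificate from tmpl, signed by parent (self-signed when parent is nil).
// Throwaway P-256 keys are generated on the fly; nothing here is a real CA.
func issue(tmpl *x509.Certificate, parent *signed) (*signed, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signed{cert: cert, key: key}, nil
}

// caTemplate returns a CA template; when permitted is non-empty the CA is
// technically constrained to those DNS domains, marked critical as the BRs require.
func caTemplate(cn string, permitted []string) *x509.Certificate {
	return &x509.Certificate{
		Subject:                     pkix.Name{CommonName: cn},
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
}

// VerifyUnderConstrainedSubCA builds root -> constrained sub-CA -> leaf for host and
// returns the chain-verification result, nil when the chain is acceptable.
func VerifyUnderConstrainedSubCA(permitted []string, host string) error {
	root, err := issue(caTemplate("Constructed Test Root", nil), nil)
	if err != nil {
		return err
	}
	sub, err := issue(caTemplate("Constructed Constrained Sub-CA", permitted), root)
	if err != nil {
		return err
	}
	leaf, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, sub)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.cert)
	inters.AddCert(sub.cert)
	_, err = leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// NotAuthorized reports whether err is specifically the name-constraint rejection.
func NotAuthorized(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	permitted := []string{"example.com"} // the only domain the sub-CA may issue for
	for _, host := range []string{"www.example.com", "login.example.net"} {
		err := VerifyUnderConstrainedSubCA(permitted, host)
		fmt.Printf("%-18s verify error: %v (name-constraint rejection: %v)\n", host, err, NotAuthorized(err))
	}
}
```

        The point of the exercise is the second line of output: a relying party does not need to know anything about the sub-CA’s operator, audits or intentions to reject the out-of-scope certificate, because the constraint travels inside the intermediate itself.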

        CNNIC documents show that the sub CA certificate was only issued for a short duration and was to be used for test purposes only. While this may be the case, it ignores the reality that the misuse of such a certificate can cause great harm to end users. Users can be deceived to go to a fraudulent website and have their credentials stolen. The fact that bogus certificates found their way onto the public Internet due to this “test” makes it clear that improper controls were in place at both CNNIC and MCS Holdings as well as a limited understanding of the rules surrounding public CAs.

        The major browsers quickly moved to un-trust the MCS Holdings certificate to protect their users from potential fraud. MCS sent a report to Mozilla with their assessment of the situation. Google has announced that they are taking action to distrust the CNNIC root certificates.  Google will “whitelist” all existing CNNIC certificates and has provided a path for re-inclusion into their browser by insisting all future certificates use Certificate Transparency.  Firefox will be updated to distrust any CNNIC certificate with a notBefore date of April 1, 2015. The current CNNIC root will remain in the Mozilla root store to validate current certificates and CNNIC can reapply for full inclusion but may be subject to additional scrutiny and controls during the process. This is essentially a punishment for violating the Baseline Requirements and the Mozilla root program rules.  Microsoft is still evaluating whether to take further action than just distrusting the MCS Holdings Intermediate certificate. No word from Apple so far.

        Three recently introduced technologies and controls, namely Certificate Authority Authorization (CAA) and Certificate Key Pinning (HPKP), which are designed to prevent mis-issuance, and Certificate Transparency (CT), which is designed to detect mis-issuance, significantly raise the level of security of the CA/Browser cryptography system. CT and HPKP are being implemented by some browsers, and CAA is a function that CAs will have to deploy.

        What is the lesson learned here? Not all CAs are created equal. Clearly CNNIC broke the rules and got caught. Whether it was intentional or not is being debated in public. It doesn’t appear from the evidence that this was intentionally malicious. Symantec and all the SSL-issuing CAs are held to high standards with regard to the ecosystem rules, including the CA/B Forum Baseline Requirements, Network Security controls, and the Mozilla, Microsoft, Google, Apple and other root program requirements. We have strict controls in place to ensure sub-CA certificates are either disclosed or constrained, have strong and knowledgeable vetting and authorization teams, obtain regular audits from accredited WebTrust auditors and work closely with the major browser vendors in the CA/B Forum. While we do issue sub-CA certificates to third parties, we are well aware of the strict rules surrounding this practice and the need to remain vigilant. Symantec supports the use of CT, CAA, and HPKP technologies and urges adoption by all participants in the ecosystem.  In the end, it matters which CA you choose, so pick one that has a long track record and invests in its infrastructure to ensure its customers are protected.

        • Products
        • Public Key Infrastructure (PKI)
        • Symantec Enterprise Security
        • Thought Leadership
        • SSL
        • Identity and Authentication Services
        • Security Community Blog
        • Managed PKI for SSL
      • SSL Certificates: What Consumers Need to Know

        Apr 29 2015, 11:24 PM

        by Dean Coclin 1

        In 1994, the first online purchase crossed the World Wide Web: a large pepperoni pizza with mushrooms and extra cheese from Pizza Hut. In the 20 years since, e-commerce has exploded into a bustling economy, exceeding $1.2 trillion in sales in 2013.

        This growth in online purchases rests upon a foundation of trust. People trust that the websites they use to track finances and make online purchases are secure and legitimate largely because of Secure Sockets Layer (SSL) certificates, otherwise known as that little green padlock in the URL bar of the browser.

        SSL certificates verify that the provider is who they claim to be and also indicate secure connections between personal devices and company websites. Understanding SSL certificates is important to help prevent falling victim to scammers. Because at the end of the day, not all sites, or SSL certificates, are created equal.

        Different types of certificates

        Website owners purchase SSL certificates through Certification Authorities (CA). There are three different types of SSL certificates, each providing a different level of security. The problem is that, even though all of these certificates provide the safety padlock in the URL bar of a browser, along with the HTTPS (“S” indicating “secure”) in the address bar,  the levels of security between types of certificates differ greatly. This is why it is important to understand what kind of SSL certificate a site is using when looking to perform financial transactions or anything involving personal user data.

        • Domain validated (DV): This simply verifies who owns the site. It’s a simple process where the CA will send an email to the website’s registered email address in order to verify their identity. No information about the company itself is required. Cybercriminals commonly use DV certificates because they are easy to obtain and can make a website appear more secure than it actually is. For instance, fraudsters may use DV certificates to lure consumers to phishing websites that look authentic, or to cloned websites that look legitimate, but are designed to steal sensitive information.
        • Organizationally validated (OV): To receive an OV certificate, a CA must validate certain information, including the organization, physical location and its website’s domain name. This process typically takes a couple of days.
        • Extended validation (EV): This certificate has the highest level of security and is the easiest to identify. In order to issue an EV certificate, the CA performs enhanced review of the applicant to increase the level of confidence in the business. The review process includes examination of corporate documents, confirmation of applicant identity and checking information with a third-party database. In addition to adding the padlock in the URL bar of the browser, the “S” part of HTTPS, this adds the company’s name in green in the browser URL bar.

        Can you tell the difference?

        [Image: three browser address bars, one each for a DV, an OV and an EV certificate]

        Clearly, the last URL is an EV certificate. The first is the DV certificate and the second is an OV certificate, which both look identical to each other.

        What can people do to stay safe?

        Now knowing what an SSL certificate is, the three different types, and that DV-enabled sites pose a risk for scams, how can users reduce the risk of shopping or performing other sensitive transactions online?

        1. Be aware! Just because a website has the padlock or “https” next to a URL doesn’t make it safe for financial transactions. Users have learned to look for those two things before conducting a transaction, which is exactly why cybercriminals are going through the trouble of obtaining SSL certificates in the first place – to look like a legitimate site.
        2. Know how to look for the type of SSL certificate a website has. As a first step, look for visual cues indicating security, such as a lock symbol and green color in the address bar. Only EV-enabled websites include the company name in the web address bar. Browsers do not distinguish a DV certificate from an OV certificate, however. To make it easy to tell the difference, Norton has created a free tool. You simply paste a URL directly into the tool and it will tell you if the site is DV-, OV- or EV-enabled, with results clearly highlighting how safe a site is.
        3. Only conduct transactions and provide sensitive data to sites that have OV or EV certificates. There’s a time and place for DV certificates, but that doesn’t include using them for e-commerce sites. If you drop a URL into the Norton tool and the tool reports that the site has a DV certificate, rethink conducting any type of transaction via that site. If it’s an OV or EV certificate site, you know that the business information has been confirmed.
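        Both the “DV SSL Certificates and Ecommerce don't mix” post above and the three certificate types described here rest on one fact: the validation level is recorded in the certificate itself, even though the browser padlock looks the same for DV and OV. The Go example below is an added illustration, not part of the original post and not the Norton tool: it decodes the certificatePolicies extension of a parsed certificate and looks for the CA/Browser Forum policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV), falling back to whether the subject carries an Organization name. The sample certificates are constructed in memory; with a real site you would pass in tls.ConnectionState().PeerCertificates[0] or the result of x509.ParseCertificate instead.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// CA/Browser Forum policy OIDs that publicly trusted certificates carry to declare
// their validation level. The OID values are real; the certificates below are constructed.
var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidCABFEV              = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidCABFDV              = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidCABFOV              = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
)

// policyInformation mirrors PolicyInformation from RFC 5280 section 4.2.1.4;
// qualifiers (CPS pointers, user notices) are kept raw because we never inspect them.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// PolicyOIDs decodes the certificatePolicies extension from a certificate's raw extensions.
func PolicyOIDs(cert *x509.Certificate) []asn1.ObjectIdentifier {
	var oids []asn1.ObjectIdentifier
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &infos); err != nil {
			continue // malformed extension: ignore it rather than trust it
		}
		for _, pi := range infos {
			oids = append(oids, pi.Policy)
		}
	}
	return oids
}

// Classify reports the validation level. A CA/B Forum policy OID is authoritative;
// without one, an Organization in the subject indicates OV and its absence DV.
func Classify(cert *x509.Certificate) string {
	for _, oid := range PolicyOIDs(cert) {
		switch {
		case oid.Equal(oidCABFEV):
			return "EV"
		case oid.Equal(oidCABFOV):
			return "OV"
		case oid.Equal(oidCABFDV):
			return "DV"
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}

// sampleCert builds a constructed in-memory certificate with the given subject and policy
// OIDs, standing in for what x509.ParseCertificate or a TLS handshake would hand you.
func sampleCert(cn, org string, policies ...asn1.ObjectIdentifier) *x509.Certificate {
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	if org != "" {
		cert.Subject.Organization = []string{org}
	}
	if len(policies) > 0 {
		var infos []policyInformation
		for _, p := range policies {
			infos = append(infos, policyInformation{Policy: p})
		}
		val, err := asn1.Marshal(infos)
		if err != nil {
			panic(err)
		}
		cert.Extensions = append(cert.Extensions, pkix.Extension{Id: oidCertificatePolicies, Value: val})
	}
	return cert
}

func main() {
	samples := []struct {
		label string
		cert  *x509.Certificate
	}{
		{"DV, no organisation in subject", sampleCert("login.shop-example.test", "")},
		{"OV inferred from subject", sampleCert("www.shop-example.test", "Example Shop Ltd")},
		{"EV by CA/B Forum policy OID", sampleCert("www.shop-example.test", "Example Shop Ltd", oidCABFEV)},
	}
	for _, s := range samples {
		fmt.Printf("%-32s -> %s (policies: %v)\n", s.label, Classify(s.cert), PolicyOIDs(s.cert))
	}
}
```

        Treat the subject-based fallback as a heuristic: the policy OIDs are what the CA actually asserted, and an Organization string on its own proves nothing if the issuer did not validate it.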

        Let’s face it – online shopping isn’t going away. Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the types of certificates, people will have to bear some of the burden of combatting cyber risks. Knowing the risks ahead of time, consumers are less likely to be duped by phishing websites.

        Readers can find more information on SSL certificates in this recent Symantec whitepaper or by visiting our Trust Services page.

        • Products
        • DigiCert Code Signing
        • Symantec Enterprise Security
        • Thought Leadership
        • Security Community Blog
        • Symantec Website Security
      • Symantec SSL Certificates Now offer a FREE SAN for Base Domain Names.

        Mar 31 2015, 4:43 PM

        by The SSL Store™ 1

        The world’s most trusted online security brand, Symantec, has just announced that they will now secure www and non-www domain names with a single SSL certificate, and both will be considered the same FQDN! This is big news for us and all of our partners and customers.


        Finally, all Symantec SSL certificates will now consider the base domain as a free SAN or Subject Alternative Name, which simply means you can secure both versions of your website, www.name-of-site.com and name-of-site.com with single Symantec SSL Certificate. This is any easy thing that will reduce your cost and time to manage multiple certificates for one website.

        As the world’s leading brand, Symantec is always thinking about its partners’ and customers’ well-being and implementing new features like this to provide the best web security solutions on the planet. Symantec SSL certificates secure the majority of websites in the world and boast the strongest encryption, unparalleled brand recognition and a free Norton Secured seal, which is just icing on the cake if you ask me.

        Here are the three use cases for Symantec SSL certificates:

        • When you enroll with the Common Name www.name-of-site.com, Symantec SSL now automatically secures and adds the non-www version of the same domain (name-of-site.com) as a SAN for free.
        • When you enroll the Common Name as name-of-site.com, Symantec will automatically add www.name-of-site.com as a free SAN.
        • For a wildcard certificate: When the enrolled Common Name is *.name-of-site.com, Symantec will automatically add name-of-site.com as a free SAN.

        Details/Examples:
        1) When the Common Name is www.name-of-site.com

        Symantec SSL will add the common name’s base domain as a SAN value for all certificates where the common name begins with “www” and does not contain sub-domains.

        –  It’s free and it does not count toward the maximum number of allowed SANs.
        –  Of course, it will only be added if the TLD is valid.

        | TLD Domain Type              | Example Domain Name       | Add base domain as a SAN value? |
        | ---------------------------- | ------------------------- | ------------------------------- |
        | 1-level TLD (such as a gTLD) | www.domain.com            | Yes – add domain.com            |
        | 1-level TLD (such as a gTLD) | www.subdomain.domain.com  | No                              |
        | 2-level TLD (such as a ccTLD) | www.domain.co.uk         | Yes – add domain.co.uk          |
        | 2-level TLD (such as a ccTLD) | www.subdomain.domain.co.uk | No                            |
        | Internal host/IP             | server.local              | No                              |

        2) When Common Name is domain.com

        Symantec SSL certificates automatically add “www” to the common name’s domain as a SAN value for all certificates where the common name is a simple domain name without any sub-domains.

        –  It’s free and it does not count toward the maximum number of allowed SANs.
        –  Of course, it will only be added if the TLD is valid.

        | TLD Domain Type              | Example Domain Name       | Add www domain as a SAN value?  |
        | ---------------------------- | ------------------------- | ------------------------------- |
        | 1-level TLD (such as a gTLD) | domain.com                | Yes – add www.domain.com        |
        | 1-level TLD (such as a gTLD) | www.subdomain.domain.com  | No                              |
        | 2-level TLD (such as a ccTLD) | domain.co.uk             | Yes – add www.domain.co.uk      |
        | 2-level TLD (such as a ccTLD) | www.subdomain.domain.co.uk | No                            |
        | Internal host/IP             | server.local              | No                              |

        3) When Common Name is *.domain.com (Wildcard SSL)

        Symantec SSL certificates automatically add the common name’s base domain as a SAN value for all certificates where the common name is a wildcard and does not contain sub-domains.

        –  It’s free and it does not count toward the maximum number of allowed SANs.
        –  Of course, it will only be added if the TLD is valid.

        | TLD Domain Type              | Example Domain Name       | Add base domain as a SAN value? |
        | ---------------------------- | ------------------------- | ------------------------------- |
        | 1-level TLD (such as a gTLD) | *.domain.com              | Yes – add domain.com            |
        | 1-level TLD (such as a gTLD) | *.subdomain.domain.com    | No                              |
        | 2-level TLD (such as a ccTLD) | *.domain.co.uk           | Yes – add domain.co.uk          |
        | 2-level TLD (such as a ccTLD) | *.subdomain.domain.co.uk | No                              |
        | Internal host/IP             | *.server.local            | No                              |
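        The three cases above are one rule: a free SAN is added only when the common name is exactly one label (www, bare, or *) above a registrable domain under a valid TLD. The following Python is an added example, not code from The SSL Store or Symantec; it encodes that rule with a constructed two-entry stand-in for a public-suffix list, and adds the check a site owner would run on the issued certificate, because a wildcard SAN alone never matches the bare domain.

```python
from typing import Optional, Set

# Constructed stand-in for a public-suffix list; a real check would use the full PSL.
PUBLIC_SUFFIXES = {"com", "co.uk"}

def registrable_domain(host: str) -> Optional[str]:
    """Return 'label.<suffix>' when host ends in a known 1- or 2-level suffix, else None."""
    labels = host.lower().split(".")
    for n in (2, 1):  # try 2-level suffixes (co.uk) before 1-level (com)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None  # unknown TLD, internal host such as server.local, or an IP

def free_san(common_name: str) -> Optional[str]:
    """The extra name the tables say is added, or None when no free SAN applies."""
    cn = common_name.lower()
    base = registrable_domain(cn)
    if base is None:
        return None
    if cn == base:                          # case 2: domain.com -> www.domain.com
        return "www." + base
    if cn in ("www." + base, "*." + base):  # cases 1 and 3: -> domain.com
        return base
    return None                             # www.sub.domain.com etc.: nothing added

def covers(sans: Set[str], hostname: str) -> bool:
    """Hostname matches a SAN exactly, or a wildcard SAN stands in for its leftmost label only."""
    hostname = hostname.lower()
    if hostname in sans:
        return True
    labels = hostname.split(".")
    return len(labels) > 2 and "*." + ".".join(labels[1:]) in sans

def both_forms_covered(common_name: str, sans: Set[str]) -> bool:
    """Post-issuance check that the CN and its promised free SAN both appear in the certificate."""
    pair = free_san(common_name)
    if pair is None:
        return False
    sans = {s.lower() for s in sans}
    return covers(sans, common_name) and covers(sans, pair)

if __name__ == "__main__":
    for cn in ("www.domain.com", "domain.co.uk", "*.domain.com", "www.subdomain.domain.com", "server.local"):
        print(f"{cn:28} -> {free_san(cn)}")
    # A wildcard alone does not cover the bare domain; that is why case 3 adds it.
    print(both_forms_covered("*.domain.com", {"*.domain.com"}))                # False
    print(both_forms_covered("*.domain.com", {"*.domain.com", "domain.com"}))  # True
```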

        The following Symantec SSL products are enhanced by this change:

        | Symantec                | Thawte                    | GeoTrust                 |
        | ----------------------- | ------------------------- | ------------------------ |
        | Secure Site Pro with EV | SSL Web Server with EV    | True BusinessID with EV  |
        | Secure Site with EV     | SGC Supercerts            | True BusinessID          |
        | Secure Site Pro         | SSL Web Server            | –                        |
        | Secure Site Wildcard    | SSL Web Server Wildcard   | True BusinessID Wildcard |
        | Secure Site SSL         | SSL123 (DV But Allow)     | –                        |

        *GeoTrust already offers domain.com as a free SAN when the common name is www.domain.com, but will now also add www.domain.com as a free SAN when the common name is domain.com.

      • Bridging the Gap between IT and the Business with Next Generation Cloud Security

        Mar 18 2015, 11:16 AM

        by Mike Smart 0

        To those of us who have been brought up in the world of IT, there is nothing scarier than users and lines of business choosing and deploying their own IT. We’ve labeled it ‘Shadow IT’ because it’s technology that is used in the dark, without the knowledge of the IT department.

        But actually, to the user or the line of business, it’s just innovation. The typically risk-averse IT departments are all about mitigating risk; after all, we’ve deployed anti-virus and intrusion prevention technologies to mitigate the risk of viruses and intrusions. This attitude of preventing risk is making us unpopular and irrelevant to the business, and this is why they often choose to bypass the IT procurement process.

        The fact is, users are more mobile than ever, and are comfortable taking corporate data and storing it on mobile devices or cloud storage applications, all in the name of innovation and increased productivity. Perhaps those of us in IT should find a way to embrace this and at the same time protect the business without imposing impractical policies and processes.

        To help you bridge the gap, and allow users and the business to adopt flexible working practices that drive innovation through the adoption of mobility and cloud-based systems and infrastructure, Symantec has released Identity: Access Manager. Symantec™ Identity: Access Manager is a next-generation access control platform that offers users and administrators control, convenience, and compliance for cloud-based applications.

        Access Manager starts by using Symantec Validation and ID Protection (VIP) and Symantec Managed PKI to bring integrated single sign-on (SSO) and strong authentication to mobile devices. With Access Manager, users can log in once using a password, PIN, or even a fingerprint to safely access all of their cloud apps and information. This helps secure mobile devices by eliminating bad password practices and gives your users fast, easy access to the resources they need.

        Also, Access Manager provides flexible, easy-to-create connectors and unified identity and context-based access control for virtually any cloud app or service, which means you can enforce your security and compliance policies, log your activities to stay compliant, and ultimately turn those rogue apps into legitimate productivity tools.

        Access Manager is every bit as flexible as it is powerful. You can choose to deploy it on-premise or in the cloud, depending on the needs of your organization. And because Access Manager integrates seamlessly with your existing infrastructure, it reduces complexity by providing a convenient central point for managing all of your different user directories.

        In summary, there are five good reasons to try Symantec Identity: Access Manager in your environment:

        • Ensures control, convenience, and compliance for public and private cloud applications
        • Enhances security with strong authentication and identity/context-based access control
        • Streamlines compliance auditing by consolidating access logs for protected users and applications
        • Boosts users’ productivity with Single Sign-On – one password grants access to all apps
        • Offers flexible deployment options: choose between on-premises and hosted service

        If you want to find out more, visit our home page here:
