Blogs

      • Do you need your own private Certificate Authority?

        Mar 29 2018, 10:28 PM

        by Elliot Samuels 3

        Do you have any intranet sites with a domain name like https://intranet.local? Or a mail server with an address like https://mail? These kinds of internal-only domain names are very common, but they pose a real problem.

        SSL certificates on an intranet

        Symantec and the other Certification Authorities (CAs) and browser vendors that make up the CA/Browser Forum have decided to stop issuing SSL certificates chained to a public root for names that cannot be resolved in the context of the public internet.

        This means that domain names need to be globally unique and not just unique on your network. So if you have a .local domain that you use internally, you will soon no longer be able to purchase a validated SSL certificate for this name.

        With the emergence of new gTLDs, such as .london, it is likely that many of the very common names used to identify server domains internally will be purchased and used by commercial organisations. Names such as .red and .home have already been applied for, and more will surely follow. Unless you specifically own these gTLDs, you will no longer be able to purchase a validated SSL certificate for them.

        Although this will improve security it creates challenges for organisations with servers that use these internal-only domain names or reserved IP addresses.

        Getting ready for the change

        Alternatives include switching to fully-qualified domain names, using self-signed certificates or setting up a private certification authority (CA) to authenticate internal domain names.

        For many companies, this last option – a private CA – is a smart way to get ready for the changeover as it requires the least change to existing systems and the lowest level of risk.
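
        To size the change, it helps to list which certificate names fall into the affected categories (internal-only names and reserved IP addresses). The following Python code is an added example, not part of the original post or of any Symantec tooling; the suffix list, function names and sample inventory are assumptions made for illustration.

```python
import ipaddress

# Assumed, non-exhaustive suffixes treated as internal-only in this example.
# A real audit would compare the last label against the IANA root zone list.
NON_PUBLIC_SUFFIXES = {"local", "localhost", "test", "invalid",
                       "internal", "lan", "corp", "home"}


def classify_name(name):
    """Return why a certificate name cannot be validated publicly, or None."""
    candidate = name.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        ip = None
    if ip is not None:
        # Private, loopback, link-local and other non-global ranges.
        return None if ip.is_global else "reserved IP address"
    if candidate.startswith("*."):
        candidate = candidate[2:]  # judge a wildcard by its base name
    labels = candidate.split(".")
    if len(labels) == 1:
        return "single-label host name"
    if labels[-1] in NON_PUBLIC_SUFFIXES:
        return "non-public suffix ." + labels[-1]
    return None


def audit(inventory):
    """Map each certificate label to the (name, reason) pairs that need action."""
    findings = {}
    for label, names in inventory.items():
        flagged = [(n, classify_name(n)) for n in names]
        flagged = [(n, why) for n, why in flagged if why]
        if flagged:
            findings[label] = flagged
    return findings


# Constructed inventory: certificate label -> subject names it carries.
SAMPLE_INVENTORY = {
    "intranet-portal": ["intranet.local", "portal.example.com"],
    "mail-gateway": ["mail", "10.0.0.5"],
    "public-shop": ["shop.example.com", "*.shop.example.com"],
}

if __name__ == "__main__":
    for label, flagged in audit(SAMPLE_INVENTORY).items():
        for name, why in flagged:
            print(f"{label}: {name} -> {why}")
```

        Every name it reports needs one of the alternatives listed above: a fully-qualified domain name, a self-signed certificate or a certificate from a private CA.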

        The Symantec option

        Symantec recently announced its Private Certification Authority solution. It lets you avoid the risks and hidden costs of self-signed certificates and the switching costs of deploying fully-qualified internet domain names across your entire intranet.


        Using Symantec’s bulletproof infrastructure, it covers requirements ranging from single-domain intranet SSL certificates and wildcard certificates up to self-signed CAs. It provides a hosted private SSL certificate hierarchy with end-entity certificates specifically built to secure your internal communications.

        The Managed PKI for SSL console simplifies SSL management by letting you manage public and private certificates in one control center. This helps you avoid the risk of unexpected expiries and issue new certificates as required. So if you have internal servers that use deprecated domain names, you need to consider a solution sooner rather than later.

      • New Infographic: Six things that can kill your website and how to stop them.

        Mar 29 2018, 11:06 PM

        by Andrew Horbury 2


        Your website is your window on the world – it’s your shop front, your brand on display, a key route to market and perhaps your most essential sales and marketing tool. As such, it is critical to your business: if something bad were to happen, it would be a disaster. Your shop could be closed, your reputation tarnished and visitors could stop coming. This is why website security is so important.

        We’ve designed this infographic to help educate you and help you understand six threats to your website and what you can do to prevent them.

        1. Website malware

        Web servers can be attacked by malware. Compromising legitimate websites and using them to infect visitors is an increasingly popular tactic for online criminals: in 2012, Symantec saw a three-fold increase in this type of web attack[1].

        2. Malvertising

        Criminals can also sneak malware infections onto legitimate ad-funded sites using malicious advertising or ‘malvertising’. Last year, more than 10 billion ad impressions were compromised in this way[2].

        3. Search engine blacklisting

        Google is reported to block 10,000 sites a day[3]. Search engines scan websites for malware and, if they find any on your site, your site could be blacklisted. This means that they stop listing the site, stop sending traffic to it and, depending on a visitor’s browser, they may also display a warning about the infection before the visitor goes to your site, even if they enter the address directly.

        Big names like TechCrunch and the New York Times have been blacklisted because they were found to be inadvertently running infected ads.[4]


        4. Security warnings and expired certificates

        Imagine that you’re a consumer and you’re ready to buy something but as you click on the checkout button, your browser gives you a security warning because of an out of date SSL certificate. The odds that you will complete the transaction are pretty low. Indeed, you’d think twice about coming back to the site in future.

        5. Brand impersonation (phishing)

        Criminals use well-known names and brands to trick people into disclosing confidential information or installing malware. Often, they use fake websites to fool people. A more recent development has been the use of social media to lure people to fake websites where they disclose information, such as social media website passwords, in the hope of some reward such as free vouchers or a free phone.

        6. Customer security concerns

        With so much criminality and so many security concerns, it’s not surprising that people are wary when using websites and look for reassurance that they are safe. Trust marks, such as the Norton™ Secured Seal show people that you take security seriously. They also demonstrate that your site is scanned regularly for malware and other vulnerabilities.

        Choose the right partner

        With so much at stake, it has never been more important to choose a well-known, reputable security partner. Symantec already secures more than one million web servers worldwide[5]. If you’re looking for trust, security and confidence for your website, Symantec is the right partner. Read more in our whitepaper.

        [1] Symantec ISTR 18

        [2] Online Trust Alliance, accessed 12 March 2013, https://otalliance.org/resources/malvertising.html

        [4] ‘Google Flags Ad Network Isocket for Alleged Malware; chrome blocks TechCrunch, Cult of Mac, others (Updated)’, The Next Web, accessed 12 March 2013, http://thenextweb.com/google/2013/01/15/google-flags-ad-network-isocket-for-alleged-malware-chrome-blocks-techcrunch-cult-of-mac-others/

        [5] Includes Symantec subsidiaries, affiliates, and resellers.

      • What you need to know to migrate from 1024-bit to 2048-bit encryption

        Mar 30 2018, 4:23 PM

        by Andrew Horbury 3

        I hope by now that you are aware that the Certificate Authority/Browser Forum has mandated that Certificate Authorities stop supporting 1024-bit key length RSA certificates for both SSL and code signing by the end of this year (2013). To learn more about these changes please read the CA/Browser Forum’s paper on the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.

        What do you need to do?

        Any Symantec customers with certificates expiring this year (2013) will need to renew by generating a Certificate Signing Request (CSR) of 2048 bits or higher. Any Symantec customers with certificates expiring in 2014 or later will need to replace and upgrade all 1024-bit certificates with 2048-bit RSA/DSA or 256-bit ECC certificates by 1st October 2013. All existing 1024-bit certificates will be discontinued industry-wide in the new year (2014). This is in compliance with NIST Special Publication 800-131A; you can read more about the changes here.

        To make this transition as easy as possible here are a few helpful resources:

        Check your certificate’s encryption strength

        How to generate a new CSR

        We have several tutorials that show you how to generate a CSR:

        You can check and validate your CSR using this tool

        How to Install a Certificate

        We have several tutorials that show you how to install an SSL Certificate:

        If you have a Microsoft IIS 6.0 or 7.0 server running .NET 2.0 or higher, or a Red Hat server, our SSL Assistant will help you automatically generate your new 2048-bit CSR and later install it.

        Additional Resources

        FAQ: Ending support for 1024-bit certificates

        Support: Get technical support for 1024-bit transition

      • Avoid Browser Security Error Messages with Real SSL Browser Root Ubiquity

        Mar 29 2018, 10:10 PM

        by Ryan White 0

        Browser root ubiquity is an important requirement when deciding on a Certificate Authority (CA) for your SSL Certificates. Many CAs claim 99% browser ubiquity but this claim does not mean that every certificate will activate without triggering a security warning in a browser. Newer or smaller CAs may not have had their roots included in the root store for some browsers. This is especially an issue for older browsers.

        VeriSign SSL does not have this issue. All browser manufacturers certainly remember to add VeriSign roots to their root store when new versions of that browser are released. This is not the case, however, for every SSL Certificate vendor out there. In the past, some CA roots have been left out when a new browser version was released. If a CA's roots are not included in a browser's root store, unsightly error messages can occur -- messages that can motivate users to abandon that session. This leads to lost opportunities for sales and creates dissatisfied customers who may or may not be lost forever. If you'd like to learn more about how trusted root stores work, see here.

        Today, a prominent company experienced this type of error on their web site. It happened after they received an SSL Certificate for one of their sites signed by a CA other than VeriSign (we don't like to name names, so we won't in this post). For this site, if a user visited the site on older versions of certain browsers, namely IE6 which still enjoys nearly 11% of worldwide browser market share, they would receive an error message indicating that the certificate was not trusted. Think about that. More than 1 in 10 visitors to this site were being shown a message that told them not to trust the site they were on. And all because the CA who signed that certificate (and who claims 99.3% browser ubiquity on their web site) didn't have their roots in the older browser.

        We all have to justify cost as we make our decisions in IT. Sometimes, site owners will get the impression that SSL is SSL and if I can save a few bucks, why shouldn't I? Browser root ubiquity is one of the many reasons why VeriSign SSL Certificates are not the same as all other certificates out there. The list of reasons why is in fact quite long, but we'll continue touching on that later...

      • FREE TRIALS - EV & SSL Certificates

        Mar 29 2018, 10:41 PM

        by Reshma Kumar 0

        Free trials of all VeriSign Secure Sockets Layer (SSL) Certificates, including the industry's first-ever free trial of fully functional Extended Validation (EV) SSL, are now available starting today! Now, website owners and operators can get a 30-day free trial of any flavor of VeriSign SSL certificates on their live websites without any obligation to buy. And, websites that don't require SSL encryption can take advantage of a 60-day free trial of the VeriSign Trust Seal. Cool!

      • Free trial certificates now available on trusted roots

        Mar 29 2018, 10:39 PM

        by Tim Callan 0

        I'm very pleased to announce that yesterday evening we went live with an important new development in the SSL Certificate industry and a major milestone in the history of the technology. Symantec is now offering full-functioning free trial versions of our SSL Certificates on trusted roots. For many years we've offered a free test certificate version that came with an untrusted root. These certificates are useful for developers who are creating applications, but they don't serve the needs of everyone who would like an SSL trial version.

        Our new trial versions have trusted roots, which means you can actually stage them in the exact environment you want to run and expect all functionality to work just as they will in final production. But it gets even better. You can put one of our 30-day free trial SSL Certificates onto your production environment, and then after you've satisfied yourself that the certificate is meeting your expectations, you can simply sign up for the service and the existing certificate will continue to function for the next year. That means server administrators don't even have to go back to reinstall production certificates. Just keep the certs you already have in place, and they simply work. Nothing could be easier.

        How else can you take advantage of our new free trials? As you may know, we've asked our customers what effect they've seen on sales or completed transactions based on including the VeriSign seal or Extended Validation SSL's green address bar on their sites. We've heard from dozens of businesses that have explicitly measured these questions and who on the average have seen a 24% increase in completed transactions due to the VeriSign seal and a 17.8% increase due to the EV SSL green address bar. Nonetheless, I personally have spoken with online businesses on many occasions that would prefer to measure the upside for themselves. Well, now you can. Get a VeriSign SSL Certificate on free trial and test out the seal for yourself. Get an EV cert on free trial and test out the green address bar for yourself.

        We also released a free trial version of our standalone VeriSign seal. Online businesses that don't need SSL but still want to demonstrate their credibility as genuine, malware-free sites can try out a VeriSign Trust Seal for free as well. And if you don't know what you need, we have a handy comparison page where you can look at all three free trial products side by side to find the right one for you.

      • Trade names in Extended Validation SSL Certificates

        Mar 30 2018, 4:02 PM

        by Tim Callan 0

        As I discuss EV SSL with a variety of online businesses, one question I get a lot is about the name that appears adjacent to the address bar in compatible browsers. The question goes something like this, "We do business under the well-known brand of HipCoolStuff, but our company is actually called Old Stodgy Holding Corporation. We don't want the Old Stodgy name on our Web site. Nobody knows us by that name, and it's not the brand identity we choose to present to the public. What can we do about that?"

        The answer is that you're allowed to use any legal trade name that you possess in that address bar. A business may obtain EV certificates under an organization name that is a legally registered trade name of the organization in question (referred to in the EV guidelines as "Assumed Name"). VeriSign or the other CA must authenticate the legal status of that trade name as a valid name registered to the Organization before we are allowed to issue the certificate. Then when the certificate appears on the site, you will see the trade name first and then a parenthetical note with the legal name of the organization. For example, HSBC also owns the first direct Internet bank. On the first direct site, the organization name is not "HSBC Holdings." Rather it is "first direct Bank (HSBC Holdings plc)."

        In my experience organizations are pretty buttoned up on trade names. The risks involved with building a brand on what is not a legal trade name are pretty unacceptable, and I don't recall ever having bumped into a company that got that one wrong. So if there's a name that you're trading under as your main brand, I expect you'll be allowed to put it in your EV SSL Certificates. If your company has several or many of these trade names, you can hold active certificates under more than one trade name concurrently (although each certificate will be limited to a single trade name for its duration, of course).
