The Challenges of Transitioning Non-Browser Applications to SHA-2
Mar 01 2016, 8:00 PM
by Dean Coclin
Two weeks ago, Worldpay, a major international payment processor, approached Symantec and the CA/Browser Forum with an urgent situation. A small but still meaningful portion of the payment terminals within their global network can only work with certificates signed using the SHA-1 hash algorithm.
SHA-1 is an older hash function whose collision resistance has been progressively weakened by published attacks. Under the current CA/Browser Forum Baseline Requirements, Certificate Authorities have not been allowed to issue new publicly trusted SHA-1 certificates since January 1, 2016. Existing certificates can remain in use until they expire or until browsers and operating systems stop accepting them, which several browsers currently plan to do on January 1, 2017.
While Worldpay made considerable efforts to identify all of their servers, and believed they had obtained all the required certificates last year, some were missed; those servers serve roughly 1% of their credit card terminals and ATMs globally. Given Worldpay’s large global footprint, that small percentage translates into a significant number of potentially affected businesses and end consumers.
Following Worldpay’s request to the CA/Browser Forum, Symantec followed up with each of the major browsers directly. After a public discussion on the Mozilla Dev Security Policy list, Mozilla proposed an approach that would enable Worldpay to get the required exception while minimizing the risk associated with additional SHA-1 certificate issuances.
The long-standing concerns about continued use of SHA-1 were reiterated by many, as were the practical issues posed by Worldpay. We took this issue very seriously, as we had to weigh the additional risk against the potential disruption to Worldpay’s global merchant network and consumers. After ruling out other possible technical options, we concluded that the approach proposed by Mozilla was the best available option. We issued these exception certificates to Worldpay last week, and we will continue to work with them on alternate solutions that adhere to industry best practices for certificate security, compliance, and management. A key element in our decision to issue these exception certificates was that they will be used only with non-browser clients, allowing the browsers to proceed uninterrupted with their upcoming plans to disable SHA-1 support.
Recognizing today’s complex technical interdependencies, several in the CA/Browser Forum raised the question of how to avoid this type of issue in the future. We are working with Worldpay and other customers to deploy alternate solutions, such as Symantec’s Private CA offering, that will ultimately separate the certificates and trust roots used by credit card terminals, ATMs, cable boxes, and other non-browser clients from those trusted by popular web browsers, so that a public-CA deprecation no longer breaks devices that never talk to a browser.
Symantec fully understands and promotes the necessity of adhering to best practices for certificate security management. That said, we also understand that real-world implementation is sometimes more challenging than anticipated, and we need to work together not only to create the right incentives for 100% compliance, but also to handle these real-world cases with the right level of consideration and nuance. We believe that by collaborating with Mozilla and others we have found a short-term solution that will enable businesses around the globe to keep functioning while providing the additional time that is clearly required for the technical migration to SHA-2.
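Worldpay’s problem was an incomplete inventory. The script below is an added example (not Symantec’s or Worldpay’s code) of the check a practitioner would run over a directory of PEM certificates: it flags SHA-1 signatures and computes the replacement deadline from the two dates in the post, distinguishing browser-facing certificates (unusable after the browser cutoff) from non-browser ones (usable until expiry, but not renewable as SHA-1 by a public CA). It uses only the standard library; the sample inventory is constructed in the block from unsigned stand-in certificates, and the host names are hypothetical.

```python
"""Audit a PEM certificate inventory for SHA-1 signatures against the dates
in the post: no new public SHA-1 certificates after 2016-01-01, browser
blocking planned for 2017-01-01. Standard library only; a minimal DER walker
pulls the signature algorithm OID and notAfter out of each certificate."""
import base64
import datetime as dt

BROWSER_CUTOFF = dt.datetime(2017, 1, 1)   # several browsers block SHA-1 from here

# Signature algorithm OIDs that use SHA-1 (RFC 3279 / RFC 5758)
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}

def der_read(buf, pos):
    """Read one TLV at pos; return (tag, content, next_pos). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split the content of a constructed TLV into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        out.append((tag, inner))
    return out

def decode_oid(raw):
    """Decode DER OID content bytes (base-128 arcs) to dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("20" if int(text[:2]) < 50 else "19") + text   # RFC 5280 pivot
    return dt.datetime.strptime(text[:14], "%Y%m%d%H%M%S")

def inspect_pem(pem):
    """Return (signature algorithm OID, notAfter) for one PEM certificate."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, cert, _ = der_read(base64.b64decode(body), 0)
    tbs, sig_alg, _ = der_children(cert)[:3]          # tbsCertificate, signatureAlgorithm, signature
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    # Validity is the first SEQUENCE in tbsCertificate whose first element is a time
    validity = next(c for t, c in der_children(tbs[1])
                    if t == 0x30 and der_children(c) and der_children(c)[0][0] in (0x17, 0x18))
    not_after = parse_time(*der_children(validity)[1])
    return oid, not_after

def replace_by(pem, browser_facing=True):
    """Date by which a SHA-1 certificate must be replaced, or None if it is not SHA-1.
    Browser-facing certs stop working at the browser cutoff; non-browser clients can
    use the cert until it expires, but a public CA cannot renew it as SHA-1."""
    oid, not_after = inspect_pem(pem)
    if oid not in SHA1_SIG_OIDS:
        return None
    return min(not_after, BROWSER_CUTOFF) if browser_facing else not_after

# --- constructed sample input: unsigned stand-ins, NOT real certificates ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def fake_cert_pem(sig_oid, not_after):
    """Minimal Certificate structure with empty issuer/subject/SPKI and a dummy signature."""
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30, b"") + tlv(0x30, utc(dt.datetime(2015, 6, 1)) + utc(not_after))
              + tlv(0x30, b"") + tlv(0x30, b""))
    b64 = base64.b64encode(tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

SAMPLE_INVENTORY = {  # hypothetical host names
    "web-frontend":    fake_cert_pem("1.2.840.113549.1.1.5", dt.datetime(2017, 6, 30)),
    "pos-terminal-gw": fake_cert_pem("1.2.840.113549.1.1.5", dt.datetime(2016, 9, 30)),
    "api":             fake_cert_pem("1.2.840.113549.1.1.11", dt.datetime(2018, 1, 1)),
}

if __name__ == "__main__":
    for name, pem in SAMPLE_INVENTORY.items():
        oid, not_after = inspect_pem(pem)
        print(name, SHA1_SIG_OIDS.get(oid, oid), not_after.date(), "replace by", replace_by(pem))
```

On real inventories, replace `SAMPLE_INVENTORY` with the PEM files from your servers and appliances; the DER walker only needs the outer structure, so it also works on certificates whose subject or extensions it does not otherwise understand. A SHA-1 certificate on a terminal-only endpoint still needs a migration plan (the post’s Private CA route, for example), because its deadline is its own expiry and no public CA can reissue it.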
Most Dangerous Web Application Security Risks
Sep 02 2015, 4:01 AM
by Sathya Narayanan Balakrishnan
As everybody knows, the top 10 dangerous web app security risks are:
Injection flaws
Cross-site scripting
Broken authentication and session management
Insecure direct object reference
Cross-site request forgery
Security misconfiguration
Insecure cryptographic storage
Failure to restrict URL access
Insufficient transport layer protection
Unvalidated redirects and forwards
Being a new techie to Symantec and Symantec products, may I know what Symantec's contributions and updates for these security risks are?
May I also ask everyone to kindly share an example of an incident you may have come across in the past, where one of these security risks wasn't detected and ended up in major chaos.
Many thanks
Best regards
Sathya Balakrishnan
Information Security Response Analyst
Symantec SSL Certificates Now offer a FREE SAN for Base Domain Names.
Mar 31 2015, 4:43 PM
by The SSL Store™
Symantec, the world’s most trusted online security brand, has just announced that it will now secure the www and non-www versions of a domain name with a single SSL certificate: the certificate carries both host names. This is big news for us and for all of our partners and customers.
Finally, all Symantec SSL certificates will now include the base domain as a free Subject Alternative Name (SAN), which simply means you can secure both versions of your website, www.name-of-site.com and name-of-site.com, with a single Symantec SSL certificate. This is an easy change that reduces the cost and effort of managing multiple certificates for one website.
As the world’s leading brand, Symantec is always thinking about its partners’ and customers’ well-being, and implements new features like this to provide the best web security solutions on the planet. Symantec SSL certificates secure a majority of websites in the world and boast strong encryption, unparalleled brand recognition and a free Norton Secured seal, which is just icing on the cake if you ask me.
Here are the three use cases for Symantec SSL certificates:
When you enroll with the Common Name www.name-of-site.com, Symantec now automatically adds the non-www version of the same domain (name-of-site.com) as a free SAN.
When you enroll with the Common Name name-of-site.com, Symantec automatically adds www.name-of-site.com as a free SAN.
For a wildcard certificate, when the enrolled Common Name is *.name-of-site.com, Symantec automatically adds name-of-site.com as a free SAN.
Details/Examples:
1) When the Common Name is www.name-of-site.com
Symantec SSL will add the common name’s base domain as a SAN value for all certificates where the common name begins with “www” and does not contain sub-domains.
– It’s free and it does not count towards the maximum number of allowed SANs.
– Of course, it will only be added if the TLD is valid.
TLD domain type                 Example domain name           Add base domain as a SAN value?
1-level TLD (such as a gTLD)    www.domain.com                Yes, add domain.com
1-level TLD (such as a gTLD)    www.subdomain.domain.com      No
2-level TLD (such as a ccTLD)   www.domain.co.uk              Yes, add domain.co.uk
2-level TLD (such as a ccTLD)   www.subdomain.domain.co.uk    No
Internal host/IP                server.local                  No
2) When the Common Name is domain.com
Symantec SSL certificates automatically add the “www” host name of the common name’s domain as a SAN value for all certificates where the common name is a simple domain name without any sub-domains.
– It’s free and it does not count towards the maximum number of allowed SANs.
– Of course, it will only be added if the TLD is valid.
TLD domain type                 Example domain name           Add www host name as a SAN value?
1-level TLD (such as a gTLD)    domain.com                    Yes, add www.domain.com
1-level TLD (such as a gTLD)    subdomain.domain.com          No
2-level TLD (such as a ccTLD)   domain.co.uk                  Yes, add www.domain.co.uk
2-level TLD (such as a ccTLD)   subdomain.domain.co.uk        No
Internal host/IP                server.local                  No
3) When the Common Name is *.domain.com (Wildcard SSL)
Symantec SSL certificates automatically add the common name’s base domain as a SAN value for all certificates where the common name is a wildcard and does not contain sub-domains.
– It’s free and it does not count towards the maximum number of allowed SANs.
– Of course, it will only be added if the TLD is valid.
TLD domain type                 Example domain name           Add base domain as a SAN value?
1-level TLD (such as a gTLD)    *.domain.com                  Yes, add domain.com
1-level TLD (such as a gTLD)    *.subdomain.domain.com        No
2-level TLD (such as a ccTLD)   *.domain.co.uk                Yes, add domain.co.uk
2-level TLD (such as a ccTLD)   *.subdomain.domain.co.uk      No
Internal host/IP                *.server.local                No
The following Symantec SSL products are enhanced by this change (one row per product tier, one column per brand):
Symantec                  Thawte                       GeoTrust
Secure Site Pro with EV   SSL Web Server with EV       True BusinessID with EV
Secure Site with EV       SGC SuperCerts               True BusinessID
Secure Site Pro           SSL Web Server               (none)
Secure Site Wildcard      SSL Web Server Wildcard      True BusinessID Wildcard
Secure Site SSL           SSL123 (DV, but included)    (none)
*GeoTrust already offers domain.com as a free SAN when the common name is www.domain.com, but will now also add www.domain.com as a free SAN when the common name is domain.com.
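The three cases and their tables amount to one rule: strip a leading “www.” or “*.” and add the base domain, or add “www.” to a bare base domain, but only when what is left is a registrable domain under a valid TLD. The code below is an added example (not Symantec’s enrollment logic) that implements that rule and then checks the resulting name set the way a TLS client does, which shows why the wildcard case needs the extra SAN at all: `*.domain.com` never matches `domain.com`. The TLD and two-level suffix sets are a tiny stand-in for a real public suffix list, and every host name is made up.

```python
"""Compute the name Symantec's free-SAN rule adds for a Common Name, and check
that the resulting name set covers both the bare and the www host names.
PUBLIC_TLDS and TWO_LEVEL_SUFFIXES are a partial stand-in for a public suffix
list (assumption); all host names below are made up."""

PUBLIC_TLDS = {"com", "net", "org", "uk", "au", "jp"}          # assumption: partial
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}    # assumption: partial

def is_base_domain(name):
    """True if name is a registrable base domain (domain.com, domain.co.uk) under a
    valid public TLD, i.e. neither a sub-domain nor an internal host like server.local."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-1] not in PUBLIC_TLDS:
        return False
    if len(labels) >= 2 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return len(labels) == 3            # domain.co.uk, not subdomain.domain.co.uk
    return len(labels) == 2                # domain.com, not subdomain.domain.com

def free_san(common_name):
    """Name the rule adds as a free SAN for this Common Name, or None.
    www.domain.com -> domain.com, domain.com -> www.domain.com, *.domain.com -> domain.com."""
    cn = common_name.lower()
    for prefix in ("www.", "*."):
        if cn.startswith(prefix):
            base = cn[len(prefix):]
            return base if is_base_domain(base) else None
    return "www." + cn if is_base_domain(cn) else None

def certificate_names(common_name):
    """Names a certificate enrolled with this Common Name ends up carrying
    (the CN itself is also emitted as a SAN by the CA, so it counts as a name)."""
    san = free_san(common_name)
    return [common_name] + ([san] if san else [])

def name_matches(pattern, host):
    """RFC 6125 style match: a wildcard only stands for exactly one leftmost label,
    so *.domain.com matches app.domain.com but neither domain.com nor a.b.domain.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host

def covered(names, host):
    """True if any name in the certificate's name set matches host."""
    return any(name_matches(n, host) for n in names)

if __name__ == "__main__":
    for cn in ("www.domain.com", "domain.co.uk", "*.domain.com",
               "www.subdomain.domain.com", "server.local", "192.0.2.10"):
        print(cn, "->", certificate_names(cn))
    print("*.domain.com alone covers domain.com:", covered(["*.domain.com"], "domain.com"))
    print("with the free SAN:", covered(certificate_names("*.domain.com"), "domain.com"))
```

When auditing an existing certificate, feed its actual SAN list to `covered` for every host name you serve rather than trusting the CN: clients match against the SAN list, and a sub-domain enrollment such as `www.subdomain.domain.com` gets no free name, so its bare form has to be added as a paid SAN or served from a different certificate.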
Avoid SSL Certificate and Clients May Avoid You
Oct 14 2014, 8:12 AM
by The SSL Store™
Google recently announced that HTTPS is now a signal in its search ranking algorithm, so whether your website carries an SSL certificate affects its ranking: sites served over HTTPS get a ranking boost. But why is Google giving more weight to websites that have an SSL certificate? Let me explain.
An SSL certificate lets your web server set up an encrypted connection with your visitors’ browsers, so that sensitive data such as banking and personal details travel in encrypted form. With phishing attacks on the rise, online security is a major concern worldwide. Google’s reasoning is that by rewarding websites that use HTTPS (and, in effect, penalizing those that don’t), site owners are pushed to deploy HTTPS, users learn to expect the “https” prefix, and people become more aware of online security in general.
Any legitimate website without an SSL certificate will feel the impact of Google’s update, as its ranking and organic traffic decrease. This could be disastrous for online firms that do not upgrade their servers and websites to HTTPS.
The downgrade also tends to bury potential ‘scam’ websites at the bottom of search results, on the reasoning that sites without SSL certificates are more likely to be run by people looking to harvest personal data for spam or fraud.
As we’ve already explained, a low ranking on Google could sound the death knell for an online business that relies on attracting new customers who search for online services or products. If you’re unsure whether you have an SSL certificate, open your website and look at the address bar.
If the address starts with ‘https’ and a padlock symbol is shown in the address bar, your site is served with an SSL certificate. Note that the padlock only means the connection is encrypted and the certificate is valid for that host name; it says nothing about who operates the site. If you do not see either, speak to your web host as soon as possible about enabling HTTPS on your server.
If you are new to SSL certificates, there is no need to worry. You can easily buy one by choosing from three options in the “SSL Wizard”.
Blogs
The Challenges of Transitioning Non-Browser Applications to SHA-2
Mar 01 2016, 8:00 PM
by Dean Coclin
Most Dangerous Web Application Security Risks
Sep 02 2015, 4:01 AM
by Sathya Narayanan Balakrishnan
Symantec SSL Certificates Now offer a FREE SAN for Base Domain Names.
Mar 31 2015, 4:43 PM
by The SSL Store™
Avoid SSL Certificate and Clients May Avoid You
Oct 14 2014, 8:12 AM
by The SSL Store™