Two weeks ago, Worldpay, a major international payment processor, approached Symantec and the CA/Browser Forum with an urgent situation.  A small but still meaningful portion of the payment terminals within their global network can only function using the SHA-1 hashing algorithm.

SHA-1 is an older technology that has been shown to be increasingly vulnerable.  According to the current CA/Browser forum standards, starting Jan 1, 2016 Certificate Authorities are no longer allowed to issue new public SHA-1 certificates (although existing certificates can remain in use until they expire or until browsers and operating systems block them, currently planned for January 1, 2017 by several browsers). 

While Worldpay made considerable efforts to identify all their servers and believed they had obtained all the required certificates last year, some were missed which service roughly 1% of their credit card terminals and ATM machines globally. Due to Worldpay’s large global footprint, that small percentage translates into a number of potentially impacted businesses and end consumers.   

Following Worldpay’s request to the CA/Browser Forum, Symantec followed up with each of the major browsers directly.  After a public discussion on the Mozilla Dev Security Policy list, Mozilla proposed an approach that would enable Worldpay to get the required exception while minimizing the risk associated with additional SHA-1 certificate issuances.

The long-standing concerns about continued use of SHA-1 were reiterated by many as were the practical issues posed by Worldpay. We took this issue very seriously, as we had to weigh the additional risk against the potential negative disruption to Worldpay’s global merchant network and consumers.  After ruling out other possible technical options, we concluded that the approach proposed by Mozilla was the best available option. We issued these exception certificates to Worldpay last week and we will continue to work with them on alternate solutions that will adhere to industry best practices for certificate security, compliance, and management. A key element in our decision to issue these exception certificates was that they will be used only with non-browser clients – allowing the browsers to proceed uninterrupted with their upcoming plans to disable SHA-1 support.

Recognizing today’s complex technical interdependencies, several in the CA/Browser Forum raised the question of how to avoid this type of issue in the future. We are working with Worldpay and other customers to deploy alternate solutions, such as Symantec’s Private CA offering, that will ultimately separate the handling of encryption in credit card terminals, ATMs, cable boxes, and other non-browser clients from that in popular web browsers.

Symantec fully understands and promotes the necessity for adherence to best practices for certificate security management. That said, we also understand that real-world implementation is sometimes more challenging than we might anticipate, and we need to work together to not only create the right incentives for 100% compliance, but also to handle these real-world cases with the right level of consideration and nuance. We believe by collaborating with Mozilla and others, we have found a short-term solution that will enable businesses around the globe to keep functioning while providing some additional time, clearly required, to allow for the technical migration to SHA-2.

As everybody know the top 10 dangerous web app security risks:

1. Injection flaws
2. Cross - site scripting
3. broken authentication and session management
4. insecure direct object reference
5. cross site request forgery
6. security misconfiguration
7. insecure cryptographic storage
8. failure to restrict URL access
9. insufficient transport layer protection
10. Invalidated redirects and forwards

Being an new techie to Symantec and Symantec products, may I know what are Symantec's contributions, updates for these security risks?

May I also ask everyone to kindly share an example of an incident which you may came across in the past, where one of these security risks wasn't detected which ended up in major chaos.

Many thanks

Best regards

Sathya Balakrishnan

Information Security Response Analyst

The world’s most trusted online security brand Symantec has just announced that they will now secure www & non-www domain names with single SSL certificate & it will be considered the same FQDN! This is big news for us and all of our partners and customers.

Finally, all Symantec SSL certificates will now consider the base domain as a free SAN or Subject Alternative Name, which simply means you can secure both versions of your website, www.name-of-site.com and name-of-site.com with single Symantec SSL Certificate. This is any easy thing that will reduce your cost and time to manage multiple certificates for one website.

As the world’s leading brand, Symantec is always thinking about their partners and customers’ well-being and implementing new features like this to provide the best web security solutions on the planet. Symantec SSL certificates secure the majority of websites in the world and boasts the strongest encryption, unparalleled brand recognition, free Norton secured seal, which is just icing on the cake if you ask me.

Here are the 3 use case for Symantec SSL certificates:

Details/Examples:
1) When the Common Name is www.name-of-site.com

Symantec SSL will add the common name’s base domain as a SAN value for all certificates where the common name begins with “www” and does not contain sub-domains.

–  It’s free and it does not count as part of the max # of allowed SAN
–  Of course, it will only be added if TLD is valid.

2) When Common Name is domain.com

Symantec SSL certificates automatically add “www” to the common name’s domain as a SAN value for all certificates where the common name is a simple domain name without any sub-domains.

–  It’s free and it does not count as part of the max # of allowed SAN
–  Of course, it will only be added if TLD is valid.

3) When Common Name is *.domain.com (Wildcard SSL)

Symantec SSL Certificate automatically add the common name’s base domain as a SAN value for all certificates where the common name is wildcard and does not contain sub-domains.

–  It’s free and it does not count as part of the max # of allowed SAN
–  Of course, it will only be added if TLD is valid.

The following SSL products of Symantec are enhanced from this change:

*GeoTrust already offers domain.com as a free SAN when the common name is www.domain.com, but will now also add www.domain.com as a free SAN when the common name is domain.com.

Google recently announced the https certificate update to its search algorithm, it will directly impact on your website ranking, if your website carry the SSL Certificate then you will get the “Google Ranking” boost up. But think why Google is giving the more important to websites which has an SSL Certificate let me explain you.

An SSL Certificate is create a secure layer between your web browser and visitors’ web browsers, and making important data like banking & personal details in encrypted format. As phishing attacks are increasing nowadays, online security is major concern for the world. Google believes that by penalized the websites which don’t have an SSL Certificate, owners of the websites create the benchmark that show users are more likely to visit a websites which are secure with “https” and by this way people become more aware about online web security and the companies are pushing their website with https certificate.

Any authentic website without an SSL Certificate will see the impact of Google’s update immediately, as they decrease the organic traffic for their website and ranking. This could be disastrous for the online firms who do not upgrade their servers and website with SSL Certificate.

The decrease is to effectively bury potential ‘scam’ websites at the bottom of search results, as Google believe those without SSL certificates are likely to be run by people looking to mine personal data for spam or fraudulent purposes.

As we’ve already explained, a low ranking on Google could sound a death knell for online business, which are looking to attract new customers who search for online services or products. If you’re unsure if you have an SSL certificate or not, go to your webpage and look at the address bar.

If your web address starts with ‘https’ and you can see a padlock symbol in the address bar, like the one above image, then you have an SSL certificate. If you do not see either of these then speak to your web hosts ASAP about upgrading your server as soon as they can.

If you are new and don’t know anything about SSL Certificates, you no need to worry about it. You can easily buy an SSL Certificate by selecting 3 options through “SSL Wizard”.