Category: Announcements & Articles

Google Chrome to Mark All HTTP Sites as ‘Not Secure’ from July 2018

Google Chrome Will Mark HTTP Sites ‘Not Secure’ from July 2018 with the Release of Chrome 68

New Highlights:

  • Google Chrome will start labelling all non-HTTPS (plain HTTP) sites as “Not Secure”
  • The change will come with the Chrome 68 release in July 2018
  • Google’s Lighthouse tool, an open source app, helps developers run audits on web pages

For the past several years, Google has strongly advised webmasters to adopt HTTPS encryption. Google said that within the last year, it helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”.

This plan rolled out in stages. The first stage came with Chrome 58, when Google marked HTTP pages as “Not Secure” if they contained password or payment credit card fields. The second stage came with Chrome 62, when Google marked all HTTP pages opened in private browsing windows as “Not Secure”. The final stage begins in July 2018, when the Chrome 68 release will mark all HTTP sites as “not secure”.

 

 

In a recent announcement, Google confirmed that from July 2018, with the release of Chrome 68, every HTTP website that users visit in Chrome will be flagged as “Not Secure”.

 

In Chrome 68, the omnibox will display “Not secure” for all HTTP pages.

 

Developers have clearly heard the call. According to Google, the results of these efforts have been:

  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default

So it’s clear that HTTPS is the wave of the future when it comes to internet security.

Google Lighthouse Tool

Google’s Lighthouse is an open-source, automated tool for improving the quality of web pages. Google encourages websites to move to HTTPS with the help of its automated Lighthouse developer tool and other set-up guides.

Make a Strategic Decision When Buying the Right SSL Certificate

Focus on choosing the right SSL Certificate for your business needs. Before buying an SSL Certificate, you need to understand your specific requirements, such as whether you need to protect a single domain, multiple sub-domains or several different websites. Move your website from HTTP to HTTPS with an SSL Certificate today!

    How to Secure Cyber Attacks in India

    India has been shaken by a wave of cyber-attacks in the last four years.

    According to the Indian Computer Emergency Response Team (CERT-In), 27,482 cases of cybercrime were reported from January 2017 to June 2017. These include phishing, scanning or probing, site intrusions, defacements, virus or malicious code, ransomware and denial-of-service attacks.

    As per the information reported to and tracked by Indian Computer Emergency Response Team (CERT-In), the number of cybersecurity incidents reported were:

    • 2014: 44,679
    • 2015: 49,455
    • 2016: 50,362
    • 2017 (till June): 27,482

    Acmetek helps customers understand cyber threats and provides the best security solutions at affordable prices. We provide security solutions that will keep your business safe from the threat of cyber-attacks, vulnerabilities, malware attacks and more. Request a Call-back for more assistance from an Acmetek Trusted Advisor today!

      Over the years, technology has grown fast, and cyber-attacks have increased even faster. The growing cyber threats to businesses are pushing companies to recognize the importance of implementing cybersecurity requirements and awareness training programs for their employees in order to protect and secure their intellectual property. Cyber experts advise creating a secure infrastructure in your organization to prevent cyber threats and safeguard your customers’ data.

      How to Secure Infrastructure in Your Organization?

      Securing digital transformation is a big challenge for your business. Differing business processes and a varied technological landscape make it more critical to protect your most valuable assets: data, intellectual property and your organization’s brand image. Securing your business environment is the foundation for a successful digital transformation.

      Acmetek provides a comprehensive, defense-in-depth strategy for information security that can help protect sensitive data, reduce risk, and ultimately safeguard your company’s reputation. Our “7 Layers of Security Solutions” will build a more secure infrastructure and ensure its long-standing success in protecting your company’s sensitive information and securing your customers from cyber threats.

      Here are the solutions you need to secure your business, like never before….

      Acmetek products excel in every aspect of the security environment.

      SSL CERTIFICATES
      Protect Data with Encryption.

      DIGITAL SIGNING CERTIFICATES
      Securing Electronic Documents.

      ENDPOINT SECURITY
      Intelligent Security Against The Next Generation of Threats.

      MULTIFACTOR AUTHENTICATION OR 2FA
      Enterprise-grade Authentication Made Easy for Everyone.

      DISTRIBUTED DENIAL OF SERVICE – DDoS
      Protect Your Organization Against any DDoS Threats.

      WEB APPLICATION FIREWALL – WAF
      Protect Against Application Layer Attacks.

      MALWARE REMOVAL
      Cloud-Based, Comprehensive Website Security Solutions.

      Ways to Secure Your Data from Cyber-Attacks

      Acmetek is an authorized partner of the world’s leading Certificate Authorities (CAs) like DigiCert, Symantec, GeoTrust, Thawte and RapidSSL. We provide end-to-end security solutions at competitive market pricing. Acmetek is a provider of a comprehensive suite of security solutions in India and across the globe.

      To learn more, schedule a meeting with an Acmetek Trusted Advisor today to learn about the threats of cyber-attacks and how to prevent them by focusing on specific areas of security requirements.

        SSL Installation Instructions (All Systems)

        After your certificate has been issued, you will, as on the majority of server systems, install your SSL certificate on the same server where your Certificate Signing Request (CSR) was created. This is because your private key remains on the server system where the CSR was originally created. It will be either in the application or in the directory and path you chose when you generated the CSR. Your SSL certificate will not work without this private key file.

        If you do not see your server listed, perform a search, or contact your server vendor or hosting provider for best practices on how to install an SSL certificate on your system.

        Check your SSL installation with the Symantec Certificate Checker 

        Instructions for server vendors:


        A:
        Apache (OpenSSL/Nginx, ModSSL)

        Apple Mac OS X 10.6
        Apple Mac OS X 10.11

        Aruba ClearPass


        B:
        Barracuda SSL VPN


        C:
        Citrix Netscaler

        Cisco ASA 5510
        Cisco Wireless LAN Controller

        cPanel


        F:
        F5 BIG IP
        F5 FirePass

        FortiGate


        I:
        IBM AS/400 iSeries
        IBM WebSphere


        J:
        Juniper

        JBoss http

        JBoss Tomcat using x509 
        JBoss Tomcat pkcs7


        K:
        Kemp 6.x


        M:
        Microsoft Azure

        Microsoft Active Directory LDAP

        Microsoft Exchange 2010
        Microsoft Exchange 2013

        Microsoft Forefront

        Microsoft Server 2008 – IIS 7 & 7.5
        Microsoft Server 2012 – IIS 8 & 8.5

        Microsoft Lync

        Microsoft Office 365

        Microsoft Sharepoint 2010
        Microsoft Sharepoint 2013


        O:
        Oracle Wallet Manager


        P:
        Plesk 11.x
        Plesk 12


        S:
        SonicWall

        SAP Web Application Server

        SRT Titan FTP


        T:
        Tomcat pkcs7 
        Tomcat x509


        W:
        Web Host Manager (WHM)


        Z:
        Zimbra


        About SSLSupportDesk:

        SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

        Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

        Become a Partner and create an additional revenue stream while we do the heavy lifting for you.

        CSR Generation Instructions (All Systems)



        Troubleshooting: SSL with Qualys SSL Labs – SSL Checker

        There are many SSL checkers out there that are used to check the validity and installation of a website’s SSL Certificate. These checkers vary in the information they display and may have limitations, as they only perform their function as programmed. Aside from using an SSL Checker tool, there is always the manual way of using your browser to check for a proper installation.

        If you would like to learn how to check using a browser, SSLSupportDesk features an article on the subject: Troubleshooting: Checking SSL installation with a browser.

        Some SSL Checkers are extremely advanced and will not only check the validity of an SSL certificate, but can also point out flaws in a server’s configuration or software.

        Qualys SSL Labs has an SSL Server Test (SSL Checker) tool that is well executed and implemented.

        Please follow these steps to test your installation:

        1. Open the Qualys SSL Labs Server Test checker.
        2. Enter the URL/Domain name of the server that you wish to check & click Submit


        Troubleshooting Unresolved https address:

        SSL checkers will only work if your website is publicly accessible from outside your network. More than likely if your website is internal you will not get any results.

        Example: We used a domain name that does not exist in the outside world and got this result.


        How to read Qualys SSL Server Test Checker:

        Using sslsupportdesk.com, which is accessible from the open internet, let’s see how the Qualys SSL Server Test Checker works.

        With a successful installation we should see the following quality of the server system:

        Summary:

        1. Overall Rating: Based on the quality of the server system running the Domain Name submitted. The Overall Rating combines the categories of Certificate, Protocol Support, Key Exchange and Cipher Strength.
        2. Certificate: Factors that affect this score are:
          1. Domain name mismatch.
          2. Certificate not yet valid.
          3. Certificate expired.
          4. Use of a self-signed certificate.
          5. Use of a certificate that is not trusted.
          6. Use of a revoked certificate.
        3. Protocol Support: The encryption protocols that are available to clients visiting this web server.
        4. Key Exchange: The distribution of the public and private keys and their strength when setting up encryption between client and server.
        5. Cipher Strength: Ciphers perform the actual encryption/decryption of the key pair running on the server system. Some can be considered weak, others strong.

        Troubleshooting:

        Any warnings or concerns that the Qualys SSL Server Test Checker finds will be shown below the Summary.

        Red = Very bad
        Yellow = Advisories or Industry changes that may turn into red over time.

        More information regarding the checker’s findings can usually be found by clicking MORE INFO.

        Note: You may need to contact your server hosting provider or server vendor in order to perform updates, turn off certain protocols, or set the proper configuration needed for a good rating.


        Authentication:

        Server Key and Certificate #1: Shows the information pertaining to the SSL certificate running on the server system over HTTPS.
        Additional Certificates (If Supplied): Lists any additional certificates that the server system also presents. Usually these are Intermediate CA certificates.
        Certification Paths: Shows the entire Chain of Trust. Usually SSL Certificate > Intermediate > Root.

        Note: The last certificate in this chain will be the root certificate. At times a yellow “Sent by Server” may appear on the Root. This only means that when an SSL connection is made to the server, the server is presenting the root certificate to the client. Usually the Root certificate should only rest in the client browser’s Trust Store. Don’t be alarmed, as some servers have to present this due to their programming, although proper practice dictates that they shouldn’t.


        Configuration:

        Protocols: The encryption protocols that are available to clients visiting this web server.
        Cipher Suites: The child protocols that perform the actual encryption session.
        Handshake Simulation: Mimics the different browsers used to connect to the server.
        Side note: Most modern browsers will automatically choose the best, most secure connection the browser is capable of, regardless of how the server is configured.
        Protocol Details: More information regarding how the server system is handling protocols.
        Miscellaneous: Server type running Domain Name, Timestamp check occurred, etc.


        Qualys SSL Labs Server Test Checker tool is operated and managed by Qualys. This SSL Checker is one of many publicly available on the internet that can help you diagnose problems with your SSL certificate installation, or other errors that are associated with your server system.




        What is Certificate Transparency?

        Google’s Certificate Transparency is an open source project that aims to strengthen the SSL/TLS certificate system, which is the main cryptographic security system that underlies all HTTPS secure connections. It is an extra tier of certificate security that forms a Security Triad to ensure that clients navigating the internet are safe and secure with regard to web security.

        What Is Certificate Transparency (CT)?

        As the name implies, CT allows people on the internet to look at all certificates that have been issued by a Certificate Authority (CA). This is achieved using centralized logging to a collection of servers. These log servers talk to one another, to ensure consistency and reveal any unusual activity. Anyone can query the log servers to find out details on certificates that have been issued to anyone, by anyone. For example, a company could check to see what certificates have been created using its domains and details.

        In a nutshell, Certificate Transparency is a third-party auditing log required by Google/Chrome to display certificate ownership information. The information is publicly auditable. Once CT logging is enabled, that information will be public and cannot be deleted from the log. The following information appears in the CT log:

        • Common Name
        • Subject alternative names
        • Organization name
        • CA (issuer) name
        • Serial number
        • Validity period
        • Extensions
        • Certificate chain

        *Note that much of this information is already publicly available for external sites.

        The Security Triad:

        If you haven’t noticed, over the years all client web browsers have been implementing various security notifications regarding the safety of websites. Browsers have become an Auditor of website security and show notifications to clients when web-surfing.

        These notifications will typically show green bars or padlocks if everything is secure and safe, yellow exclamation marks to make clients aware that the website is not as secure as it can be, and red strikes if the browser deems something unsafe for users. The notifications will vary from browser to browser, but in the end these are all just disclaimers to inform web visitors about the safety of the website. Many things can contribute to these browser notifications, including outdated server software configurations, Mixed or Insecure Content, or the certificate running on the website.

        Now with Certificate Transparency there is a Web Security Triad. Security is not just limited to the Certificate Authority (Monitor) and Client browser (Auditor) like it used to be. Here’s what’s going on now.

        • CT is an intermediate logging system that holds time-stamped logs of the certificates that have been issued by the various CAs.
        • The CA informs the Log Server of all certificates that get issued.
        • The CA Monitor and Browser Auditor work in conjunction with the CT Log Server to Monitor, and Audit logs for suspicious certs, and verify that all the certs issued are visible for the public community.
        • The Client browser Auditor verifies that the logs are behaving properly and informs  clients of anything suspicious that has happened in regards to certificate security.

        CT is something that happens behind the scenes and is pretty much unnoticeable to browser clients navigating the web, but with its implementation there is a faster response and an extra tier of client safety when navigating the web.

        For more information on Certificate Transparency, feel free to visit https://www.certificate-transparency.org




        thawte SGC SuperCert SSL Deprecation

        Server Gated Cryptography (SGC) certificates are used for maintaining a 128-bit connection irrespective of browser age. They are designed to step up the encryption to 128 bit.

        SHA-256 is now the norm for all SSL certificates, and the thawte product thawte SGC SuperCert will no longer be compatible with SHA-256. This is the reason why thawte announced they will discontinue their SGC SuperCert product in the 2nd Qtr of 2015.

        Acmetek recommends the SSL Web Server with EV as a suitable replacement certificate. An added benefit of this certificate is that it also offers the Green Bar at a similar cost.




        Symantec SSL Certificates with the ECC Algorithm

        Overview

        The security environment is constantly changing as hackers become more sophisticated and your customers increasingly reach for mobile or tablet devices to carry out transactions online. Keeping up with the developments in malware and continuing to provide a secure and trustworthy experience for your customers is vital.

        As a leader in SSL security, Symantec is always working on new solutions that help your business to anticipate and meet increasing security demands, and provide a safe environment for your customers.

        Harnessing the latest technology, Symantec SSL certification with ECC is an easy way for your business to address the impending move to 2048-bit encryption and benefit from the explosion in mobile device and tablet use. ECC is a U.S. government-approved and National Security Agency-endorsed encryption method that offers your business enhanced security and better performance than current encryption.

        Better Performance, Stronger Security with the ECC Algorithm

        Elliptic Curve Cryptography (ECC) creates encryption keys based on the idea of using points on a curve to define the public/private key pair. It is difficult to break using the brute force methods often employed by hackers and offers a faster solution with less computing power than RSA-based encryption.

        Key Benefits

        • Better security: ECC provides stronger protection against attacks than current encryption methods. The ECC algorithm relies on a mathematical problem that is more difficult for hackers to attack than the current encryption, making your websites and infrastructure more secure than with traditional methods.
        • Better performance: ECC requires a shorter key length to provide a superior level of security. For instance, a 256-bit ECC key provides the same level of protection as a 3072-bit RSA key. The result? You get the security you need without sacrificing performance.
        • Investment protection: ECC helps protect your infrastructure investment by providing increased security that can handle the explosion in mobile device connections. ECC key lengths increase at a slower rate than other encryption method keys, potentially extending the life of your existing hardware and giving you a greater return on your investment.
        • Mobile advantage: ECC’s smaller key length means smaller certificates that consume less bandwidth. As more of your customers move to smaller devices for their online transactions, ECC offers a better customer experience.

        ECC KeySizes Vs RSA and DSA

        Compatibility

        We know that keeping up with security requirements, compliance and threats can be difficult, and that’s why Symantec creates solutions that will make protecting your business easier.

        Symantec’s ECC roots have been available in the top three browsers since 2007, so Symantec’s ECC certificates will work in your existing infrastructure as long as modern browsers are used.

        Why Acmetek?

        Acmetek is a Symantec Website Security Solutions Authorized Distributor and a Platinum Partner. Our certificates include certificate management, vulnerability assessment, malware scanning, and life time support for the certificate. You also get the Norton Secured Seal and Symantec Seal-in-Search to assure customers that they are safe when they search, browse or buy on your websites.

        Rest easy knowing your website is protected by the #1 choice for SSL security. Symantec SSL Certificates secure more than one million web servers worldwide— more than any other Certificate Authority. In fact, 97 of the world’s 100 largest SSL-using banks and 81% of the 500 biggest e-commerce sites in North America use SSL Certificates from Symantec.

        How to get SSL Certificates with ECC from Acmetek?

        Symantec Premium SSL Certificates, Secure Site Pro and Secure Site Pro with EV, now give you the option of using the high security ECC algorithm (included free) to deliver stronger security than standard encryption methods while improving performance.

        Visit the Symantec Secure Site Pro pages to sign up for a certificate or renew your current subscription.
        or
        Become a Partner and create additional revenue stream while we do the heavy lifting for you.



        The FREAK Vulnerability.

        The FREAK Vulnerability, What is happening?

        A new SSL/TLS vulnerability named “FREAK” was identified by several security researchers. This threat allows an attacker to get between a client and server and view what is intended to be a secure and private communication. The vulnerability is primarily due to a bug in OpenSSL client software, but is only exploitable on poorly-configured web servers. Both clients and servers are at risk. Website owners can protect their sites by properly configuring their web servers: removing the affected ciphers and restarting their servers. Note that this vulnerability is not related to SSL certificates. Your existing certificate will continue to work as intended. No certificate replacement is needed.

        Why should an Acmetek Customer or Partner care?

        Customer webservers may be vulnerable to this issue. Organizations should evaluate their web servers to determine if they are vulnerable. Symantec offers an easy-to-use check in its SSL Toolbox to allow customers to easily verify that their web sites are safe or vulnerable.

        What Must Acmetek Customers Do?

        It’s relatively easy to determine if a website is vulnerable, and if so, it’s relatively easy to change the configuration to block any possible attacks. Any type of web server (Apache, IIS, nginx, etc.) may be vulnerable if its configuration allows the use of so-called Export Ciphers. In Apache/OpenSSL documentation, for example, the names of these ciphers all begin with EXP (from https://httpd.apache.org/docs/2.4/mod/mod_ssl.html):

        EXP-DES-CBC-SHA

        EXP-RC2-CBC-MD5

        EXP-RC4-MD5

        EXP-EDH-RSA-DES-CBC-SHA

        EXP-EDH-DSS-DES-CBC-SHA

        EXP-ADH-DES-CBC-SHA

        EXP-ADH-RC4-MD5

        If a customer’s web server supports these ciphers, the customer must reconfigure the web server by removing these ciphers from the list of supported ciphers, and restart the web server. Although not related to this vulnerability, customers should also disable null ciphers if they are supported, since such ciphers do not provide any encryption of the SSL stream:

        NULL-SHA

        NULL-MD5

        In Windows, the names of export ciphers contain the string “EXPORT”. Here is a list taken from http://support.microsoft.com/kb/245030:

        SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA

        SSL_RSA_EXPORT1024_WITH_RC4_56_SHA

        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

        SSL_RSA_EXPORT_WITH_RC4_40_MD5

        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

        TLS_RSA_EXPORT_WITH_RC4_40_MD5

        NULL

        We advise customers to consult their web server documentation to determine how to view the list of supported ciphers, and how to disable certain ciphers.
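One way to check a configuration for the suites listed above, as an added example that is not from the original article or from Symantec: a small Python linter that recognises export and null suites in both naming styles and flags Apache SSLCipherSuite values that enable them or never exclude them. The sample configuration is constructed, and `!EXP` and `!eNULL` are the OpenSSL cipher-string keywords assumed here for the exclusions.

```python
"""Lint cipher-suite names and Apache SSLCipherSuite values for the
export and null suites named in this article (added example)."""
import re

# EXP, EXP1024, EXPORT, EXPORT40, EXPORT1024 ... as one name component.
_EXPORT = re.compile(r"EXP(ORT)?\d*")


def classify(name: str):
    """Return 'export', 'null' or None for one suite name or keyword.

    Handles OpenSSL names (EXP-RC4-MD5, NULL-SHA) and Windows-style names
    (TLS_RSA_EXPORT_WITH_RC4_40_MD5, NULL). aNULL (no authentication) is a
    different class and is deliberately not matched.
    """
    n = name.strip().upper()
    if n == "ENULL":                      # OpenSSL alias for the NULL ciphers
        return "null"
    parts = re.split(r"[-_]", n)
    if any(_EXPORT.fullmatch(p) for p in parts):
        return "export"
    if "NULL" in parts:
        return "null"
    return None


def lint_cipher_string(cipher_string: str):
    """Return (enabled, missing) for an OpenSSL cipher string.

    enabled: weak entries switched on and not permanently excluded with '!'
    missing: weak classes that have no permanent '!' exclusion at all
    """
    enabled, excluded = [], set()
    for item in re.split(r"[:, ]+", cipher_string.strip()):
        if not item:
            continue
        prefix = item[0] if item[0] in "!-+" else ""
        body = item[len(prefix):]
        kinds = {classify(p) for p in body.split("+")} - {None}
        if prefix == "!" and "+" not in body:
            excluded |= kinds             # '!' removes the class for good
        elif prefix == "":
            enabled.extend((item, k) for k in sorted(kinds))
    effective = [item for item, kind in enabled if kind not in excluded]
    return effective, sorted({"export", "null"} - excluded)


def audit_apache(conf_text: str) -> dict:
    """Map line number -> lint result for every SSLCipherSuite directive."""
    findings = {}
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLCipherSuite\s+(.+)", line, re.IGNORECASE)
        if m:
            value = m.group(1).split()[-1].strip("\"'")
            findings[lineno] = lint_cipher_string(value)
    return findings


# Constructed sample: a weak virtual host beside a corrected one.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    # weak: export and null suites listed, nothing excluded
    SSLCipherSuite ALL:EXP-RC4-MD5:NULL-SHA:!aNULL
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, (enabled, missing) in audit_apache(SAMPLE_CONF).items():
        status = "OK" if not enabled and not missing else "FIX"
        print(f"line {lineno}: {status} enabled={enabled} no-exclusion={missing}")
```

The linter reads the configuration text only; after changing the directive, the web server still has to be restarted as the article says.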

        Frequently Asked Questions:

        Q: How critical is this vulnerability?

        A: This vulnerability appears to be slightly less critical than POODLE. Although an attack is difficult to carry out, it is important for people to prioritize this patch.

        Q: What should customers do?

        A: Customers should remove the above listed affected ciphers (if they are supported by their web server) and restart their web server.

        Q: Do SSL certificates have to be replaced?

        A: No, this is not required.



        OpenSSL patch released that fixes High-severity Diffie Hellman bug

        OpenSSL has fixed a high-severity vulnerability that made it possible for attackers to obtain the key that decrypts communications secured with HTTPS when the connection uses ephemeral, DSA-based Diffie-Hellman (DH) key exchange.

        The OpenSSL Diffie-Hellman issue was assigned CVE-2016-0701 with a severity of High. This vulnerability could allow an attacker to force the peer to perform multiple handshakes using the same private Diffie-Hellman key component, meaning they could use this flaw to conduct man-in-the-middle attacks on the SSL/TLS connection.

        OpenSSL released its Security Advisory regarding the fixes on 28-Jan-2016 on its website, OpenSSL.org.

        OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.

        OpenSSL 1.0.2 users should upgrade to 1.0.2f as stated in the security advisory.

        Fortunately, Diffie-Hellman key exchange is not widely adopted by the mainstream industry, and more than likely users are not using DSA Diffie-Hellman ephemeral keys to perform their encryption. Still, the first line of defense for keeping hackers at bay is to update systems and not become stagnant in security.
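A way to apply the two pieces of advice above, as an added example that is not from the original article or from the OpenSSL project: it triages version banners against the 1.0.2f recommendation and shows the same option set from Python, whose `ssl` module exposes it as `ssl.OP_SINGLE_DH_USE`. The host names and inventory are constructed, and branches other than 1.0.2 are reported as not covered because the article gives advice for 1.0.2 only.

```python
"""Triage OpenSSL builds against the 1.0.2f advice and set the DH option."""
import re
import ssl

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str):
    """'OpenSSL 1.0.2e 3 Dec 2015' -> (1, 0, 2, 'e')."""
    m = _VERSION.search(banner)
    if m is None:
        raise ValueError(f"no OpenSSL version in {banner!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def _patch_rank(letters: str):
    # Patch letters order as '' < 'a' < ... < 'z' < 'za' < 'zb' ...,
    # so compare by length first and alphabetically second.
    return (len(letters), letters)


def needs_upgrade(banner: str):
    """True or False for a 1.0.2 build; None for branches the article's
    advice does not cover."""
    major, minor, fix, letters = parse_version(banner)
    if (major, minor, fix) != (1, 0, 2):
        return None
    return _patch_rank(letters) < _patch_rank("f")


def hosts_to_upgrade(inventory: dict) -> list:
    """Hosts whose banner is a 1.0.2 build older than 1.0.2f."""
    return sorted(h for h, banner in inventory.items() if needs_upgrade(banner))


def dhe_server_context() -> ssl.SSLContext:
    """Server context with the single-DH-use option set explicitly.

    Assumption: a Python service that terminates TLS itself. Certificate
    and key loading are omitted; only the option discussed above is shown.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_SINGLE_DH_USE   # fresh DH key for every handshake
    return ctx


# Constructed inventory: host name -> output of `openssl version`.
INVENTORY = {
    "web01.example.test": "OpenSSL 1.0.2e 3 Dec 2015",
    "web02.example.test": "OpenSSL 1.0.2f  28 Jan 2016",
    "mail.example.test": "OpenSSL 1.0.2 22 Jan 2015",
    "legacy.example.test": "OpenSSL 1.0.1r  28 Jan 2016",
}

if __name__ == "__main__":
    print("upgrade to 1.0.2f:", hosts_to_upgrade(INVENTORY))
    ctx = dhe_server_context()
    print("option set:", ctx.options & ssl.OP_SINGLE_DH_USE == ssl.OP_SINGLE_DH_USE)
```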

