Author: admin

thawte SGC SuperCert SSL Deprecation

Server Gated Cryptography (SGC) certificates were built for the era of US export controls: a browser limited to 40- or 56-bit ciphers would, on seeing an SGC certificate, step up to a 128-bit session, so the site got 128-bit encryption irrespective of browser age. SHA-256 signatures are now the norm for all SSL certificates, and the thawte SGC SuperCert will not be compatible with SHA-256. For that reason thawte announced it will discontinue the SGC SuperCert product in the second quarter of 2015.

Acmetek recommends thawte SSL Web Server with EV as the replacement certificate. At a similar cost it also carries Extended Validation, so browsers display the green address bar.



About SSLSupportDesk:

SSLSupportDesk is part of Acmetek, a trusted advisor on security solutions and services. Acmetek provides comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDoS protection, WAF and Malware Removal. If you are looking for security, look no further: Acmetek has it covered.

Contact an SSL Specialist for a consultation on the Website Security Solutions that fit your needs.

Become a Partner and create an additional revenue stream while we do the heavy lifting for you.

Symantec SSL Certificates with the ECC Algorithm

Overview

The security environment is constantly changing as attackers become more sophisticated and your customers increasingly reach for mobile or tablet devices to carry out transactions online. Keeping up with developments in malware and continuing to provide a secure and trustworthy experience for your customers is vital.

As a leader in SSL security, Symantec is always working on new solutions that help your business to anticipate and meet increasing security demands, and provide a safe environment for your customers.

Symantec SSL certificates with ECC give your business a way to address the industry move to 2048-bit RSA keys (ECC reaches the same security level with far shorter keys) while benefiting from the explosion in mobile and tablet use. ECC is approved by the U.S. government and endorsed by the National Security Agency (it is part of NSA Suite B), and it offers stronger security and better performance than the RSA keys in use today.

Better Performance, Stronger Security with the ECC Algorithm

Elliptic Curve Cryptography (ECC) derives the public/private key pair from point arithmetic on an elliptic curve over a finite field. Its security rests on the elliptic curve discrete logarithm problem, for which the best known attacks scale far worse than the factoring attacks against RSA, so ECC reaches a given security level with much shorter keys and less computation than RSA-based encryption.

Key Benefits

  • Better security: ECC relies on the elliptic curve discrete logarithm problem, for which the best known attacks are far less efficient than factoring attacks on RSA at comparable key sizes, so your websites and infrastructure get a higher security margin than with traditional keys.
  • Better performance: ECC needs a much shorter key for a given security level. For instance, a 256-bit ECC key provides the same level of protection as a 3072-bit RSA key, so you get the security you need without sacrificing performance.
  • Investment protection: ECC helps protect your infrastructure investment by handling the explosion in mobile device connections with less computation per handshake. ECC key lengths grow more slowly than RSA key lengths as security requirements rise, potentially extending the life of your existing hardware and giving you a greater return on your investment.
  • Mobile advantage: ECC's smaller keys mean smaller certificates and handshake messages that consume less bandwidth. As more of your customers move to smaller devices for their online transactions, ECC offers a better customer experience.

ECC key sizes vs RSA and DSA (NIST SP 800-57 security-strength equivalences):

  Security strength   RSA/DSA key (bits)   ECC key (bits)
  80 bits             1024                 160-223
  112 bits            2048                 224-255
  128 bits            3072                 256-383
  192 bits            7680                 384-511
  256 bits            15360                512+

Compatibility

We know that keeping up with security requirements, compliance and threats can be difficult, and that’s why Symantec creates solutions that will make protecting your business easier.

Symantec's ECC roots have been included in the root stores of the top three browsers since 2007, so Symantec ECC certificates will work in your existing infrastructure as long as modern browsers are used.

Why Acmetek?

Acmetek is a Symantec Website Security Solutions Authorized Distributor and a Platinum Partner. Our certificates include certificate management, vulnerability assessment, malware scanning, and life time support for the certificate. You also get the Norton Secured Seal and Symantec Seal-in-Search to assure customers that they are safe when they search, browse or buy on your websites.

Rest easy knowing your website is protected by the #1 choice for SSL security. Symantec SSL Certificates secure more than one million web servers worldwide— more than any other Certificate Authority. In fact, 97 of the world’s 100 largest SSL-using banks and 81% of the 500 biggest e-commerce sites in North America use SSL Certificates from Symantec.

How to get SSL Certificates with ECC from Acmetek?

Symantec Premium SSL Certificates, Secure Site Pro and Secure Site Pro with EV, now give you the option of using the high security ECC algorithm (included free) to deliver stronger security than standard encryption methods while improving performance.

Visit the Symantec Secure Site Pro pages to sign up for a certificate or renew your current subscription.
or
Become a Partner and create additional revenue stream while we do the heavy lifting for you.



The FREAK Vulnerability.

The FREAK Vulnerability, What is happening?

A new SSL/TLS vulnerability named “FREAK” (Factoring RSA Export Keys) was identified by several security researchers. A man-in-the-middle attacker can downgrade a connection to an export-grade 512-bit RSA key exchange, factor that key, and then read what was intended to be a private communication. The flaw has two halves: a bug in several TLS client implementations (OpenSSL's was the first widely reported) that accept an export-grade RSA key even though no export cipher suite was negotiated, and servers that still offer RSA export cipher suites. Both clients and servers are at risk, but a server that does not offer export ciphers cannot be used for the attack, so website owners can protect their visitors by removing the affected ciphers from the web server configuration and restarting the server. Note that this vulnerability is not related to SSL certificates: your existing certificate continues to work as intended and no replacement is needed.

Why should an Acmetek Customer or Partner care?

Customer web servers may be vulnerable. Organizations should evaluate their web servers to determine whether they still offer export cipher suites. Symantec offers an easy-to-use check in its SSL Toolbox that tells customers whether a site is safe or vulnerable.

What Acmetek Customers Must Do

It is relatively easy to determine whether a website is vulnerable and, if so, relatively easy to change the configuration to block the attack. Any type of web server (Apache, IIS, nginx, etc.) may be vulnerable if its configuration allows the so-called export ciphers. In OpenSSL naming, used by Apache and nginx, these ciphers all begin with EXP (from https://httpd.apache.org/docs/2.4/mod/mod_ssl.html):

EXP-DES-CBC-SHA

EXP-RC2-CBC-MD5

EXP-RC4-MD5

EXP-EDH-RSA-DES-CBC-SHA

EXP-EDH-DSS-DES-CBC-SHA

EXP-ADH-DES-CBC-SHA

EXP-ADH-RC4-MD5

If a customer’s web server supports these ciphers, the customer must reconfigure the web server by removing these ciphers from the list of supported ciphers, and restart the web server. Although not related to this vulnerability, customers should also disable null ciphers if they are supported, since such ciphers do not provide any encryption of the SSL stream:

NULL-SHA

NULL-MD5

In Windows the names of export ciphers contain the string “EXPORT”. Here is the list from http://support.microsoft.com/kb/245030:

SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA

SSL_RSA_EXPORT1024_WITH_RC4_56_SHA

SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

SSL_RSA_EXPORT_WITH_RC4_40_MD5

TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

TLS_RSA_EXPORT_WITH_RC4_40_MD5

NULL

We advise customers to consult their web server documentation to determine how to view the list of supported ciphers, and how to disable certain ciphers.
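As an added example (not part of the original post or of any vendor tool), the following Python script applies the check described above to a cipher list: it classifies suites in both the OpenSSL naming used by Apache/nginx and the IANA/Schannel naming used on Windows, separates the ones that must go from the ones that may stay, and prints a hardened Apache directive that excludes those classes by OpenSSL cipher-string keyword rather than by name. The sample inputs are constructed from the lists quoted above plus a few modern suites; the directive's !DES, !RC4 and !MD5 go a step beyond the post's minimum.

```python
"""Audit a TLS cipher list for export, NULL and anonymous suites (FREAK clean-up)."""


def classify(suite):
    """Reason a suite must be removed ('export', 'null', 'anonymous') or None.
    Handles OpenSSL names (EXP-RC4-MD5, NULL-SHA, ADH-AES128-SHA) and the
    IANA/Schannel names Windows uses (TLS_RSA_EXPORT_WITH_RC4_40_MD5,
    TLS_RSA_WITH_NULL_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA)."""
    s = suite.strip().upper()
    if s.startswith("EXP") or "_EXPORT" in s:      # EXP-, EXP1024-, _EXPORT_, _EXPORT1024_
        return "export"
    if s == "NULL" or s.startswith("NULL-") or "-NULL-" in s or "_NULL_" in s:
        return "null"
    if s.startswith(("ADH-", "AECDH-")) or "_ANON_" in s:
        return "anonymous"
    return None


def parse_openssl_ciphers(text):
    """Suite names from `openssl ciphers -v` style output (first column of each line)."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]


def audit(suites):
    """Split a cipher list into ([(suite, reason), ...] to remove, [suite, ...] to keep)."""
    remove, keep = [], []
    for suite in suites:
        reason = classify(suite)
        if reason:
            remove.append((suite, reason))
        else:
            keep.append(suite)
    return remove, keep


# Apache directive excluding the flagged classes by OpenSSL cipher-string keyword,
# so suites added in later OpenSSL releases are covered too. !DES, !RC4 and !MD5
# go a step beyond what the post requires.
HARDENED_APACHE = ("SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5\n"
                   "SSLHonorCipherOrder on")

# Constructed sample in the shape `openssl ciphers -v` prints: the EXP/NULL names
# quoted in the post plus two suites a hardened server should actually offer.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
EXP-DES-CBC-SHA             SSLv3   Kx=RSA(512) Au=RSA  Enc=DES(40)     Mac=SHA1 export
EXP-RC2-CBC-MD5             SSLv3   Kx=RSA(512) Au=RSA  Enc=RC2(40)     Mac=MD5  export
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5  export
EXP-EDH-RSA-DES-CBC-SHA     SSLv3   Kx=DH(512)  Au=RSA  Enc=DES(40)     Mac=SHA1 export
EXP-ADH-DES-CBC-SHA         SSLv3   Kx=DH(512)  Au=None Enc=DES(40)     Mac=SHA1 export
NULL-SHA                    SSLv3   Kx=RSA      Au=RSA  Enc=None        Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH       Au=None Enc=AES(128)    Mac=SHA1
"""

# Constructed Windows/Schannel-style list: the post's names plus one good suite.
SAMPLE_WINDOWS_LIST = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_NULL_SHA",
    "NULL",
]

if __name__ == "__main__":
    for label, suites in (("OpenSSL", parse_openssl_ciphers(SAMPLE_OPENSSL_OUTPUT)),
                          ("Windows", SAMPLE_WINDOWS_LIST)):
        remove, keep = audit(suites)
        print(f"{label}: remove {len(remove)}, keep {len(keep)}")
        for suite, reason in remove:
            print(f"  {suite:40} {reason}")
    print(HARDENED_APACHE)
```

On a live Apache or nginx host, feed the script the output of `openssl ciphers -v '<your SSLCipherSuite string>'`; on Windows, paste the enabled suite names from the cipher suite order policy. Anything listed under "remove" is a suite to drop before the restart.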

Frequently Asked Questions:

Q: How critical is this vulnerability?

A: This vulnerability appears to be slightly less critical than POODLE. Although the attack is difficult to carry out (the attacker needs a man-in-the-middle position and must factor a 512-bit RSA key), it is important to prioritize the fix.

Q: What should customers do?

A: Customers should remove the above listed affected ciphers (if they are supported by their web server) and restart their web server.

Q: Do SSL certificates have to be replaced?

A: No, this is not required.



OpenSSL patch released that fixes High-severity Diffie Hellman bug

OpenSSL has fixed a high-severity vulnerability that, under certain conditions, let an attacker recover a server's private Diffie-Hellman (DH) exponent and with it the keys protecting HTTPS sessions that used the DHE key exchange. The conditions are that the server uses DH parameters whose prime is not a "safe prime" (for example X9.42-style parameters generated the way DSA parameters are) and reuses the same private exponent across handshakes.

The issue was assigned CVE-2016-0701 with a severity of High. An attacker who can complete multiple handshakes with a peer that keeps using the same private DH exponent sends specially chosen public values that lie in small subgroups; each handshake leaks the exponent modulo one small factor of p - 1, and combining the residues recovers the exponent. With the exponent in hand the attacker can compute the shared secret of every session that used it and decrypt that traffic.

OpenSSL published its Security Advisory with the fixes on 28-Jan-2016 at OpenSSL.org.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set, the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk; the 1.0.2f release makes the single-use behaviour unconditional.

OpenSSL 1.0.2 users should upgrade to 1.0.2f as stated in the security advisory; the release is available from OpenSSL.org.

Fortunately, DH parameters based on safe primes (the only kind `openssl dhparam` produces) are not affected, and the X9.42-style parameters this attack needs are uncommon in mainstream deployments. Even so, the first line of defence is to keep systems updated and not become stagnant in security.
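As an added example (a toy model written for this post, not OpenSSL code), the following Python program shows why reusing the private exponent matters. It uses a deliberately tiny group whose prime p = 2311 is not a safe prime (p - 1 = 2·3·5·7·11), models the server's Finished check with an HMAC over the shared secret, and runs the small-subgroup attack the advisory describes: the attacker sends a public value of small order q, the server's secret then depends only on x mod q, and at most q handshakes reveal that residue; the residues are combined with the Chinese remainder theorem. With the exponent reused (OpenSSL without SSL_OP_SINGLE_DH_USE) the attacker recovers x in at most 26 handshakes; with a fresh exponent per handshake the residues belong to different keys and the attack fails. The group, the seeded randomness and the Finished stand-in are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import random

# Constructed toy group (an assumption for illustration, not OpenSSL's parameters):
# p = 2311 is prime but p - 1 = 2 * 3 * 5 * 7 * 11 consists only of small factors,
# so p is not a "safe prime". Real TLS groups are 1024-2048 bits, but the attack has
# the same shape whenever p - 1 has small factors and the private exponent is reused.
P = 2311
PRIME_FACTORS = (2, 3, 5, 7, 11)      # prime factors of P - 1
ODD_FACTORS = PRIME_FACTORS[1:]


def find_generator(p, factors):
    """Smallest g whose powers cover the whole multiplicative group mod p."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g
    raise ValueError("no generator")


G = find_generator(P, PRIME_FACTORS)


def finished_mac(shared_secret):
    """Stand-in for the TLS Finished message: a MAC keyed by the DH shared secret,
    so a handshake completes only if both sides computed the same secret."""
    return hmac.new(shared_secret.to_bytes(4, "big"), b"toy transcript",
                    hashlib.sha256).digest()


class DheServer:
    """Server side of DHE. reuse_key=True behaves like OpenSSL without
    SSL_OP_SINGLE_DH_USE: one private exponent for the life of the process."""

    def __init__(self, reuse_key, seed):
        self.reuse_key = reuse_key
        self.rng = random.Random(seed)    # seeded only so the demo is repeatable
        self.handshakes = 0
        self._new_key()

    def _new_key(self):
        self.x = self.rng.randrange(2, P - 1)     # private exponent
        self.public = pow(G, self.x, P)           # sent in ServerKeyExchange

    def handshake(self, client_public, client_finished):
        """Returns (server_public, accepted). As OpenSSL did, only a range check is
        applied to the client's value; membership in the right subgroup is not."""
        if not self.reuse_key:
            self._new_key()
        self.handshakes += 1
        if not 2 <= client_public <= P - 2:
            raise ValueError("client public value out of range")
        secret = pow(client_public, self.x, P)
        accepted = hmac.compare_digest(finished_mac(secret), client_finished)
        return self.public, accepted


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, m = 0, 1
    for r, q in zip(residues, moduli):
        x += m * ((r - x) * pow(m, -1, q) % q)
        m *= q
    return x % m


def recover_private_exponent(server):
    """Small-subgroup attack. For each small odd prime q dividing p - 1 the attacker
    sends an element h of order q; the server's secret h^x then depends only on
    x mod q, and at most q handshakes reveal that residue."""
    residues = []
    server_public = None
    for q in ODD_FACTORS:
        h = pow(G, (P - 1) // q, P)               # element of order exactly q
        for k in range(q):
            server_public, accepted = server.handshake(h, finished_mac(pow(h, k, P)))
            if accepted:
                residues.append(k)                # x = k (mod q)
                break
        else:
            return None                           # no residue: the exponent kept changing
    m = 1
    for q in ODD_FACTORS:
        m *= q
    x_mod_m = crt(residues, ODD_FACTORS)
    # The order-2 element is p - 1, which the range check rejects, so the last bit is
    # resolved offline by comparing against the server's public value instead.
    for candidate in (x_mod_m, x_mod_m + m):
        if pow(G, candidate, P) == server_public:
            return candidate
    return None


def run_demo(reuse_key, seed=1):
    """Returns (recovered exponent or None, server's current exponent, handshakes used)."""
    server = DheServer(reuse_key, seed)
    recovered = recover_private_exponent(server)
    return recovered, server.x, server.handshakes


if __name__ == "__main__":
    for reuse in (True, False):
        recovered, actual, n = run_demo(reuse)
        print(f"reuse_key={reuse}: recovered={recovered} actual={actual} after {n} handshakes")
```

The fix in 1.0.2f closes both doors this model leaves open: the exponent is no longer reused, and when the parameters carry a subgroup order q the peer's public value is checked to lie in that subgroup. Safe-prime parameters are immune regardless, because p - 1 then has no small factor other than 2.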



SSLv2 – The “Drown” Attack

Just recently there has been a lot of news regarding a vulnerability in SSLv2 (SSL 2.0) that has been named the DROWN attack. You will see headlines such as “DROWN attack affects over a third of the world's websites,” “No one is secure on the internet anymore,” “More than a million sites affected!” and so on.

Allow me to calm some of the fears you may have.

Unless you have not touched your server since 2011, don't panic. SSLv2, which dates from 1995, was formally declared obsolete in 2011 (RFC 6176) and more than likely you are not using it, because:

  • Browsers such as Chrome and Firefox have had SSLv2 disabled by default since 2011 or earlier.
  • You would have seen browser errors about SSLv2 being enabled on your site and turned the protocol off already.
  • Every couple of years a digital certificate gets replaced on the server, and during that process you probably ran a certificate checker that reported the server's status and flagged SSLv2 as obsolete years ago.
  • If you are PCI compliant then you are not using SSLv2, or any version of SSL for that matter.

One caveat the headlines tend to omit: DROWN only needs some server that shares the web server's RSA private key (an SMTP, IMAP or POP server using the same certificate, for instance) to still accept SSLv2. Check every service that uses the key, not just the HTTPS port.

DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. It allows an attacker who has recorded TLS sessions to decrypt them by making thousands of SSLv2 connections to a server holding the same RSA key, exposing sensitive communications such as passwords, credit card numbers, trade secrets or financial data.

On March 01, 2016 the United States Computer Emergency Readiness Team (US-CERT) published the following on its website:

Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. Exploitation of this vulnerability – referred to as DROWN in public reporting – may allow a remote attacker to obtain the private key of a server supporting SSLv2.

US-CERT encourages users and administrators to review Vulnerability Note VU#583776 and the US-CERT OpenSSL Current Activity for additional information and mitigation details.

So this really shouldn't be news, since SSLv2 was considered obsolete back in 2011. It was bound to happen sooner or later.

If you are affected by SSLv2, or would like to double-check, Qualys SSL Labs has an excellent SSL checking tool that goes deep into the health of a server. SSLSupportDesk.com has an article on how to use and read this checker.

More information can be found at https://drownattack.com/
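As an added example that is not part of the post or of the Qualys tool, the following Python script performs the most direct check for DROWN exposure: it builds an SSLv2 CLIENT-HELLO offering all seven SSLv2 cipher kinds, sends it to a host and parses the reply. Only a server that still speaks SSLv2 answers with an SSLv2 SERVER-HELLO (message type 4); a TLS-only server answers with a TLS alert or closes the connection. The SAMPLE_SERVER_HELLO bytes are constructed here to exercise the parser offline (the certificate bytes inside it are a placeholder, not a real certificate); probe() is the part you would point at your own servers, on every port that uses the certificate's key.

```python
"""Probe a host for SSLv2 support by speaking the SSLv2 handshake directly."""
import socket
import struct

# The seven cipher kinds defined by SSLv2 (3-byte CIPHER-KIND codes).
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def sslv2_client_hello(challenge=bytes(16)):
    """SSLv2 record carrying a CLIENT-HELLO that offers every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                               # MSG-CLIENT-HELLO
            + b"\x00\x02"                         # CLIENT-VERSION: SSL 2.0
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)                # no session id
    # SSLv2 2-byte record header: high bit set, 15-bit length, no padding
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Cipher names offered in an SSLv2 SERVER-HELLO, or None if the reply is not
    one (TLS alert, empty reply, garbage)."""
    if len(data) < 13 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7f) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:         # MSG-SERVER-HELLO
        return None
    # SESSION-ID-HIT(1) CERTIFICATE-TYPE(1) VERSION(2) CERT-LEN(2) CIPHER-LEN(2) CONN-ID-LEN(2)
    version, cert_len, cipher_len, _conn_len = struct.unpack(">HHHH", body[3:11])
    if version != 0x0002:
        return None
    ciphers = body[11 + cert_len:11 + cert_len + cipher_len]
    return [SSLV2_CIPHERS.get(ciphers[i:i + 3], "unknown")
            for i in range(0, len(ciphers) - len(ciphers) % 3, 3)]


def probe(host, port=443, timeout=5.0):
    """Network check: non-empty list means the server still speaks SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(sslv2_client_hello())
        reply = b""
        try:
            while len(reply) < 4096:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass
    return parse_sslv2_server_hello(reply)


def _constructed_server_hello():
    """Offline test vector: what an SSLv2 server offering RC4-128 and 3DES replies."""
    cert = b"\x30\x03\x02\x01\x00"                # placeholder DER bytes, not a real cert
    ciphers = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = bytes(16)
    body = (b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"
            + struct.pack(">HHH", len(cert), len(ciphers), len(conn_id))
            + cert + ciphers + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


SAMPLE_SERVER_HELLO = _constructed_server_hello()

if __name__ == "__main__":
    print("offline vector:", parse_sslv2_server_hello(SAMPLE_SERVER_HELLO))
    # Live use (assumed hostname): print(probe("www.example.com", 443))
```

A non-empty result from probe() on any port that uses the same RSA key (443, 465, 993, 995 and so on) means the key is exposed to DROWN until SSLv2 is disabled there; a None result is what a correctly configured server returns.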



The end-of-life of Symantec Safe Site.

As part of a long-term effort to simplify Symantec’s product range and ensure their offerings are relevant to the latest security needs, Symantec is discontinuing (End of Life) their Symantec Safe Site product as of March 2016.

Symantec Safe Site (formerly the VeriSign Trust Seal) is the stand-alone seal product that allows a customer to display the seal without purchasing an SSL certificate.

Note: There will be no impact on the Norton Secured Seal included in SSL certificate products.

Symantec Safe Site End of Life FAQ:

What should I do?
To continue displaying the Norton Secured Seal on your website, you will need to purchase one of the Symantec SSL products. Any Symantec Safe Site customer who chooses not to upgrade will lose their Symantec Safe Site seal at the end of the current product term.

Why is Symantec discontinuing Symantec Safe Site?
Symantec wants to simplify its product range, so it plans to eliminate smaller products that have become redundant. Symantec Safe Site has been marked as a product that is not essential to the range and can be discontinued. Symantec SSL offers the same Norton Secured Seal plus additional features that more comprehensively protect websites while projecting trust.

Does this affect the seal on any other products?
No, the seal for all other products will still be available. No changes will be made.

What will happen if I don’t want another product?
Customers will not be able to renew their Symantec Safe Site product once their term is complete, so at that time they will no longer have access to the Norton Secured Seal nor Malware Scanning.

We suggest you upgrade to Symantec SSL to continue reaping the benefits you clearly value from the Norton Secured Seal, in addition to the added website security that comes with an SSL certificate.

If you currently have an SSL certificate but are not displaying the Norton Secured Seal visit our SSLSupportDesk article: Norton Secured Seal Installation Instructions



Memorandum Requires Secure Connections across Federal Websites and Web Services

On June 8th 2015 the Executive Office of the President issued memorandum M-15-13, also known as the HTTPS-Only Standard, which requires that all publicly accessible Federal websites and web services provide service only through a secure connection.

This is important because unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users of Federal websites and services. Any data sent over HTTP is susceptible to interception, manipulation and impersonation. That data can include browser identity, website content, search terms and other user-submitted information.

“All browsing activity should be considered private and sensitive.”

Many commercial organizations have adopted HTTPS or implemented HTTPS-only policies to protect visitors to their websites and services. Users of Federal websites and services deserve the same protection, and the Federal Government needs to set a precedent: web security today is as important as the air we breathe.

The challenges are few, but there are some considerations in implementing HTTPS that may affect Federal services.

Challenges and Considerations:

Site Performance: While encryption adds some computational overhead, modern software and hardware can handle this overhead without substantial deleterious impact on server performance or latency.

Server Name Indication: The Server Name Indication (SNI) extension to SSL/TLS lets the client state which fully qualified domain name (FQDN) it is connecting to, for example www.energy.gov, so that one IP address can serve certificates for several domains. Some legacy clients (for instance Internet Explorer on Windows XP and Android 2.x) do not send SNI and will be shown the server's default certificate instead.

Mixed Content: Websites served over HTTPS need to ensure that all external resources (images, scripts, fonts, iframes, etc.) are also loaded over a secure connection. Modern browsers will refuse to load many insecure resources referenced from within a secure website. When migrating existing websites, this can involve a combination of automated and manual effort to update, replace, or remove references to insecure resources. For some websites, this can be the most time consuming aspect of the migration process.
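As an added example (not from the memorandum or any agency tool), here is a small Python scanner for the automated half of that effort: it walks an HTML document and reports every sub-resource reference that uses a plain http:// URL, distinguishing active content that browsers block (scripts, stylesheets, frames, form targets) from passive media that is loaded with a warning, and it also catches url() references in inline and embedded CSS. The sample page and its example.gov hostnames are constructed for the demonstration; navigation links and protocol-relative URLs are correctly left alone.

```python
"""Find mixed-content (http:// sub-resource) references in an HTML page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource from inside the
# page. Navigation links (<a href>) are deliberately absent: following them is not
# mixed content. Extend the map for frameworks that use other attributes.
FETCH_ATTRS = {
    "script": ("src",), "iframe": ("src",), "link": ("href",),
    "object": ("data",), "embed": ("src",), "form": ("action",),
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "video": ("src", "poster"), "audio": ("src",), "track": ("src",),
}
# Browsers block "active" mixed content outright; "passive" media is at best loaded
# with a warning. Both must be fixed for a clean HTTPS migration.
PASSIVE_TAGS = {"img", "source", "video", "audio", "track"}
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []            # (tag, attribute, url, kind)
        self._in_style = False

    def _record(self, tag, attr, url, kind):
        self.findings.append((tag, attr, url, kind))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        kind = "passive" if tag in PASSIVE_TAGS else "active"
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if attr == "srcset" else [value.strip()])
            for url in urls:
                if urlsplit(url).scheme.lower() == "http":
                    self._record(tag, attr, url, kind)
        # url(http://...) inside a style attribute (background images, fonts, ...)
        for url in CSS_URL.findall(attrs.get("style") or ""):
            self._record(tag, "style", url, "css")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:            # url(http://...) inside a <style> block
            for url in CSS_URL.findall(data):
                self._record("style", "css", url, "css")


def find_mixed_content(html):
    """Every http:// sub-resource reference in the document, in source order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hostnames are made up for the demonstration).
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.gov/site.css">
<script src="https://cdn.example.gov/app.js"></script>
<style>body { background: url("http://cdn.example.gov/bg.png"); }</style>
</head><body>
<img src="http://images.example.gov/seal.png" alt="seal">
<img src="//images.example.gov/logo.png" alt="logo">
<a href="http://www.example.gov/contact">Contact</a>
<div style="background-image: url(http://images.example.gov/hero.jpg)"></div>
<iframe src="https://video.example.gov/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, kind in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:8} <{tag} {attr}> {url}")
```

Run it over the crawled HTML of each site before flipping the redirect; everything it reports needs to be changed to https:// or a protocol-relative URL, replaced, or removed, and resources the scanner cannot see (URLs assembled in JavaScript, responses from third-party widgets) still need the manual pass the memorandum mentions.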

APIs and Services: Web services that serve primarily non-browser clients, such as web APIs, may require a more gradual and hands-on migration strategy, as not all clients can be expected to be configured for HTTPS connections or to follow redirects successfully.

Planning for Change: Protocols and web standards improve regularly, and security vulnerabilities can emerge that require prompt attention. Administrators may have to upgrade their system topologies in order to meet this standard. Federal websites and services should deploy HTTPS in a manner that allows for rapid updates to certificates and cipher choices.

One standard that has already affected legacy systems, and must be taken into account, is the migration from SHA-1 to SHA-2 certificate signatures, driven by the weaknesses in SHA-1 that the commercial browser industry has acted on. For example, old Microsoft IIS 6 (Windows Server 2003) systems cannot handle SHA-2 certificates without hotfixes to software that is now twelve years old. Federal web service administrators should evaluate the feasibility of newer technology to improve performance efficiency and may have to upgrade their infrastructure as soon as possible.

To implement HTTPS, a server certificate issued by a trusted certificate authority must be obtained for the FQDN of each web service.

The Office of Management and Budget (OMB) affirms that the tangible benefits to the American public outweigh the cost to the taxpayer. Server certificates with HTTPS help fight unofficial or malicious websites claiming to be Federal services and block eavesdropping on communications with official U.S. government sites.

Acmetek Global Solutions, Inc. is very familiar with the standards of the industry and have the Managed PKI solutions & recommendations needed to assist Federal/State government agencies on matters of Web Network Security.



End of Life Announcement for Symantec ECA Certificates

Symantec will be discontinuing its External Certificate Authority (ECA) certificate offering. Symantec is phasing out the offering as follows:

August 16, 2016 – End of Sale: Symantec will stop selling the ECA offering. No new ECA certificates will be issued.

August 16, 2016 – End of Renewal: Symantec will stop renewals for all existing certificates.

August 17, 2017 – End of Life: All certificates will have expired or been revoked. Symantec ECA operations will cease.

What is an ECA Certificate?

Symantec was certified by the United States Department of Defense (DoD) as a provider of External Certification Authority (ECA) digital certificates for government contractors, state and local governments and employees of foreign governments. ECA certificates enable secure on-line transactions with DoD agencies, digitally signing documents, and encrypting e-mail communications.

Who does this affect?

If you are not interacting with the Department of Defense then this will not affect you. It only affects those who do business with or work for the DoD and use these certificates to gain access to DoD systems. If you do work for the DoD, ask the appropriate DoD IT security contact for more information; you should already have received notice from a DoD entity if this affects you directly.

If you need more information and to stay up to date on the Symantec ECA and its End of Life visit

https://www.symantec.com/products/information-protection/eca-certificates


About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a Symantec Website Security Solutions Authorized Distributor and a Platinum Partner. Acmetek offers all 4 Brands of SSL Certificates: Symantec, Thawte, GeoTrust and RapidSSL. Offering Norton Shopping Guarantee that inspires trust and increases online sales with a 20x ROI Guarantee.

Contact an SSL Specialist to buy your SSL Certificates from Acmetek, a Symantec Strategic/Platinum Distributor.

Become a Partner and create an additional revenue stream while we do the heavy lifting for you.

End of Life Announcement for Symantec Digital ID for Secure Email


Symantec will be discontinuing the availability of its Digital ID for Secure Email offering. To ease this transition, Symantec is phasing out this offering as follows:

August 22, 2016 – End of Sale: Symantec will stop selling the Digital IDs offering. No new certificates will be issued.

August 23, 2017 – End of Life & End of Support: All certificates will have expired or been revoked. Symantec Digital IDs for Secure Email support and operations will cease.

Why? For a more secure world of course

The retail version of Symantec Digital IDs for Secure Email did not fully authenticate the subscriber. Symantec placed “Persona Not Validated” in the Common Name field of these certificates because it did not verify that the individual registering the email address is legally recognized by the name they supplied; only control of the mailbox was checked. The marker separates these certificates from those issued through a notarized enrollment process in which identity is validated.

Example:

The authentication procedures cannot prove that the person who enrolled at retail for a digital ID really is JON DOE with the email address likescheese@mail.com, which is why the Common Name in these certificates reads “Persona Not Validated”.

Alternatively, customers can purchase an ENTERPRISE offering (not the RETAIL offering) to protect digital communication. These user-authenticated, notarized certificates state the name of the user they are issued to accurately, because validation checks are performed within the enrolled organization.

Digital IDs for Secure Email (Class 1) Support can be found here and any concerns can be address by sending an email to id-queries@symantec.com

What do User Digital IDs Do in General?

Compromised email can mean loss of intellectual property and damage to reputation. A digital ID is like an electronic driver's license or passport that proves your identity. Digital IDs allow you to digitally sign and encrypt your communications using a certificate bound to your validated email address.

Use Digital IDs to:

  • Digitally sign email: a red ribbon icon on the message shows that it was signed with a certificate for the sender's address and has not been altered in transit.
  • Encrypt email: a blue envelope icon on the message shows that it was encrypted in transit (only the recipient can open it).
  • Sign documents: Microsoft Word allows digital signing of Word documents with the same certificate.
  • Client authentication: in enterprise environments the certificate authenticates its holder to applications or network environments.


GoDaddy and Let’s Encrypt Cause Security Concerns

GoDaddy last week began re-issuing SSL certificates for more than 6,000 customers after a bug was discovered in its automated DV (Domain Validated) validation process. Automated domain validation is one of the fastest ways to obtain a certificate used to encrypt and validate websites or networks.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process.” “The bug caused the domain validation process to fail in certain circumstances,” Wayne Thayer, VP and General Manager of Security Products at GoDaddy, said in a statement.

When we hear terms such as “improve the certificate issuance process” it usually means making things faster or more automated. Keep in mind that GoDaddy is primarily a hosting company; acting as a Certificate Authority (CA) is a by-product of that business. The flaw meant the domain validation check could pass for a domain the requester did not control, so an attacker could have obtained a trusted certificate for someone else's site and used it to pose as that site, spread malware or steal personal information such as banking login credentials. The push to speed up issuance comes in part from competition with a new free CA called Let's Encrypt.

Let's Encrypt is a free, automated and open CA run by the non-profit Internet Security Research Group (ISRG). Its goal is to help the industry move to HTTPS (SSL/TLS) for websites in the most user-friendly way possible by significantly lowering the complexity of setting up and maintaining TLS encryption.

Features of Let’s Encrypt.

  • Let’s Encrypt issues Only domain-validated certificates, since they can be fully automated. Organization Validation and Extended Validation Certificates are not available.
  • Let’s Encrypt issues certificates valid for 90 days. Their reason is that these certificates “limit damage from key compromise and mis-issuance” and encourage automation. The official certbot client and most of the third-party clients allow automation of the certificate renewal.
  • Only Open Source Linux systems are capable with Lets’Encrypt automation.
  • No wildcard functionality (currently).
  • Elimination of payment, web server configuration, validation email management and certificate renewal tasks.

The Ugly/Disadvantages:

  • One disadvantage that keeps large companies from considering Let's Encrypt is that visitors cannot tell from the certificate that the site really belongs to the company that appears to operate it, because Let's Encrypt issues DV certificates for a domain free of charge without validating personal or corporate identity.
  • Automatic renewal tends to let administrators neglect security upkeep on their systems. Often, when an administrator is forced to visit a system because a certificate needs replacing, they discover it is out of compliance with needed patches and configuration; left untouched, outdated software and standards are an open door.
  • Free certificates are available to attackers too. The potential for Let's Encrypt to be abused by anyone who can obtain a certificate is very real, and attackers prefer not to spend money to achieve their goals.

Any technology meant for good can be abused by cyber criminals, and digital certificates such as Let's Encrypt's are no exception. There is one reported case in which a malvertiser used a technique called “domain shadowing,” in which the attacker creates subdomains under a legitimate domain whose DNS or registrar account has been compromised. A user who clicks an embedded advertisement on a website, thinking they are visiting another page, is instead led to the attacker's malvertising server, which can deliver a trojan or ransomware. A certificate authority that automatically issues free certificates for such subdomains may inadvertently lend them credibility, with the domain owner unaware of the problem and unable to prevent it.

Domain-validated certificates only confirm that the requester controls the domain; they do not validate the identity of the recipient. End users unaware of the nuances of certificates may miss the difference, and as a result DV certificates can help an attacker gain legitimacy with the public. There is nothing wrong with procuring a DV certificate; depending on the circumstances DV is advisable, for instance on internal networks where a quick, cost-effective solution is needed. Security is a proactive industry, though. Cutting corners for the sake of convenience is a double-edged sword that can cost business and reputation. Approach with caution.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer