Monday, 30 April 2012

Learning about Secure Socket Layer (SSL) Certificates [Part 2 of a 4 part series]

1 comment:
If you've come to our GlobalSign website or been approached by any of us, you've probably seen the term SSL. We've started a four part series where we blog about SSL Security and what it means for you. Stay tuned each week as we break down SSL into bite-sized bits. 

This week, we'll introduce SSL Certificates and a little bit of technical background. 

What is an SSL Certificate?

SSL is a protocol, and in order to use the SSL protocol organisations need an SSL Certificate.  An SSL Certificate is a small data file that digitally binds a cryptographic key to your organization’s details, typically:

  • Your domain name, server name or hostname
  • Your company name and location
  • In certain cases your organisational contact details
An organisation needs to install the SSL Certificate onto their web server to initiate SSL sessions with browsers.  Once installed, it is possible to connect to the website over  as this tells the server to establish a secure connection with the browser.  Once a secure connection is established all web traffic between the web server and the web browser will be secure.

To view an SSL Certificate click on the padlock and select View Certificate.  All browsers show the Certificate slightly differently but the Certificate always contains the same information.
SSL Certificate example

To view the actual contents of the Certificate click the Details tab:

SSL Certificate Details Example

Click the Certification Path to see which Trusted Root Certificate has been used to issue the SSL Certificate:

SSL Certificate Root CA hierarchy

Why is the Root Certificate important?
SSL Certificates need to be issued from a trusted CA’s root Certificate.  The root Certificate must be present on the end-user’s machine in order for the SSL Certificate to be trusted.  If it is not trusted the browser will present untrusted error messages to the end user.

For e-commerce websites, such error messages may result in consumers doubting the credibility of the website. In fact, websites using untrusted SSL Certificates may risk losing confidence and business from the majority of consumers.

Companies like GlobalSign are known as trusted Certification Authorities. This is because browser and operating system vendors such as Microsoft, Mozilla, Opera, Blackberry, Java etc trust that GlobalSign is a legitimate Certification Authority and that GlobalSign can be relied on to issue trustworthy SSL Certificates.  The more applications, devices and browsers the Certification Authority embeds its root into, the better “recognition” the SSL Certificate can provide.

GlobalSign has, for over 15 years, been operating the GlobalSign Ready program for root Certificate embedding.  This program ensures its inhouse engineers from the US, UK, continental Europe and Asia are in constant communication with the application, device and browsers vendors to ensure the GlobalSign root Certificate is present everywhere that may be used for SSL sessions.

Read more about GlobalSign Root Certificate compatibility and how it benefits your website security
Root Certificate Store

The GlobalSign Root Certificate is marked for a number of intended purposes, this makes it a very strong, flexible all round Root Certificate able to perform all Public Key Infrastructure (PKI) related activities:
  • Ensures the identity of a remote computer
  • Proves your identity to a remote computer
  • Ensures software came from software publisher
  • Protects software from alteration after publication
  • Protects e-mail messages
  • Allows data to be signed with the current time
  • Allows data on disk to be encrypted
  • Allows secure communication on the Internet
  • All issuance policies
  • OCSP Signing
Next week, we'll focus on where SSL can be installed and used.

Monday, 23 April 2012

Introduction SSL Certification [Part 1 of a 4 part series]

1 comment:
If you've come to our GlobalSign website or been approached by any of us, you've probably seen the term SSL. We've started a four part series where we blog about SSL Security and what it means for you. Stay tuned each week as we break down SSL into bite-sized bits.

This week, we'll start off with some SSL introductions.

What is SSL?
The Secure Sockets Layer (SSL) (and Transport Layer Security (TLS)) is the most widely deployed security protocol used today.  It is essentially a protocol that provides a secure channel between two machines operating over the Internet or an internal network.  In today’s Internet focused world, we typically see SSL in use when a web browser needs to securely connect to a web server over the insecure Internet. 

Technically SSL is a transparent protocol, which requires little interaction from the end user when establishing a secure session.  For example, in the case of a browser, users are alerted to the presence of SSL when the browser displays a padlock, or in the case of Extended Validation SSL the address bar displays both a padlock and a green bar.  This is the key to the success of SSL – it is incredibly simple experience for end users.

Extended Validation EV SSL Example

Extended Validation (EV) SSL Certificates (such as GlobalSign ExtendedSSL):
Standard SSL Certificates (such as GlobalSign DomainSSL and OrganizationSSL):
Standard SSL Example
As opposed to HTTP URLs which begin with "http://" and use port 80 by default, HTTPS URLs begin with "https://" and use port 443 by default.

HTTP is insecure and is subject to eavesdropping attacks which, if critical information like credit card details and account logins is transmitted and picked up, can let attackers gain access to online accounts and sensitive information. Ensuring data is either sent or posted through the browser using HTTPS, such information is encrypted and is secure.

SSL in Practice
SSL can be used in the following workflows and services:
  • To secure online credit card transactions, In 2006 alone there were 210 million users online spending over $130 billion through their PCs / laptops / PDAs and mobile phones.  SSL *should* have been used to secure each and every one of these transactions!
  • To secure online system logins, sensitive information transmitted via web forms, or protected areas of websites.
  • To secure webmail and applications like Outlook Web Access, Exchange and Office Communications Server.
  • To secure workflow and virtualization applications like Citrix Delivery Platforms or cloud based computing platforms.
  • To secure the connection between an email client such as Microsoft Outlook and an email server such as Microsoft Exchange
  • To secure the transfer of files over https and FTP(s) services such as website owners updating new pages to their websites or transferring large files.
  • To secure hosting control panels logins and activity like Parallels, cPanel and others.
  • To secure intranet based traffic such as internal networks, file sharing, extranets and database connections.
  • To secure network logins and other network traffic with SSL VPNs such as VPN Access Servers or applications like the Citrix Access Gateway.
All these applications have a number of shared themes:
  • The data being transmitted over the Internet or network needs confidentiality, in other words, people do not want their credit card number, account login, passwords or personal information to be exposed over the Internet.
  • The data needs to remain integral, which means that once credit card details and the amount to be charged to the credit card have been sent, a hacker sitting in the middle cannot change the amount to be charged and where the funds should go.
  • Your organisation needs to assure your customers / extranet users that you are who you really say you are and not someone masquerading as you.
  • Your organisation needs to comply to regional, national or International regulations on data privacy, security and integrity.
We hope this helps! Stay tuned for part 2 next week when we delve into some SSL technicalities! 
Visit us at our website, for more information.

Friday, 13 April 2012

HSBC Customers Under Phishing Attack

No comments:
HSBC customers are currently being targeted with a fake warning of account suspension.

This was reported by Help Net Security, which also shared the screenshot below:

Credits to Help Net Security

Customers received an email that purported that someone has tried to access the user's account and failed, and the bank suspended the account in the interest of customer security.

However, the link listed in the email takes the victim to a phishing site made to look like HSBC's secure login page. Customers were then asked to input their personal account information, which included their user ID, name, date of birth, security number, account number and ATM pin to rpove their identity.

After the information was submitted, customers were redirected to the bank's legitimate page. However, by this time, the information was simultaneously sent to the phisher.

Key Indications of a Secure Website

For customers, protect yourself by looking out for a few key signs in your address bar:

Image from GMO GlobalSign 

The standard HTTP is changed to HTTPS, automatically telling the browser that the connection between the server and browser must be secured using SSL.

When visitors click on the padlock, a window will appear confirming the Certificate Authority and the details of the website owner, helping visitors verify that the website is really the company it claims to be.

Protect yourself with EV SSL

As phishing attacks continue to increase, any company providing customers with an account / login is a potential phishing target.  EV SSL helps protect your customers at the point of logging in by assuring them they’re on the real site and not a phishing site.

Elevate your site image

It doesn’t have to just be major brands that benefit from EV SSL.  Sites using EV SSL not only protect their brand but increase the level of trust and confidence that they’re a legitimate entity.  And if visitors trust your web site is authentic, they’re more likely to have the confidence to buy from you.  Using EV SSL helps even relatively small sites compete on a level playing field to larger, more established brands.

We hope this helps!

Monday, 2 April 2012

March Round-up

No comments:
It's already April folks! Here's our monthly round-up.

InfoSecurity Event in Malaysia 
We concluded our participation at Malaysia's inaugral InfoSecurity World Exhibition & Conference in Kuala Lumpur last month.

The infosecurity scene is definitely hotting up.

The days where we once could assume that safe data could remain safe are now over. Solutions are increasingly gaining in complexity with the rapid changes in technology. Protecting our data is an issue that should concern all of us. Our individual reputation, the economic well-being of the country, protection of intellectual property and even the sovereignty of a government are now dependent on how we safeguard our information and IT systems.

We learnt a lot about the Malaysian market as well as upcoming trends in the region. We were very fortunate to have met many of you who came down. Thank you so much for meeting up with the team.  

Do visit out Facebook Page for photos of the event!

GlobalSign launches open source PHP library for fully automated SSL secure site activation

OneClickSSL has simplified our lives by allowing for instant delivery of the highly secured GlobalSign SSL Certificates. GlobalSign is taking custom integration one step further by introducing a OneClickSSL open source library, removing any remaining integration hurdles for hosting companies wishing to increase SSL usage, whilst avoiding the customer service costs usually associated with supporting SSL.

Hosting companies only need to download the library to their server or application to benefit from instant provisioning of SSL Certificates. Once running, the OneClickSSL service automates the usual SSL process, from submitting the application for an SSL Certificate, to validating ownership of the domain, and installing the issued Certificate and related intermediate Certificates.

Find out more about the OneClickSSL open source library>

You can read the full March Newsletter here.