Announcements & Articles
Stay informed about the Acmetek Announcements & Articles and more.

GoDaddy & Let’s Encrypt Causes Security Concerns and Leaks.

GoDaddy last week has begun the process of re-issuing SSL certificates for more than 6,000 customers after a bug was discovered with there DV (Domain Validated) automated registrar’s validation process. This automated process of getting a certificate is one of the fastest ways of getting a validated digital certificate used to encrypt and validate websites or networks.

“GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process. ” “The bug caused the domain validation process to fail in certain circumstances.” Thayer VP and General Manager of Security Products at GoDaddy said in a statement.

When we hear terms such as “Improve Certificate Issuance Process” it usually means make things faster, or more automated. Keep in mind that GoDaddy is not a security company they are into hosting. Being a Certificate Authority (CA) is just a by product of the service they provide. The issue exposed sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site. Enabling a hacker the spread of malware, or steal personal information such as Banking login credentials. This move to “Improve” a certificate issuance comes from fear from a new free CA that has debut called Let’s Encrypt.

Let’s Encrypt is a free, automated, and open CA brought to you by the non-profit Internet Security Research Group (ISRG). The move for this free automated process is to help the industry migrate to enable HTTPS(SSL/TLS) for websites in the most user friendly way possible. It is meant to significantly lower the complexity of setting up and maintaining TLS encryption.

Features of Let’s Encrypt.

  • Let’s Encrypt issues Only domain-validated certificates, since they can be fully automated. Organization Validation and Extended Validation Certificates are not available.
  • Let’s Encrypt issues certificates valid for 90 days. Their reason is that these certificates “limit damage from key compromise and mis-issuance” and encourage automation. The official certbot client and most of the third-party clients allow automation of the certificate renewal.
  • Only Open Source Linux systems are capable with Lets’Encrypt automation.
  • No wildcard functionality (currently).
  • Elimination of payment, web server configuration, validation email management and certificate renewal tasks.

The Ugly/Disadvantages:malvertising

  • One disadvantage that makes big companies Not consider Let’s Encrypt is that visitors that connect to the site can’t be sure that it is the actual company that hosts the site. This is because Let’s Encrypt issues DV certificates for a domain free of charge without identity validation (personal or corporate)
  • Automatic renewal of these certificates tends to lead IT admins to neglect security upkeep’s on there systems. Majority of the time when an admin is made to visit a system due to a certificate needing an update they discover that they are out of compliance with needed patches and configurations. This can lead to backdoor hacking due to dated software and standards if left untouched.
  • The free cost of these certificate allows hackers to achieve a certificate. The potential for Let’s Encrypt being abused by those who can freely get these certificates are very present. Hackers tend to not want to spend money to achieve their goals.

Any technology that is meant for good can be abused by cyber criminals, and digital certificates like those of Let’s Encrypt’s are no exception. This trust system can be abused. There is one reported case where an attacker/malvertiser was able to perform a technique called “domain shadowing.” Domain shadowing is when the attacker is able to create sub domains under the legitimate site. With an embedded advertisement on a website an end user could click on a malicious add thinking that they are visiting an alternate page. In reality though they have been lead to the hackers malvertising server which could download a trojan or Randsomeware into that users system. A certificate authority that automatically issues free certificates specific to these sub-domains may inadvertently help cyber criminals, all with the domain owner being unaware of the problem and unable to prevent it.

Domain-validation certificates only confirm that the relevant domain is under the control of the site recipient. In theory, this will not validate the identity of the recipient. End users that visit these sites are unaware of the nuances of certificates may miss the differences, and as a result, these DV certificates can help the hacker gain legitimacy with the public. There is nothing wrong with the procurement of a DV certificate. Depending on the circumstances DV is advised for internal networks when there is a need for a quick cost effective resolution. Security is always is a Pro-Active industry. Cutting corners and making things easy for the sake of convenience is a double edge sword, and could lead to a loss of business and good reputation. Needless to say approach with caution.


Posted by:
Dominic Rafael
Lead Tech Solutions Engineer
Be sure to Subscribe!!
twitter

Encryption Standards Require Replacing SHA1 With SHA2 Certificates

What is SHA1 and why is it being depreciated?

Security always needs to be a proactive campaign. Not updating or keeping up with the progress of technology will open doors in security and will leave businesses open to be hacked.

SHA1 was the Algorithm that was used to create and sign encryption keypairs that are used to scramble data on websites, and applications. SHA1 was a replacement for MD5, and now SHA2 is the replacement for SHA1. 

 The CA/Browser Forum, is the governing entity of leading web browsers and certificate authorities (CAs) working together to stay proactive with security and publish their Baseline Requirements for SSL regarding the security standards of the web industry. These Requirements recommend that all CAs transition away from SHA-1 as soon as possible, and to discontinuing issuing SHA1 public facing certificates. The reason being that due to the progress of technology this old algorithm is on the verge of being exploited. 

Browser’s like Internet Explorer,  Firefox and Chrome are inforcing these standards but placing errors within their browsers associated with these standards. According to Google’s “Gradually Sunsetting SHA-1”, Chrome version 39 and later will display visual security indicators on sites with SHA-1 SSL certificates with validity beyond January 1, 2016.
In short:
Most browsers will not trust certificates that use SHA1 After 12/31/2016.

If you do not want to get an error on your website you will have to replace that old SHA1 certificate with a newer SHA2. 

 

How to Replace your old SHA1 certificate with SHA2?

To do list:

  1. Identify certificates that have a SHA-1 algorithm. Since the standard is already in effect you would definitely know if you still have a SHA1 certificate from the browser errors you would be getting in chrome.
  2. Contact your Certificate Authority for procedures in replacing any SHA-1 certificates with the SHA-2 certificates.
    Note: If your SSL certificate was issued through Acmetek Click HERE.
  3. Install your new SHA2 SSL Certificate to your server.
  4. Test your SSL installation by using an SSL Checker.

These standards are always changing. Especially with how fast new technologies are coming out. SSL Certificates are a method of enforcing industry standards to make a more secure internet for everyone.


About SSLSupportDesk:

SSLSupportDesk is part of Acmetek who is a trusted advisor of security solutions and services. They provide comprehensive security solutions that include Encryption & Authentication (SSL), Endpoint Protection, Multi-factor Authentication, PKI/Digital Signing Certificates, DDOS, WAF and Malware Removal. If you are looking for security look no further. Acmetek has it all covered!

Contact an SSL Specialist to get a consultation on the Website Security Solutions that can fit your needs.

Become a Partner and create additional revenue stream while the heavy lifting for you.