Announcements & Articles : All Posts

  • February 14, 2017

    WhatsApp Enables Two-Factor Authentication, Strengthening Its Security

     

    WhatsApp is a widely popular, free-to-use, cross-platform smartphone messaging application that lets users make voice/video calls and send text messages, documents, images, GIFs, user locations, etc. over their phone service or Wi-Fi internet connection. Its popularity is greatest in regions where data rates or roaming charges can cost an arm and a leg.

    WhatsApp Inc., based in Mountain View, California, was acquired by Facebook in February 2014 for a ridiculous $19.3 billion US dollars. By February 2016, WhatsApp had a user base of over one billion, making it the most popular messaging application at the time.

    Over recent years, privacy and security have been a focus for the popular messaging app. In 2014 WhatsApp implemented end-to-end HTTPS encryption, scrambling the information exchanged between communicating users. The latest security implementation is the arrival of two-step verification.

     

    What is Two-Step Verification?

     

    Two-step verification is an optional feature that adds more security to your account. The technology is not new, and it has been in use for quite some time. Blizzard Inc., creator of the biggest online MMO (Massively Multiplayer Online) game, World of Warcraft, implemented two-factor authentication back in 2008 to protect gamers’ accounts from being hacked. Two-step, or two-factor, authentication protects your accounts by requiring you to provide an additional piece of information after you give your password. In the most common implementation, after you correctly enter your password, an online service sends you a text message or an email with a unique string of numbers that you need to punch in to get access to your account.

     

    Implementing Two Step Verification on WhatsApp:

     

    To enable two-step verification, open WhatsApp > Settings > Account > Two-step verification > Enable.

    Upon enabling this feature, you can also optionally enter your email address. This email address allows WhatsApp to send you a link via email to disable two-step verification in case you ever forget your six-digit passcode, and also helps safeguard your account. WhatsApp will not verify this email address to confirm its accuracy, so you will want to provide an accurate email address so that you are not locked out of your account if you forget your passcode.

     

    How it works:

    After enabling two-step verification, if you receive an email to disable two-step verification, or receive a passcode request that you did not initiate, do not click on the link! Someone could be attempting to verify your phone number on WhatsApp elsewhere, meaning that someone is attempting to gain access to your account. Stay secure.


    About SSLSupportDesk:

    SSLSupportDesk is part of Acmetek who is a Symantec Website Security Solutions Authorized Distributor and a Platinum Partner. Acmetek offers all 4 Brands of SSL Certificates: Symantec, Thawte, GeoTrust and RapidSSL. Offering Norton Shopping Guarantee that inspires trust and increases online sales with a 20x ROI Guarantee.

    Contact an SSL Specialist to buy your SSL Certificates from Acmetek, a Symantec Strategic/Platinum Distributor.

    Become a Partner and create an additional revenue stream while we do the heavy lifting for you.

  • January 27, 2017

    GoDaddy last week began the process of re-issuing SSL certificates for more than 6,000 customers after a bug was discovered in the automated validation process for its DV (Domain Validated) certificates. This automated process is one of the fastest ways of obtaining a validated digital certificate used to encrypt and authenticate websites or networks.

    “GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process. The bug caused the domain validation process to fail in certain circumstances,” Thayer, VP and General Manager of Security Products at GoDaddy, said in a statement.

    When we hear terms such as “improve the certificate issuance process,” it usually means making things faster or more automated. Keep in mind that GoDaddy is not a security company; they are a hosting company, and being a Certificate Authority (CA) is just a by-product of the service they provide. The issue exposed sites running SSL certificates from GoDaddy to spoofing, where an attacker could obtain a certificate and pose as a legitimate site, enabling the attacker to spread malware or steal personal information such as banking login credentials. This move to “improve” certificate issuance comes from fear of a new free CA that has debuted, called Let’s Encrypt.

    Let’s Encrypt is a free, automated, and open CA brought to you by the non-profit Internet Security Research Group (ISRG). The goal of this free automated process is to help the industry migrate to HTTPS (SSL/TLS) for websites in the most user-friendly way possible. It is meant to significantly lower the complexity of setting up and maintaining TLS encryption.

    Features of Let’s Encrypt:

    • Let’s Encrypt issues only domain-validated certificates, since they can be fully automated. Organization Validation and Extended Validation certificates are not available.
    • Let’s Encrypt issues certificates valid for 90 days. Their reason is that these certificates “limit damage from key compromise and mis-issuance” and encourage automation. The official certbot client and most of the third-party clients allow automation of the certificate renewal.
    • Only open-source Linux systems are capable of Let’s Encrypt automation.
    • No wildcard functionality (currently).
    • Elimination of payment, web server configuration, validation email management and certificate renewal tasks.

    The Ugly/Disadvantages:

    • One disadvantage that makes big companies not consider Let’s Encrypt is that visitors who connect to the site cannot be sure that it is the actual company that hosts the site. This is because Let’s Encrypt issues DV certificates for a domain free of charge without identity validation (personal or corporate).
    • Automatic renewal of these certificates tends to lead IT admins to neglect security upkeep on their systems. The majority of the time, when an admin is made to visit a system because a certificate needs an update, they discover that they are out of compliance with needed patches and configurations. If left untouched, this can lead to backdoor hacking due to dated software and standards.
    • Because these certificates are free, hackers can obtain them too. The potential for Let’s Encrypt to be abused by those who can freely get these certificates is very real; hackers tend not to want to spend money to achieve their goals.

    Any technology that is meant for good can be abused by cyber criminals, and digital certificates like those of Let’s Encrypt are no exception. This trust system can be abused. There is one reported case where an attacker/malvertiser was able to perform a technique called “domain shadowing.” Domain shadowing is when the attacker is able to create subdomains under a legitimate site. With an embedded advertisement on a website, an end user could click on a malicious ad thinking that they are visiting an alternate page. In reality, though, they have been led to the attacker’s malvertising server, which could download a trojan or ransomware onto that user’s system. A certificate authority that automatically issues free certificates for these subdomains may inadvertently help cyber criminals, all while the domain owner is unaware of the problem and unable to prevent it.

    Domain-validation certificates only confirm that the relevant domain is under the control of the certificate recipient. In theory, this does not validate the identity of the recipient. End users who visit these sites and are unaware of the nuances of certificates may miss the differences, and as a result these DV certificates can help the attacker gain legitimacy with the public. There is nothing wrong with the procurement of a DV certificate; depending on the circumstances, DV is advised for internal networks when there is a need for a quick, cost-effective resolution. Security is always a proactive industry. Cutting corners and making things easy for the sake of convenience is a double-edged sword, and could lead to a loss of business and good reputation. Needless to say, approach with caution.

    Posted by:
    Dominic Rafael
    Lead Tech Solutions Engineer

  • January 10, 2017

    How to Replace SHA-1 with SHA-2 certificates:

    Depending on which Certificate Authority issued your certificate and how you purchased it, a reissue of the certificate may be available to you. This requires a new CSR to be generated, typically via a reissue or replace option in the portal used to manage your SSL certificate. The end result is a new SHA-2 SSL certificate that must then be reinstalled on the server system.

    1. Identify certificates that have a SHA-1 algorithm.
      Knowing the Order number or Common Name of the SSL certificate issued will typically be required.
    2. If your SSL certificate was issued through Acmetek Click HERE.
      Note: Contact your Certificate Authority for procedures in replacing any SHA-1 certificates with the SHA-2 certificates.
    3. Install the new SHA-2 end-entity/SSL Certificate and SHA-2 Intermediate CA certificate to your server.
    4. Test your SSL installation by using an SSL Checker.
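    Step 1 in practice: an added example, not code from SSLSupportDesk or Acmetek, that reads the signatureAlgorithm OID straight out of a certificate’s DER encoding with no third-party library, so that any certificate still signed with SHA-1 can be flagged for reissue before you go to the portal. It assumes DER input (a PEM file can be converted first with `openssl x509 -in cert.pem -outform DER -out cert.der`); the sample blobs at the bottom are constructed stand-ins for testing, not real certificates.

```python
# signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (name, still SHA-1?)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf, pos):
    """One DER tag-length-value at buf[pos] -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """DER OBJECT IDENTIFIER contents -> dotted-decimal string."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0  # first byte packs the first two arcs
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128; high bit set = more bytes follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer Certificate.signatureAlgorithm (RFC 5280 s4.1)."""
    tag, start, _ = _read_tlv(der, 0)  # Certificate ::= SEQUENCE { tbs, alg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input must be converted first)")
    _, _, tbs_end = _read_tlv(der, start)  # skip tbsCertificate entirely
    _, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(der[oid_start:oid_end])

def needs_sha2_replacement(der):
    """(algorithm name, True if the certificate is SHA-1 signed and must be reissued)."""
    oid = signature_algorithm(der)
    return SIG_OIDS.get(oid, (oid, False))  # unknown OID: report it, do not flag

# CONSTRUCTED stand-ins for offline testing (empty tbsCertificate, given AlgorithmIdentifier
# with NULL params, one-byte signature). These are not real certificates.
SHA1_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
def constructed_sample(sig_oid_der):
    alg = b"\x30" + bytes([len(sig_oid_der) + 2]) + sig_oid_der + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

    Run `needs_sha2_replacement(open("cert.der", "rb").read())` over each certificate in your inventory; any result whose second value is True belongs in step 2.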

    Why the SHA-1 Deprecation?

    SHA-1’s use on the Internet has been deprecated since 2011. The CA/Browser Forum, an industry group of leading web browsers and certificate authorities (CAs) working together, published its Baseline Requirements for SSL regarding this deprecation. These requirements recommended that all CAs transition away from SHA-1 as soon as possible, and followed similar events in other industries and sectors, such as NIST deprecating SHA-1 for government use in 2010. The reason is that, with the progress of technology, this old algorithm is on the verge of being practically exploited.
    Microsoft and Google announced SHA-1 deprecation plans that affect websites with SHA-1 certificates, and these plans have already taken effect. According to Google’s blog post “Gradually Sunsetting SHA-1,” Chrome version 39 and later display visual security indicators on sites with SHA-1 SSL certificates whose validity extends beyond January 1, 2016.
    In short:
    After 12/31/2016, most browsers will not trust certificates that use SHA-1. Use SHA-2 instead.

    Purpose of Migration:

    Some organizations may state that their systems can’t understand SHA-2 and that they need this industry standard extended. But at some point those organizations need to take into account that these standards have been in place since 2011. The constant rhetoric of “oh, we will upgrade next year” will never happen, and if the industry were to extend insecure practices while faced with ample evidence of their weaknesses, this would put the entire community at risk. As technology ever evolves, so do the security risks. Stagnation is what leaves a network vulnerable.



  • December 30, 2016

    After your certificate has been issued, as on the majority of server systems, you will install your SSL certificate on the same server where your Certificate Signing Request (CSR) was created. This is because your private key always stays on the server system where the CSR was originally generated, either inside the application or in a directory and path you chose when you generated the CSR. Your SSL certificate will not work without this private key file.

    If you do not see your server listed, perform a search, or you may have to contact your server vendor or hosting provider for best practices on how to install an SSL certificate on your system.

    Check your SSL installation with the Symantec Certificate Checker 

    Instructions for server vendors:


    A:
    Apache (OpenSSL/Nginx, ModSSL)

    Apple Mac OS X 10.6
    Apple Mac OS X 10.11

    Aruba ClearPass


    B:
    Barracuda SSL VPN


    C:
    Citrix Netscaler

    Cisco ASA 5510
    Cisco Wireless LAN Controller

    cPanel


    F:
    F5 BIG IP
    F5 FirePass

    FortiGate


    I:
    IBM AS/400 iSeries
    IBM WebSphere


    J:
    Juniper

    JBoss http

    JBoss Tomcat using x509 
    JBoss Tomcat pkcs7


    K:
    Kemp 6.x


    M:
    Microsoft Azure

    Microsoft Active Directory LDAP

    Microsoft Exchange 2010
    Microsoft Exchange 2013

    Microsoft Forefront

    Microsoft Server 2008 – IIS 7 & 7.5
    Microsoft Server 2012 – IIS 8 & 8.5

    Microsoft Lync

    Microsoft Office 365

    Microsoft Sharepoint 2010
    Microsoft Sharepoint 2013


    O:
    Oracle Wallet Manager


    P:
    Plesk 11.x
    Plesk 12


    S:
    SonicWall

    SAP Web Application Server

    SRT Titan FTP


    T:
    Tomcat pkcs7 
    Tomcat x509


    W:
    Web Host Manager (WHM)


    Z:
    Zimbra

