If you're still using TLS-SNI, stop: a year after a slip-up allowed miscreants to claim Let's Encrypt certificates for domains they didn't own, the free certificate authority has announced the final sunset of the protocol involved. In January 2018, Let's Encrypt discovered that validation based on TLS-SNI-01 and its planned successor TLS-SNI-02 could be abused. As we explained at the time: "A company might have investors.techcorp.com set up and pointed at a cloud-based web host to serve content, but not investor.techcorp.com. An attacker could potentially create an account on said cloud provider, and add an HTTPS server for investor.techcorp.com to that account, allowing the miscreant to masquerade as that business – and with a Let's Encrypt HTTPS cert, too, via TLS-SNI-01, to make it look totally legit." The SNI extension to the TLS protocol is supposed to validate the name presented by the server, something particularly important when a single IP address is serving a large number of websites. As we noted last year, the opportunity for abuse arises if the hosting provider doesn't verify ownership of a domain.
We like to think of ourselves as nerds here at TechCrunch, which is why we're bringing you this. During the government shutdown, security experts noticed several federal websites were throwing back browser errors because the TLS certificate, which lights up your browser with "HTTPS" or flashes a padlock, had expired on many domains. And because so many federal workers have been sent home on unpaid leave — or worse, working without pay but trying to fill in for most of their furloughed department — expired certificates aren't getting renewed. Depending on the security level, most websites will kick back browser errors. We got thinking: How many of the major departments and agencies are at risk? We looked at the list of government domains (not including subdomains) from 18F, the government's digital services unit, which updated the list just before the shutdown.
Federal authorities and private researchers are alerting companies to a wave of domain hijacking attacks that's using relatively novel techniques to compromise targets at an almost unprecedented scale. The attacks, which security firm FireEye said have been active since January 2017, use three different ways to manipulate the Domain Name System records that allow computers to find a company's computers on the Internet. By replacing the legitimate IP address for a domain such as example.com with a booby-trapped address, attackers can cause example.com to carry out a variety of malicious activities, including harvesting users' login credentials. The techniques detected by FireEye are particularly effective, because they allow attackers to obtain valid TLS certificates that prevent browsers from detecting the hijacking. "A large number of organizations has been affected by this pattern of DNS record manipulation and fraudulent SSL certificates," FireEye researchers Muks Hirani, Sarah Jones and Ben Read wrote in a report published Thursday. "They include telecoms and ISP[s], government and sensitive commercial entities." The campaign, they added, is occurring around the globe at "an almost unprecedented scale, with a high degree of success."
Apple's Safari team, following Chrome's lead, has begun warning people when they're visiting websites that aren't protected by HTTPS encryption. The feature for now is only in Safari Technology Preview 70, a version of the web browser Apple uses to test technology it typically brings to the ordinary version of Safari. Apple released the update Wednesday. Apple is trying hard to improve privacy right now, an effort that could dispel apathy about the issue and help Apple stand out from tech rivals. It's also meant Apple has butted heads with law enforcement officials and politicians who want to preserve something like the ability to tap phone lines. But when it comes to pushing website operators to secure connections, it's been players like Google, Mozilla and Cloudflare that took the initiative.
Fortnite opportunists have plagued the internet since the game's launch; WIRED has previously looked at the scourge of fake app downloads connected to the game's controversial Android launch. But a new report from security firm ZeroFox lays bare just how broadly these scams have proliferated across social media, YouTube, and thousands of domains. "Once we started digging into it, we uncovered a lot of stuff," says Zack Allen, director of threat operations at ZeroFox. By the numbers, that "stuff" comprises over 4,770 live domains dedicated to Fortnite scams; 1,390 YouTube videos advertising malicious links with combined views in the millions; and hundreds of links on social media every day that lead to fraudulent destinations. The fraud generally centers around V-Bucks, the in-game currency that players use to purchase various items and upgrades. Scammers typically try to lure people who'd rather not pay up, offering "V-Cash generators" and fake coupons in exchange for personal information, credit card numbers, or ad clicks that generate revenue for the crooks.
The free-to-use non-profit was founded in 2014 in part by the Electronic Frontier Foundation and is backed by Akamai, Google, Facebook, Mozilla and more. Three years ago Friday, it issued its first certificate. To date, more than 380 million certificates have been issued on 129 million unique domains. Let's Encrypt now secures 75 percent of the web, according to public Firefox data. That also makes it the largest certificate issuer in the world by far. "Change at that speed and scale is incredible," a spokesperson told TechCrunch.
The news benefits newer operating systems, devices, and browsers
Let's Encrypt is now trusted by all major root programs, paving the way forward for more widespread encryption on the Web. This week, the certificate authority (CA) said it is now directly trusted by all major authorities, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. Let's Encrypt is on a mission to bring encryption to webmasters worldwide. The service, offered by the Internet Security Research Group (ISRG), offers free SSL and TLS certificates in order to "create a more secure and privacy-respecting Web." Now, all major certificate authorities and browsers will accept Let's Encrypt certification as legitimate.
Back in February, Google announced its plans to label all sites accessed over regular unencrypted HTTP as "not secure," starting in July. Today, the company described the next change it will make to its browser: in September, Google will stop marking HTTPS sites as secure. The background to this change is the Web's gradual migration to the use of HTTPS rather than HTTP. With an ever-growing fraction of the Web being served over secure HTTPS—something now easy to do at zero cost thanks to the Let's Encrypt initiative—Google is anticipating a world where HTTPS is the default. In this world, only the occasional unsafe site should have its URL highlighted, not the boring and humdrum secure site. Most HTTP sites will get a regular gray "Not secure" label in their address bar.
Let's Encrypt has updated its certificate automation support and added Wildcard Certificates to its system. Certificate automation replaces what are otherwise manual and ad hoc mechanisms to apply for an X.509 certificate, and for the applicant's admins to prove they manage the domain in the certificate. ACME is the automation standard Let's Encrypt first wrote. It's described here (the proposed version is in its tenth edit). Written with input from Let's Encrypt, Cisco, the EFF and the University of Michigan, the ACME v2 document says the manual certificate application process looks like this: Create the certificate signing request (CSR) and paste it into a certificate authority's (CA's) Web page;
In July of 2017, the nonprofit certificate authority Let's Encrypt promised to deliver something that would put secure websites and Web applications within reach of any Internet user: free "wildcard" certificates to enable secure HTTP connections for entire domains. Today, Let's Encrypt took that promised service live, in addition to a new version of the Automated Certificate Management Environment (ACME) protocol, an interface that can be used by a variety of client software packages to automate verification of certificate requests. ACME version 2 "has gone through the IETF standards process," said Josh Aas, executive director of the Internet Security Research Group (ISRG), the group behind Let's Encrypt, in a blog post on the release. ACME v2 is currently a draft Internet Engineering Task Force standard, so it may not yet be in its final form. But the current version is the result of significant feedback from the industry. And its use is required to obtain wildcard certificates.
We've seen hosting plans offer as few as five email addresses for a website, and with inboxes limited to a few hundred megabytes, that's potentially a major issue for any business. It's a strong all-round package, but if you need more, DreamHost also offers everything from managed WordPress and WooCommerce, to VPS, Dedicated and Cloud Hosting plans. You can avoid long-term contracts by signing up for monthly billing, which costs $10.95 (£7.80) a month for shared hosting. Choose the three-year plan and the price drops to $7.95 (£5.70) a month, though. If there's a hardware failure, your website can immediately be switched to another server. The high-end features continue with a distributed Varnish caching setup to accelerate the loading of your static content, freeing up RAM and CPU time for producing dynamic content.
You'll need to find your own themes and plugins. If you don't have the time or technical experience for all that, you might prefer to buy a managed WordPress plan, and have the hosting company handle all the technical bits for you. The best hosts go even further, optimizing their servers to boost WordPress performance, and sometimes throwing in extras like a content delivery network (CDN) to deliver great speeds worldwide (hopefully). Whether you're a first-time user or a big business, there's something for you here, and with prices starting at around a pound per month, it's well worth taking the time to find out more. Check out the best web hosting services for 2018. Managed WordPress packages can often feel overpriced.
Shared hosting oversight bites free SSL/TLS certificate org
Let's Encrypt – a SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it's insecure in the context of many shared hosting providers. TLS-SNI is one of three ways Let's Encrypt's Automatic Certificate Management Environment (ACME) protocol validates requests for TLS certificates, which enable secure connections when browsing the web, along with the confidence-inspiring display of a lock icon. The problem is that TLS-SNI-01 and its planned successor TLS-SNI-02 can be abused under specific circumstances to allow an attacker to obtain HTTPS certificates for websites that he or she does not own. Such a person could, for example, find an orphaned domain name pointed at a hosting service, and use the domain – with an unauthorized certificate to make fake pages appear more credible – without actually owning the domain. For example, a company might have investors.techcorp.com set up and pointed at a cloud-based web host to serve content, but not investor.techcorp.com.
* And everyone else, too, of course
Let's Encrypt plans to begin offering free wildcard certificates in January 2018, a move likely to make web security easier and a bit less costly for many organizations. Announced in 2014 as an effort to enhance and accelerate online security, the public benefit certificate authority (CA) has been issuing free X.509 (TLS/SSL) certificates through an automated process that allows websites, given the technical requirements, to be accessed over encrypted HTTPS rather than the unprotected HTTP. Since its inception, Let's Encrypt has helped make the horribly insecure web less so. In a blog post, Josh Aas, executive director for the non-profit Internet Security Research Group, which operates Let's Encrypt on behalf of partner organizations, said the CA has secured 47 million domains through its free automated Domain Validation (DV) certificate API. "This has contributed heavily to the Web going from 40% to 58% encrypted page loads since Let's Encrypt's service became available in December 2015," said Aas.
Let's Encrypt, the free and open certificate authority (CA) launched as a public service by the Internet Security Research Group (ISRG), says it will begin providing free "wildcard" certificates for Internet domains in January 2018. Wildcard certificates allow anyone operating a domain to link a single certificate to multiple subdomains and host names within a domain. That means a single free certificate could be used to provide HTTP Secure (HTTPS) encryption of pages on multiple servers or subdomains hosted on a single server, significantly lowering the barrier for adoption of HTTPS on personal and small business websites. In its current form, which requires registration of a certificate for each individual Web address, Let's Encrypt is used for HTTPS on more than 46 million websites. The organization issued its 100 millionth certificate on June 29. Currently, about 58 percent of webpage visits are encrypted via HTTPS based on browser metrics.
Founded back in 2003, A2 Hosting now provides products for just about all your web hosting needs. The company has a particular focus on performance, with website talk of 'turbo servers' and 'up to 20x faster' speeds for the top account, but there are plenty of other features on offer. Shared hosting starts with the Lite plan at £3 ($3.90) a month initially, doubling on renewal. Unusual extras include a free SSL certificate via Let's Encrypt. What you're getting is premium hosting on optimised servers (Turbo Cache, APC/OPcache, Memcached) with fewer users. There's also an unusual option to use an A2 Hosting subdomain, which allows you to postpone any domain decisions until later.
Usernames, passwords swiped for hours, malware dropped on PCs
Rather than picking off online banking customers one by one, ambitious hackers took control of a Brazilian bank's entire DNS infrastructure to rob punters blind. The heist, detailed by security engineers at Kaspersky Lab, took place over about five hours on Saturday October 22, 2016, after the miscreants managed to get control of the bank's DNS hosting service using targeted attacks. They managed to transfer all 36 of the bank's domains to phony websites that used free HTTPS certs from Let's Encrypt. These sites masqueraded as the bank's legit online services, tricking marks into believing the malicious servers were the real deal. That allowed the crims to steal customers' usernames and passwords as they were typed into the sites' login boxes.
Google favors websites that are fully secure with an HTTPS URL. Even if you do not accept any transactions on your website, i.e. a blog, it is still smart to attach an SSL certificate to your domain. Most SSL certificates will cost around $65 per year, but if you are using a hosting company like Dreamhost you can attach a free Let's Encrypt certificate easily with very few changes: https://letsencrypt.org/. That being said, once you have made the switch you need to make sure that your website is correctly redirecting traffic from the HTTP to the HTTPS website via a 301 Redirect. If you are setting up the SSL through your hosting provider they should be able to help you with the redirect.
Two in three web pages served over the world's favourite web browser Chrome are now secured with HTTPS, Google says. The good news applies to Chrome on the desktop and signifies progress in the long-hoped-for decline of insecure cleartext browsing. Chrome security bods Adrienne Porter Felt and Emily Schechter say that across all desktop platforms, the majority of Chrome page loads are now made over HTTPS. "More than half of pages loaded and two-thirds of total time spent by Chrome desktop users occur via HTTPS, and we expect these metrics to continue their strong upward trajectory," the pair said. Free SSL certificate services including those offered by Let's Encrypt, Cloudflare, and Amazon, along with a recent much heightened demand for better information security controls by internet users, have contributed to the rise in SSL. The Google security duo say the sometimes difficult migration to SSL does not impact its DoubleClick, AdWords, or AdSense advertising platforms, nor the search listing rankings of sites that move to the more secure protocol.
Popular Bash shell script LetsEncrypt.sh, which is used to manage free SSL/TLS certificates from the Let's Encrypt project, was renamed this week to avoid a trademark row. LetsEncrypt.sh, written by Germany-based Lukas Schauer, is now known as Dehydrated. If you have scripts or apps that rely on pulling in his code and running it, they may stop working as a result of the name change. Dehydrated is developed independently by Schauer and is not officially affiliated with Let's Encrypt. "This project was renamed from letsencrypt.sh because the original name was violating Let's Encrypt's trademark policy. I know that this results in quite a lot of installations failing but I didn't have a choice," reads the new Dehydrated README.