Thursday, 28 July 2011

SkyyPay Renews GeoTrust's EV SSL Certification


Casper, WY, July 3, 2011 – Skyy Services is proud to announce its renewal of GeoTrust’s EV (Extended Validation) SSL Certificate for its SkyyPay service (www.skyypay.com). SkyyPay, the leading universal online payment processing provider, has yet again proven its commitment to providing a high level of security in protecting customers’ sensitive data.
This certification confirms that SkyyPay customers may perform secure online transactions and conduct business over the Internet in complete security and confidence. The EV SSL Certificate requires a stricter verification process that most companies cannot pass, which results in a high rejection ratio.
“The GeoTrust EV SSL Certification maximizes the security of our digital transactions and reinforces the legitimacy of our company,” said Ms. Meek, General Manager of Skyy Services. “Customers will see the GeoTrust logo on our SkyyPay website and be reassured that all their transactions are safe.” After undergoing a long and thorough verification process, Skyy Services was able to renew its GeoTrust EV SSL Certificate, enabling SkyyPay, a leading online payment processing service, to achieve this certification. Obtaining this highest level of authentication reaffirms Skyy Services’ commitment to offering customers products and services that are compliant with global standards.
About Skyy Services
Skyy Services is a full-spectrum e-commerce agency providing innovative technology solutions to individuals and businesses worldwide. The company’s wide array of online services helps clients build, manage and grow their online business. Founded in 2009, Skyy Services is headquartered in Hong Kong with branch offices in the Philippines and the United States. For more information on Skyy Services and its products, please visit http://www.skyyservices.com.

About GeoTrust
A wholly owned subsidiary of Symantec Corp. (NASDAQ: SYMC), GeoTrust is the world’s largest digital certificate provider. More than 100,000 customers in over 150 countries trust GeoTrust to secure online transactions and conduct business over the Internet. GeoTrust’s range of digital certificate and trust products enables organizations of all sizes to maximize the security of their digital transactions cost-effectively. For more information, please visit http://www.geotrust.com.


Wednesday, 27 July 2011

EV SSL - the antidote for SSLStrip attacks


EV SSL allows software to authenticate strongly in ways which defeat the SSLStrip attack. We saw that with conventional certificates, especially domain-validated certificates, there is no reliable information to back up the authentication of the domain name. To address this critical problem, certificate authorities and software companies joined to form the CA/Browser Forum [4] and promulgate a new standard called EV SSL for Extended Validation SSL.

EV SSL defines rules for who can qualify for such a certificate and the procedures a CA must follow in order to validate the information. For instance, they must validate that the organization exists as a legal entity, that any organization names are legal names for that organization, and that the applicant is authorized to apply for the certificate.

EV SSL defeats the SSLStrip attack by letting software authenticate strongly; see the Figure for an illustration. In addition to the domain name, the fields generally ignored by conventional SSL implementations, such as organization name, are required in EV SSL and can be checked reliably every time. This second level of authentication ensures that the parties know exactly with whom they are communicating. Since the organization names in EV certificates have been verified, users and applications that rely on an EV SSL certificate can identify the actual owner of the certificate with confidence.

The specification is also clear about the information that must be provided by the applicant. Other rules are more restrictive than with conventional SSL. For instance, wildcard certificates, the type that makes null-character attacks even more dangerous, are not allowed in EV SSL.

EV certificates are also limited in lifetime relative to conventional certificates: the maximum validity period is 27 months. This ensures “freshness” of the information in the certificate.

In addition to collecting a proper EV Certificate request, containing much organization information including the jurisdiction of incorporation, and a signed subscriber agreement, the CA is required to verify that the organization exists and operates at the locations specified in the request. It may consult government sources for this, and it has to verify that the entity exists at the physical address specified. For business organizations a face-to-face verification of the principal individual in the entity is required.
The requirements go on and on for 93 pages. It would be very hard to get a fake EV certificate.

EV certificates enable strong authentication

Standards also specify what software needs to do in order to authenticate a party based on a certificate. Unlike the loose conventions which developed around conventional SSL, these rules must be followed for EV.

When encountering an EV certificate, a program must confirm first that the CSP (Certificate Service Provider), meaning the certificate authority who issued the EV certificate, is authorized to issue such certificates. Each CSP has a unique EV policy identifier associated with it which must be compared to the identifier in the end-entity certificate.

Applications that use EV certificates properly need to embed CSP root certificates in order to confirm that certificates they encounter are issued by trusted roots. Required procedures for CSPs to work with application developers, including providing test facilities, are defined by the CA/Browser Forum.

“Relying applications [clients authenticating certificates] must provide adequate protection against malign threats to the integrity of the application code and the CSP root.” This is the sort of requirement that needs some history to fully define itself, but basically it puts the onus on application developers to take care to write secure code.

The rules state that applications must be able to handle key strength of symmetric algorithms of at least 128 bits.

Applications are required to check for revocation of the certificate before accepting it. The application should support both CRL and OCSP, although OCSP is clearly the wave of the future and the only scalable approach. (In his presentation Marlinspike suggests a method for bypassing OCSP by returning a “Try again later” code, in which case the application typically gives up and authenticates. The EV rules state: “If the application cannot obtain a response using one service, then it should try all available alternative services.” This precludes the lazy behavior described by Marlinspike.)

Once all of these requirements have been met and the fields in the certificate match those expected by the application, then it may proceed.
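The relying-party procedure described in this section, as an added Go example that is not from the original article: a constructed root and leaf are built in memory, then the leaf is checked against the embedded root, that root's EV policy identifier, the verified Organization field, and revocation status, where a "try again later" answer moves on to the next CRL/OCSP service instead of being accepted. The root name, the policy OID, the organization and the hostname are all constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Embedded CSP roots by subject CN, each with the EV policy OID it may issue under (constructed placeholder OID).
var evPolicyByRoot = map[string]asn1.ObjectIdentifier{"Example EV Root CA": {1, 3, 6, 1, 4, 1, 99999, 1, 1}}

// StatusService models one CRL or OCSP source; answered=false stands for a "try again later" reply.
type StatusService func(serial *big.Int) (revoked, answered bool)

// checkRevocation consults every available service in turn and fails closed if none answers.
func checkRevocation(serial *big.Int, services []StatusService) error {
	for _, svc := range services {
		if revoked, answered := svc(serial); answered && revoked {
			return errors.New("certificate is revoked")
		} else if answered {
			return nil
		}
	}
	return errors.New("no CRL/OCSP service answered; refusing to accept the certificate")
}

// checkEV: chain to an embedded root, that root's EV policy OID in the leaf, Organization as expected, not revoked.
func checkEV(leaf *x509.Certificate, roots *x509.CertPool, host, wantOrg string, svcs []StatusService) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	root := chains[0][len(chains[0])-1]
	want := evPolicyByRoot[root.Subject.CommonName] // nil when this root is not an authorised EV CSP
	var hasPolicy bool
	for _, oid := range leaf.PolicyIdentifiers {
		hasPolicy = hasPolicy || oid.Equal(want)
	}
	if !hasPolicy {
		return errors.New("root is not an authorised EV CSP, or leaf lacks its EV policy identifier")
	}
	if len(leaf.Subject.Organization) != 1 || leaf.Subject.Organization[0] != wantOrg {
		return fmt.Errorf("organization %v does not match %q", leaf.Subject.Organization, wantOrg)
	}
	return checkRevocation(leaf.SerialNumber, svcs)
}

// makePair builds a constructed root and a leaf it signs; certificatePolicies is encoded by hand (same on every Go release).
func makePair(org, host string, policy asn1.ObjectIdentifier) (*x509.CertPool, *x509.Certificate) {
	rkey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	lkey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example EV Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, root, root, &rkey.PublicKey, rkey)
	rootCert, _ := x509.ParseCertificate(rootDER)
	polExt, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host, Organization: []string{org}},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polExt}}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, rootCert, &lkey.PublicKey, rkey)
	leafCert, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(rootCert)
	return pool, leafCert
}

func main() {
	roots, leaf := makePair("Example Corp", "db.example.com", evPolicyByRoot["Example EV Root CA"])
	good := func(*big.Int) (bool, bool) { return false, true } // constructed OCSP responder replying "good"
	fmt.Println("EV check:", checkEV(leaf, roots, "db.example.com", "Example Corp", []StatusService{good}))
}
```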

Implementation considerations

Adopting EV SSL is not simply a matter of buying and using an EV SSL certificate. Client software has to know to look for an EV SSL certificate and to follow the rules for implementing EV SSL authentication.
Fortunately, it is not difficult programming, but it potentially needs to be done in in-house code as well as in third-party client software. The work is the same in all places, and if you are well-organized about your certificates it will be straightforward. Many products, including current Windows versions, support EV SSL out of the box.

SSLStrip attack could be used against server-server communications with the potential for mass-compromise of confidential data

Advances in attacks on network security over the last few years have led to many high-profile compromises of enterprise networks and breaches of data security. A new attack is threatening to expand the potential for attackers to compromise enterprise servers and the critical data on them. Solutions are available, and they will require action by company officers and administrators.

“SSLStrip” and related attacks [1] were among the highlights of the July 2009 Black Hat show in Las Vegas [2]. Researcher Moxie Marlinspike [3] combined a number of discrete problems, not all related to SSL, to create a credible scenario in which users attempting to work with secure web sites were instead sent to malicious fake sites. One of the core problems described by Marlinspike is the ability to embed null characters in the common name field of a certificate, designating a domain name. This can be used to trick software, web browsers for example, into recognizing a domain name different from the complete field name. The result is that software, and users, are misled as to the actual domain with which they are communicating.

SSLStrip has not lacked for press coverage, but the analysis has focused on the consumer or end user with a browser. The use of SSL in embedded applications, including server-server communications, presents an even more ominous scenario. This is because the SSLStrip attack could be used against server-server communications with the potential for mass compromise of confidential data.

This spoofing problem is solved by proper use of Extended Validation SSL certificates for authentication. Moving certificate-based enterprise authentication to EV SSL would therefore protect an organization against this form of attack.

SSL authentication is most famous for providing secure web access to sites with sensitive information, such as banks, but it has many applications. It is commonly used, for example, as a means for parties in a machine-to-machine, typically server-server, conversation to verify each other’s identity; see Figure A for an illustration.

The recent revelation of a new attack against SSL threatens these server-server communications. An attacker who gains access to the network could use the attack to spoof the identity of a critical server and thereby gain unauthorized access to critical data.

Since EV SSL Certificates contain only authenticated organization information, businesses can employ EV SSL and require the organization information to match the expected values before allowing access to mission-critical applications. In this scenario the intruder using the new attacks will fail to gain access because it will lack the EV certificate, the correct organization information, or both.



It is possible to trick the client into seeing the name it expects, when the actual domain name in the certificate is that of a malicious site

The main weakness with conventional SSL certificates is that there are no standards for their issuance, nor any rules for what the fields in them are supposed to mean and which are required for authentication. One implication is that client applications, called relying parties, cannot have confidence that the organization listed as the owner of the certificate is in fact that owner. This follows all the way up the chain until the relying party reaches a trusted root.

In fact, the least expensive SSL Certificates, domain-authenticated certificates, don’t even authenticate an organization, merely an internet domain. Users can tell precious little from them about those with whom they are doing business.

Marlinspike’s SSLStrip attack demonstrated the combination of several attack techniques to exploit the above weaknesses and fool users / client applications into thinking they were using a trusted site / server, when in fact they were using a fake version of that site / server. He combined a number of techniques, including “man-in-the-middle,” fake leaf node certificates and the null character attack. 


Null characters in a domain name

The key threat Marlinspike discloses is the use of null (zero value, often designated ‘\0’) characters embedded in a domain name.

Online purchase of inexpensive “domain-validated” SSL Certificates is so automated that it’s often possible to buy one with an embedded null character. For example: \0thoughtcrime.org. In the attack, the domain name of the certificate is appended to the right of the domain name to be spoofed, for example, “www.verisign.com\0thoughtcrime.org”. (Thoughtcrime.org is a domain owned by Marlinspike and used by him in his examples.)

Most software treats the null character as a string terminator. So when SSL client software reads the certificate domain name in the example it will stop at the null and treat the certificate as valid for www.verisign.com as issued by the certificate authority.

Null-stripping

Two SSL implementations, the Opera and Safari browsers, defeat this specific attack by stripping null characters from the Common Name. Thus, in the example above, the comparison will be to www.verisign.com.thoughtcrime.org and it will fail. But Marlinspike claims that some certificate authorities can be tricked with the same vulnerability in a way that makes null-stripping itself a vulnerability. In his example, he buys a certificate for sitekey.ba\0nkofamerica.com. Presumably he owns nkofamerica.com. When this name is presented to Opera or Safari it will display his attack site as sitekey.bankofamerica.com, the login page for that bank.
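The three comparison behaviours described in the two sections above, the terminator-based match, the Opera/Safari null-stripping match, and a strict match that validates the full field before comparing, as an added Go example that is not from the original article. The inputs are constructed names shaped like the text's examples; the strict matcher also rejects wildcards, which EV forbids anyway.

```go
package main

import (
	"fmt"
	"strings"
)

// cString mimics what a C strcmp-style comparison sees: nothing past the first NUL byte.
func cString(s string) string {
	if i := strings.IndexByte(s, 0); i >= 0 {
		return s[:i]
	}
	return s
}

// naiveMatch is the terminator-based comparison the text describes as vulnerable.
func naiveMatch(cn, expected string) bool {
	return strings.EqualFold(cString(cn), expected)
}

// strippingMatch is the Opera/Safari behaviour from the text: drop the NULs, then compare.
func strippingMatch(cn, expected string) bool {
	return strings.EqualFold(strings.ReplaceAll(cn, "\x00", ""), expected)
}

// validHostname accepts only the bytes a DNS name may contain (letters, digits, '-', '.'),
// so an embedded NUL or any other control byte is rejected before any comparison happens.
func validHostname(name string) bool {
	if name == "" || len(name) > 253 {
		return false
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return false
		}
		for i := 0; i < len(label); i++ {
			c := label[i]
			if !(c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' || c == '-') {
				return false
			}
		}
	}
	return true
}

// strictMatch is the defensive rule: take the whole field as its DER length delivers it,
// validate every byte of both names, and only then compare case-insensitively.
func strictMatch(cn, expected string) bool {
	return validHostname(cn) && validHostname(expected) && strings.EqualFold(cn, expected)
}

func main() {
	// Constructed names shaped like the text's examples; "\x00" is the embedded null.
	cases := []struct{ cn, expected string }{
		{"www.verisign.com\x00thoughtcrime.org", "www.verisign.com"},
		{"sitekey.ba\x00nkofamerica.com", "sitekey.bankofamerica.com"},
		{"www.example.com", "www.example.com"},
	}
	for _, c := range cases {
		fmt.Printf("%q vs %s: naive=%v stripping=%v strict=%v\n", c.cn, c.expected,
			naiveMatch(c.cn, c.expected), strippingMatch(c.cn, c.expected), strictMatch(c.cn, c.expected))
	}
}
```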

Man-in-the-middle

If you’re on the same local network as the server you are compromising, Marlinspike’s techniques make it very possible to perform the man-in-the-middle attack; see Figure B for an illustration. A number of popular techniques exist for this: a rogue wireless access point is one, or DNS or ARP cache poisoning. If you’re not on the same network then you need to get there, which you can do most likely by installing malware on a relatively less-secured system on the same network. The attacks which make this possible are legion.

Damage potential in server-server environments

The damage potential of this attack in a server-server communication scenario, such as database servers synchronizing across a WAN, is substantial.

Such servers commonly use SSL to authenticate each other. A malicious user on the network could spoof that authentication using the techniques described above. One that authenticated as a database mirror could capture the entire database including, if it’s stored on the server, privileged information and confidential customer data.



Tuesday, 26 July 2011

Using Wildcard Certificates with the Citrix Access Gateway

Recently, I had the opportunity to install a wildcard certificate on a Citrix Access Gateway. For this install, there were two Access Gateway appliances in a DMZ and the license server, housing the Access Gateway licenses, was on the internal network. My initial research didn't turn up much, but I did find the following items within the Access Gateway Administrators Guide: 



The following are taken directly from the Access Gateway Administrator’s Guide:

1. Using Wildcard Certificates

The Access Gateway supports validation of wildcard certificates for Secure Access Clients. The wildcard certificate has an asterisk (*) in the certificate name. Wildcard Certificates can be formatted in one of two ways, such as *.mycompany.com or www*.mycompany.com. When a wildcard certificate is used, clients can choose different Web addresses, such as http://www1.mycompany.com or http://www2.mycompany.com. The use of a wildcard certificate allows several Web sites to be covered by a single certificate.

2. Important: The FQDN must match what is on the digital certificate and the license for the Access Gateway.

So, it appears to be supported, and perhaps even doable.

Then I came across this Citrix Knowledge Center article. The section of the article of most concern to me is shown below:




"Some of the problems that may occur when dealing with Access Gateway and certificates are as follows: Verification Failure error during upload of certificate.

This will happen if you try to upload a certificate without a private key. A common situation is where a company has multiple Access Gateways and uploads the same cert to each gateway.

The resolution in this case is to generate a new CSR and have a new certificate issued with the private key."

So, maybe it won't work since I want to use the same wildcard certificate on each Access Gateway. 

Well, I proceeded to convert and install the Wildcard SSL Certificate on each Access Gateway. I set the External FQDNs on each CAG as cag1.domain.com and cag2.domain.com respectively. Upon the next reboot, I got the "Verification Failure" error on each device which, in this case, caused them to reboot themselves after a few minutes. The exact error displayed on the CAG console:




I followed the advice given, i.e., reset the server certificate and reboot the CAG.



After the reboot, I uploaded the wildcard certificate to each CAG once again, but this time, I did not specify an External FQDN on the CAGs and rebooted. This time, the CAGs stayed up and clients could successfully use the Secure Access Client for HTTPS VPN access and the Web Interface for connecting to specific published applications. 

To recap, to use the same wildcard SSL Certificate on each CAG, I uploaded the certificate to each CAG and left the External FQDN option blank. With this configuration, connectivity to internal resources can be achieved through the CAG using the Secure Access Client or the Web Interface. 

What I'd like to know is if any of you have used wildcard certificates on your CAGs, and if so, what do your configurations look like?





GlobalSign’s Lila Kee Recognized by CRN Magazine

(The Hosting News) – GlobalSign,  one of the longest established Certification Authorities (CA) and specialists in online security, today announced that Lila Kee, Chief Product Officer and Vice President of US Business Development, has been recognized as a Power 100 Woman of the Channel by CRN Magazine. The “Who’s Who” list recognizes female executives for their accomplishments over the past year, based on their achievements and the amount of influence they wield over the technology channel.  This year’s Women of the Channel were chosen by the editors of CRN Magazine from a field of vendor channel organizations, distributors and solution providers.


As Chief Product Officer and Vice President of US Business Development, Lila is constantly looking for ways to optimize GlobalSign’s security offerings, forging strategic partnerships with other industry leaders to bring the most cutting-edge security solutions to the channel. Over the past year, Lila led the product development strategy and implementation of GlobalSign’s channel-ready client certificates as a service offering. GlobalSign resellers and partners can now extend to individuals and entities the publicly trusted digital credentials required for securing code, encrypting email, digitally signing documents and using the online authentication capabilities of browsers and VPNs.
Lila introduced three main product types, PersonalSign, DocumentSign, and Code Signing certificates, through the GlobalSign Certificate Center (GCC) partner portal, equipping resellers with an easy method to register, provision, and manage digital IDs ordered on behalf of their customers. But it was Lila’s vision for making digital signature security available to electronic document workflow service providers that has established her as a true leader in her field. Lila was instrumental in creating and delivering Adobe Certified Document Services (CDS) for service providers to host on behalf of enterprise customers as a value-added service to the document workflow and management activities they already provide. Adding a secure signature to high-stakes documents associated with healthcare, financial transactions, and government services was a natural extension for these service providers.
“This year’s Power 100 Women of the Channel list honors the most successful and influential women in the IT channel – a traditionally male-centric industry. The Power 100 list is an elite subset of our annual Women of the Channel list, which recognizes the 100 most influential women of the channel based on their overall achievements, and their influence in the technology industry,” said Kelley Damore, VP, Editorial Director, Everything Channel. “We are so proud and excited for Lila to receive this honor,” said Motoo Noda, Chief Executive Officer, GMO GlobalSign Inc. “Lila is not only a wealth of knowledge and leading mind in the industry, but also an amazing person to work with. Her passion for her work is infectious. She is a great role model and someone we can all aspire to.”
The Power 100 Women of the Channel will be listed on CRN.com.  The overall Women of the Channel list will appear in the July 2011 issue of CRN Magazine.

About Everything Channel
Everything Channel is the premier provider of IT channel-focused events, media, research, consulting, and sales and marketing services. With over 30 years of experience and engagement, Everything Channel has the unmatched channel expertise to execute integrated solutions for technology executives managing partner recruitment, enablement and go-to-market strategy in order to accelerate technology sales. Everything Channel is a UBM company. To learn more about Everything Channel, visit us at http://www.everythingchannel.com. Follow us on Twitter at http://twitter.com/everythingchnl.

About UBM plc
UBM plc is a leading global business media company. We inform markets and bring the world’s buyers and sellers together at events, online and in print, and provide them with the information they need to do business successfully. We focus on serving professional commercial communities, from doctors to game developers, from journalists to jewellery traders, from farmers to pharmacists around the world. Our 6,000 staff in more than 30 countries are organised into specialist teams that serve these communities, helping them to do business and their markets to work effectively and efficiently. For more information, go to www.ubm.com.

About GMO GlobalSign
Established in 1996 and as a WebTrust accredited public SSL Certificate authority, GlobalSign offers publicly trusted SSL Certificates, EV SSL, Managed SSL Services, S/MIME email security and Code Signing for use on all platforms including mobile devices. Its Trusted Root solution uses the widely embedded GlobalSign Root CA certificates to provide immediate PKI trust for Microsoft Certificate Services and internal PKI, eliminating the costs of using untrusted Root Certificates. Its partnership with Adobe to provide Certified Document Services (CDS) enables secure digitally signed PDF documents, certified transcripts and e-invoices.  These core Digital Certificate solutions allow its thousands of authenticated customers to conduct secure online transactions, data transfer, distribution of tamper-proof code, and protection of online identities for secure email and access control.  The company has a history of innovation within the online security industry and has offices in the US, UK, Belgium, Japan, and China.

About GMO Internet Group
GMO Internet Group is a leading force in the Internet industry offering one of the most comprehensive ranges of Internet services worldwide. The group is the top provider of domain registration, web hosting, ecommerce, and payment processing solutions in Japan and operates a host of other Internet services including global online security services, search engine marketing and online securities trading. At the center of the group is GMO Internet, Inc. (TSE: 9449) headquartered in Tokyo, Japan. Please visit www.gmo.jp/en for further details.


Republished by: SSL NEWS




Protect Your Entire Site With The Same SSL Certificate


The Thawte Wildcard SSL Certificate allows you to secure unlimited subdomains of your main domain with a single certificate. For example, if you have the domain abc.com, any number of subdomains will be protected by this certificate: mail.abc.com, store.abc.com, etc. You will not have to buy separate certificates for each new subdomain, as is the case with standard certificates. This solution is ideal if you use SSL for multiple subdomains: only one certificate to install, and in many cases it is more cost-effective. Please note that all subdomains must be on the same server.

A Thawte Wildcard SSL Certificate can serve all secondary domain names from a single IP address: the same certificate secures every subdomain associated with the domain name, sharing one IP for all subsequent years, so you can configure name-based virtual hosts instead of separate machines.

Reasons for Choosing the Thawte Wildcard SSL Certificate:

• Encryption strength from 40 to 256 bits, according to the capabilities of the client browser.
• Issuance within 2 business days, depending on the applicant fulfilling the requirements.
• Browser ubiquity is the highest available on the market.
• High standards of validation, through the intervention of a trusted third party such as Thawte, which guarantees the authenticity of your company and your ownership of the website for certification.
• Rigorous, integrated verification and authentication procedures (domain name and identity validation), with the prestige of Certificate Authority (CA) authorization.
• The Secure Socket Layer (SSL) protocol, maintaining the privacy of messages exchanged between the web server and its users.
• Recertification without limit during the lifetime of the certificate.
• High-strength encryption technology and a highly reliable site signature to protect your transactions.

Read more: http://www.hostreview.com/news/110726-protect-your-entire-site-with-the-same-ssl-certificate#ixzz1TCIg1zf7