Seeing warnings about an expired SSL certificate?

If you’re seeing warnings in your web browser or mail program saying that an SSL certificate has expired (whether it’s for our tigertech.net site, for a site we host, or for millions of other sites completely unrelated to us, like dictionary.com), that’s happening because a “root” SSL certificate distributed as part of your computer operating system has expired.

This can happen if you’re using a computer or program that hasn’t been updated for at least five years (that’s when Microsoft, Apple and others started providing replacement certificates with their updates).

There are many pages online that talk about this in technical terms (here and here, for example), but the short answer to “how do I fix this” is to update your computer operating system if you can. That will fix everything.

If you can’t update your computer, you can use a recent version of the Mozilla Firefox web browser to avoid the problem when viewing websites. That works because Firefox includes its own updated root SSL certificates, instead of using the outdated ones that came with your computer and haven’t been updated.

If you’re using an old version of a mail program that shows an error, it may allow you to add an “exception” or check a box telling it to always trust the certificate anyway — it might look like this if you show the certificate details, for example:

If it doesn’t allow that, you can either disable SSL in the settings of that mail program (for example, by unchecking the “Use SSL” checkbox in older versions of Apple Mail), or you can use the Firefox web browser to read your mail using webmail. If you’re one of our customers, that’s at webmail.tigertech.net.

Messages getting marked as spam when you send from your own domain name using Gmail?

We recently heard from a couple of customers who set up Gmail to “Send mail as” a different email address at their custom domain name many years ago, and who are now having problems sending mail to people who use Outlook.com for their mail service (the messages were wrongly being flagged as spam at Outlook).

If this happens to you, it’s because the way Gmail used to set this up doesn’t interact well with modern email providers. The way Gmail sends these messages makes them look like a “spam forgery” to providers like Outlook.com that check for DKIM and SPF.

You can easily solve this by deleting the address in Gmail, then re-adding it. (If you’re one of our customers, the “Using Gmail to send messages” section of this page on our website shows the settings to use at Gmail.) Google will then set it up in a better way that works with modern email providers.

Extortion scams that claim to have hacked your account

We’ve seen a few reports recently of customers receiving messages that begin something like this:

I’m going to cut to the chase. I am aware [redacted] is your pass word. More to the point, I know your secret and I’ve evidence of your secret. You don’t know me personally and no one paid me to examine you.

Or like this:

You may not know me and you are probably wondering why you are getting this e mail, right? I’m a hacker who cracked your email and devices a few months ago. Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account.

The message then goes on to demand money (usually in the form of a Bitcoin ransom) in order to not reveal your “secret”.

These are a scam; you should ignore them. The mail is sent in bulk by spammers to millions of people, just like any other spam, and they know nothing about you beyond your email address and possibly a password they stole from another site. Our filters block most of these (we’re blocking more than a dozen per day per account, on average), but unfortunately no filter can block all spam messages, and the spammers are constantly changing them to get around the blocking.

You can find more information on sites like Sophos and Krebs on Security.

Outlook error 0x800CCC13 and Windows 10

We’ve had reports of an error message like this in Outlook when using Windows 10:

error (0x800CCC13): Cannot connect to the network. Verify your network connection or modem.

If this happens to you, it’s because of a problem with Windows 10, not with Outlook or our servers. According to the Microsoft page about it, updating Windows 10 should fix it. If it doesn’t, they suggest using a “workaround” to repair corrupted files on your computer.

PHP 7.0.0 and 5.6.16

The PHP developers recently released PHP version 7.0.0, as well as an update to the 5.6 series, version 5.6.16. We’ve upgraded PHP on our servers as a result.

The official release of PHP 7 means we’ll start encouraging customers to use it (as long as they use modern scripts like current versions of WordPress). It’s almost twice as fast as old versions of PHP. Yes, really: Twice as fast. We’re using it ourselves on this blog.

If you’d like your WordPress or other PHP-based site to seem snappier, or be able to handle twice as many visitors per second, you can easily do so:

  1. Log in to our My Account control panel
  2. Click PHP Settings
  3. Click PHP 7.0 series
  4. Click Save Settings

Then test your site to make sure it works properly. If it does: Great, you’ve just made your site much faster! If it doesn’t, it’s probably because you’re using older scripts that haven’t yet been updated, and you can simply set PHP back to an earlier version for now. We recommend that you always use the latest version that works properly with your scripts.

As always, if you have any trouble, don’t hesitate to contact us.

Disabling SSLv3 and TLS 1.0

If you use an SSL certificate on a site you host with us, we now offer more control over the SSL/TLS protocol versions your site uses.

Old protocol versions, including SSL version 3 (“SSLv3”) and TLS version 1.0, are no longer considered secure. You can now disable these to improve security, at the expense of preventing some older, less-secure browsers from making SSL or TLS connections. Some credit card companies are starting to require that SSLv3 and TLS 1.0 both be disabled.

WordPress 3.0.2 update (and mod_security rule)

If you use WordPress blog software on your site, be sure to upgrade to WordPress 3.0.2 as soon as possible. The upgrade contains an important security fix for a vulnerability that allows any WordPress “author” to become an “administrator”.

Although all WordPress users should upgrade right away, we’ve added security rules to our servers to protect our Web hosting customers who haven’t yet upgraded. Other people may find the rules useful if they use mod_security on Apache Web servers. The rest of this post contains more technical details.

Avoiding problems with missing images in WordPress

WordPress installations handle missing image files very inefficiently by default, running the entire WordPress script to build a custom “404 Page Not Found” page rather than simply letting Apache return an immediate default “404” response. Running the WordPress script when not necessary is a huge waste of processor time. For example, WordPress might only be able to process 8 requests per second for a missing image when WordPress generates a custom “404” page, but Apache can return over 1,000 raw “404” responses per second. If your Web site contains references to missing files, this default WordPress behavior can drive up your CPU usage unnecessarily. We’ve seen poorly-configured Web sites spend a significant portion of their CPU time processing missing images.

Even better performance from WP Super Cache

In a previous post, we talked about how increasing the WP Super Cache “Expire time” from 1 hour to 48 hours can help the performance of WordPress blogs.

Here’s another tip that can help dramatically: Remove “bot”, “ia_archive”, “slurp”, “crawl”, “spider” and “Yandex” from the Rejected User Agents box in the WP Super Cache plugin settings. (In most cases, this will leave the box completely empty.)

Protect your WordPress login

Update: This post is outdated. We now offer SSL certificates for free to all customers, and recommend that you make your entire WordPress blog use SSL (rather than just making the dashboard SSL using the FORCE_SSL_ADMIN trick described below).

Do you log in to your WordPress blog securely? Are your username and password encrypted so that “hackers” can’t steal them and then break into your blog? (Probably not!)

By default, each WordPress blog is configured to send the login username and password as plain (unencrypted) text. If a hacker can see what you are sending during your login, they can easily steal your username and password. This can happen if you have a virus installed on your computer. It can also happen if your computer is virus-free but connects via WiFi. If your main computer uses a wireless connection, or if you or other users of your blog ever log in with their laptops — blogging from a coffee shop, anyone? — remember that these connections can be insecure, and could be susceptible to revealing your password.

You can protect your blog by installing an “SSL certificate” and configuring WordPress to require secure logins. Your browser will then encrypt your username and password so that no one can intercept them.
