Seeing warnings about an expired SSL certificate?

If you’re seeing warnings in your web browser or mail program saying that an SSL certificate has expired (whether it’s for our tigertech.net site, for a site we host, or for millions of other sites completely unrelated to us, like dictionary.com), that’s happening because a “root” SSL certificate distributed as part of your computer operating system has expired.

This can happen if you’re using a computer or program that hasn’t been updated since 2016 (that’s when Microsoft, Apple and others started providing replacement certificates with their updates).

There are many pages online that talk about this in technical terms (here and here, for example), but the short answer to “how do I fix this” is to update your computer operating system if you can. That will fix everything.

If you can’t update your computer, you can use a recent version of the Mozilla Firefox web browser to avoid the problem when viewing websites. That works because Firefox includes its own updated root SSL certificates, instead of using the outdated ones that came with your computer and haven’t been updated.

If you’re using an old version of a mail program that shows an error, it may allow you to add an “exception” or check a box telling it to always trust the certificate anyway. That option may appear when you show the certificate details.

If it doesn’t allow that, you can either disable SSL in the settings of that mail program (for example, by unchecking the “Use SSL” checkbox in older versions of Apple Mail), or you can use the Firefox web browser to read your mail using webmail. If you’re one of our customers, that’s at webmail.tigertech.net.
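For administrators who want to confirm that an outdated root store is the cause, the following added example (not part of the original post, and not our own tooling) lists the expired root certificates in a trust store, either the operating system's default store or a separate PEM bundle. The certificate names and dates in SAMPLE_STORE are constructed for illustration, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample entries in the dict shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Constructed Old Org"),),),
     "notAfter": "Jun 15 12:00:00 2018 GMT"},
    {"subject": ((("countryName", "US"),), (("commonName", "Constructed Legacy Root"),)),
     "notAfter": "Jan  1 00:00:00 2020 GMT"},
    {"subject": ((("commonName", "Constructed Current Root"),),),
     "notAfter": "Dec 31 23:59:59 2035 GMT"},
]

def subject_name(cert):
    """Best display name from the nested 'subject' tuples: CN, else O."""
    fields = {key: value for rdn in cert.get("subject", ()) for key, value in rdn}
    return fields.get("commonName") or fields.get("organizationName") or "<unnamed>"

def expired_roots(certs, now=None):
    """Return [(name, expiry)] for roots whose notAfter is before `now`, oldest first."""
    now = now or datetime.now(timezone.utc)
    found = []
    for cert in certs:
        not_after = cert.get("notAfter")
        if not not_after:
            continue  # malformed entry: nothing to compare
        expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
        if expiry < now:
            found.append((subject_name(cert), expiry))
    return sorted(found, key=lambda item: item[1])

def load_roots(cafile=None):
    """Roots from the OS default store, or from one PEM bundle if cafile is given."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Note: roots kept in a hashed directory (capath) load lazily and are not listed here.
    return ctx.get_ca_certs()

if __name__ == "__main__":
    for name, expiry in expired_roots(load_roots()):
        print(f"EXPIRED {expiry:%Y-%m-%d}  {name}")
```

Passing a path to load_roots() audits a standalone bundle instead of the operating system's store, which makes it possible to compare the two.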


Sites hosted with us aren’t affected by today’s “Let’s Encrypt” SSL security bug

We provide free Let’s Encrypt SSL certificates for all sites hosted with our company.

Recently, Let’s Encrypt found a problem with some certificates that could cause site visitors to see security warnings if the certificate wasn’t renewed before noon Pacific time today (March 4, 2020).

Our customers don’t need to worry, though. We’ve already renewed any affected certificates, so the problem will not affect any sites we host.

There’s a website at checkhost.unboundtest.com you can use to test your certificate if you want to be sure. As always, don’t hesitate to contact us if you have any questions.

Free SSL certificates added for all parked domain names

We’ve previously added free wildcard Let’s Encrypt SSL certificates for all our customers who use our web hosting service. Now we’ve added free certificates to all “parked” domain names, too!

If you have a parked domain name on our servers that’s set up to redirect to another site, you can now use https:// URL addresses for the parked domain name and the redirect will work securely, with no problems.

SSLv3 disabled on all servers

We’ve updated the SSL/TLS security settings on our servers to match current “best practices” for security, disabling the long-obsolete, insecure “SSLv3” in all cases.

Our customers shouldn’t notice any changes. We made this change on our own websites a long time ago with no reports of problems, and nearly all of the largest sites on the Internet have done the same. We’re just mentioning this so that people know to contact us in the unlikely event they do have any trouble.

That said, if you do have any trouble, it’s probably because you’re using a long-outdated, insecure web browser that you should update. You can check your browser by visiting www.howsmyssl.com. If you can’t update it, using a different browser on your computer will probably help.

Having trouble with Outlook 2011 for Mac and SSL?

A couple of customers have recently contacted us about problems with Outlook 2011 for Mac when it’s configured to make SSL connections.

Outlook 2011 for Mac has a bug: It tries to use the long-obsolete “SSLv2” protocol that is no longer supported on modern mail servers, including ours. If your network also uses a very common kind of firewall that prevents “client-initiated SSL/TLS session renegotiation”, SSL connections will simply fail.

The best solution to this is to upgrade to a modern version of Outlook. Outlook 2016 for Mac, for example, doesn’t have this problem.


Small change to SSL ciphers (April 24, 2018)

We’ve made a small technical change to the way our servers handle SSL connections. The change shouldn’t affect anyone, but we’re describing it here just for the record.

The technical description of the change is that we’ve removed the DES-CBC3-SHA (aka TLS_RSA_WITH_3DES_EDE_CBC_SHA) cipher suite from the “Medium security, good compatibility: Disable SSLv3 but enable TLS 1.0” option in the SSL section of our control panel, because PCI scanning companies have started flagging the existence of that cipher suite as a “fail”. (We told you it was technical!)

This change may make “medium security” SSL connections show errors for some very old browsers running on Windows XP. (Most such browsers already failed anyway with “medium security”, and they can’t connect to most major sites on the Internet, so almost nobody uses them.) In the unlikely event that you do need a very old browser like that to connect to an SSL-enabled site, you can choose Low security, excellent compatibility: Enable SSLv3 and TLS 1.0 in our control panel to allow it.

Wildcard Let’s Encrypt certificates now available

Let’s Encrypt recently started offering wildcard SSL certificates that work with any subdomain, without forcing you to get a new SSL certificate every time you change the hostnames you use.

If we host your site’s DNS nameservers (which is true for almost all of our hosting customers), we can now automatically provide you with a wildcard certificate, for free. We’ve already updated every existing Let’s Encrypt certificate to be a wildcard wherever possible.

If you’re still paying GoDaddy $349.99 a year for a wildcard SSL certificate, or paying Network Solutions $579 a year for it, now might be a good time to switch to our service. 😉 (In the last week, we’ve provided several million dollars’ worth of wildcard certificates to our customers even at GoDaddy’s introductory prices. You’re welcome!)

We’re using Let’s Encrypt wildcard certificates ourselves, too

We’re now using these certificates on everything related to our own services, too, including our website, blog, FTP servers, and mail servers.

Almost all customers shouldn’t notice any change, but if you use secure connections with old or unusual programs that don’t handle SSL connections properly, you might be asked to “accept” the new certificate.


SSLv3 disabled on our webmail servers

We’ve updated the SSL/TLS security settings on our webmail servers to match current “best practices” for security, disabling “SSLv3”.

Our customers shouldn’t notice any changes. (We made this change on our main website some time ago with no reports of problems, and many of the largest sites on the Internet have done the same.) We’re just mentioning this so that people know to contact us in the unlikely event they do have any trouble.

That said, if you do have any trouble, it’s probably because you’re using an outdated, insecure web browser that you should update. You can check your browser by visiting www.howsmyssl.com. If you can’t update it, using a different browser on your computer will probably help.

SSL certificate errors October 13, 2016 (resolved)

We’re receiving reports that some people visiting some SSL sites (including our site) are seeing security errors saying a “certificate has been revoked”.

This is an Internet-wide problem caused by an issue with one of the main Internet “certificate issuers”, a company called GlobalSign, and isn’t specific to us or sites we host. It’s affected many large Internet sites, such as Wikipedia. (Internet news site “The Register” has a report here.)

GlobalSign says the problem will soon be fixed. In the meantime, if your browser allows you to “click past” the warning about a “revoked certificate”, it is safe to do so.

Update 3:13 PM Pacific time: The problem is slowly resolving itself as the bad certificate information expires from “caches” around the Internet, but we’ve temporarily replaced our SSL certificates with new ones to make it stop immediately. This problem should now be resolved.

Our mail servers now use stronger SSL/TLS settings

We’ve updated the SSL/TLS security settings on our mail servers to match current “best practices” for security.

Our customers shouldn’t notice any changes. We’re just mentioning this so that people know to contact us in the unlikely event they do have any trouble.

That said, if you do have any trouble, it’s probably because you’re using outdated, insecure mail software that you should update. If you can’t update it, but the changes prevent you from sending mail with the “SSL” option turned on in your program, you may need to turn off the “SSL” option for outgoing mail until you can update.
