Our hosting customers can now get free SSL certificates to secure their site.
What’s an SSL certificate? It activates the “padlock” icon for your site in a Web browser, showing that the connection is encrypted for security. You should use an SSL certificate if your visitors type sensitive data such as usernames, passwords or credit card numbers, because it ensures that “hackers” can’t intercept that data.
SSL certificates used to cost a lot of money, but an organization called Let’s Encrypt is now providing them for free, trying to encourage the widespread use of encryption on the modern Internet.
We believe that encryption should be widely available, so we’ve changed our SSL certificate system to provide free Let’s Encrypt certificates to our hosting customers. You can get one now in our “My Account” control panel.
Read the rest of this entry »
We’ve made a small technical change to the way our servers handle SSL connections. The change shouldn’t affect anyone, but we’re describing it here just for the record. If you have an SSL site with us and see any unexpected behavior, don’t hesitate to let us know.
Read the rest of this entry »
Recently, PayPal has been sending notifications to merchants who use the “PayPal API”, discussing some changes they’re making. If you are one of our customers and you have received this e-mail from PayPal, you may be wondering if you need to do anything. The short answer is that you don’t; the change is being made entirely on the PayPal servers, and our service is fully compatible.
Read the rest of this entry »
If you use an SSL certificate on a site you host with us, we now offer more control over the SSL/TLS protocol versions your site uses.
Old protocol versions, including SSL version 3 (“SSLv3”) and TLS version 1.0, are no longer considered secure. You can now disable these to improve security, at the expense of preventing some older, less-secure browsers from making SSL or TLS connections. Some credit card companies are starting to require that SSLv3 and TLS 1.0 both be disabled.
Read the rest of this entry »
A couple of customers have asked if our servers are vulnerable to the FREAK attack SSL security bug.
The answer is no: we don’t use the weak “export grade ciphers suites” that are affected by the bug, so no site hosted on our servers is vulnerable. You can verify this with the FREAK attack server check tool.
Internet security researchers recently announced an SSL security bug nicknamed POODLE that affects SSL version 3 (“SSLv3”) connections.
The POODLE bug sounds similar to the Heartbleed SSL bug (which is probably why it’s getting so much press), but we should mention that it’s less of a risk: For POODLE to cause a security problem, someone would need to be able to intercept website traffic between a visitor’s older web browser and a secure site to start with — i.e., an attacker would need to have first “tapped” the network traffic to the affected site. That’s not impossible, and is certainly a particular concern for large sites, but it’s a relatively low risk for most sites. This isn’t the first “man-in-the-middle” SSL bug, and probably won’t be the last.
In any case, the impact of this bug is minimized because our servers support something called “TLS_FALLBACK_SCSV”. This prevents the attack with current versions of the Google Chrome browser, even if someone is intercepting all your network traffic. It will also prevent it with forthcoming versions of other major browsers like Firefox.
Read the rest of this entry »
This post describes a significant change in the way Web browsers recognize certain kinds of SSL certificates. We’re making sure that all SSL certificates bought from us are compatible with this change, and most customers can ignore the rest of this post, which has technical details.
Read the rest of this entry »
If your site uses an SSL certificate from us, our servers now provide an important feature called perfect forward secrecy.
Read the rest of this entry »
Yesterday, Internet security researchers announced discovery of the Heartbleed SSL security bug. This bug allows attackers to bypass SSL encryption on servers that use certain versions of software called “OpenSSL”.
Our servers are not, and never have been, vulnerable to this bug, because we’ve never used the affected versions of the OpenSSL software. Our customers are not affected by it in any way.
Read the rest of this entry »
Some customers using very old e-mail programs (such as Microsoft Entourage and Netscape Mail) have complained that their programs have started showing a warning that the “Certificate Authority Is Expired” or “Unable to establish a secure connection”. These old e-mail programs have certificates for common “root certificate authorities” built into them, with expiration dates that have now passed. There is no way to update the root certificates which are built into these old programs, unfortunately, so these e-mail programs will always complain that the root certificates are expired and thus no longer valid. This is not a problem with our e-mail servers, but instead is a problem with the old e-mail programs — they were never expected to be used this long.
If this is happening to you, there are three possible actions.
Read the rest of this entry »