Small change to SSL ciphers

We’ve made a small technical change to the way our servers handle SSL connections. The change shouldn’t affect anyone, but we’re describing it here just for the record. If you have an SSL site with us and see any unexpected behavior, don’t hesitate to let us know.

Read the rest of this entry »

Our servers are compatible with 2015 and 2016 PayPal security upgrades

Recently, PayPal has been sending notifications to merchants who use the “PayPal API”, discussing some changes they’re making. If you are one of our customers and you have received this e-mail from PayPal, you may be wondering if you need to do anything. The short answer is that you don’t; the change is being made entirely on the PayPal servers, and our service is fully compatible.

Read the rest of this entry »

Disabling SSLv3 and TLS 1.0

If you use an SSL certificate on a site you host with us, we now offer more control over the SSL/TLS protocol versions your site uses.

Old protocol versions, including SSL version 3 (“SSLv3”) and TLS version 1.0, are no longer considered secure. You can now disable these to improve security, at the expense of preventing some older, less-secure browsers from making SSL or TLS connections. Some credit card companies are starting to require that SSLv3 and TLS 1.0 both be disabled.

Read the rest of this entry »

Our servers are not vulnerable to the “FREAK Attack” SSL security bug

A couple of customers have asked if our servers are vulnerable to the FREAK attack SSL security bug.

The answer is no: we don’t use the weak “export grade ciphers suites” that are affected by the bug, so no site hosted on our servers is vulnerable. You can verify this with the FREAK attack server check tool.

About the “POODLE” SSL security bug

Internet security researchers recently announced an SSL security bug nicknamed POODLE that affects SSL version 3 (“SSLv3”) connections.

The POODLE bug sounds similar to the Heartbleed SSL bug (which is probably why it’s getting so much press), but we should mention that it’s less of a risk: For POODLE to cause a security problem, someone would need to be able to intercept website traffic between a visitor’s older web browser and a secure site to start with — i.e., an attacker would need to have first “tapped” the network traffic to the affected site. That’s not impossible, and is certainly a particular concern for large sites, but it’s a relatively low risk for most sites. This isn’t the first “man-in-the-middle” SSL bug, and probably won’t be the last.

In any case, the impact of this bug is minimized because our servers support something called “TLS_FALLBACK_SCSV”. This prevents the attack with current versions of the Google Chrome browser, even if someone is intercepting all your network traffic. It will also prevent it with forthcoming versions of other major browsers like Firefox.

Read the rest of this entry »

SSL certificates and SHA algorithms

This post describes a significant change in the way Web browsers recognize certain kinds of SSL certificates. We’re making sure that all SSL certificates bought from us are compatible with this change, and most customers can ignore the rest of this post, which has technical details.

Read the rest of this entry »

Our SSL servers support “perfect forward secrecy”

If your site uses an SSL certificate from us, our servers now provide an important feature called perfect forward secrecy.

Read the rest of this entry »

Our servers are not vulnerable to the “Heartbleed” SSL security bug

Yesterday, Internet security researchers announced discovery of the Heartbleed SSL security bug. This bug allows attackers to bypass SSL encryption on servers that use certain versions of software called “OpenSSL”.

Our servers are not, and never have been, vulnerable to this bug, because we’ve never used the affected versions of the OpenSSL software. Our customers are not affected by it in any way.

Read the rest of this entry »

Old e-mail programs with expired SSL certificates

Some customers using very old e-mail programs (such as Microsoft Entourage and Netscape Mail) have complained that their programs have started showing a warning that the “Certificate Authority Is Expired” or “Unable to establish a secure connection”. These old e-mail programs have certificates for common “root certificate authorities” built into them, with expiration dates that have now passed. There is no way to update the root certificates which are built into these old programs, unfortunately, so these e-mail programs will always complain that the root certificates are expired and thus no longer valid. This is not a problem with our e-mail servers, but instead is a problem with the old e-mail programs — they were never expected to be used this long.

If this is happening to you, there are three possible actions.

Read the rest of this entry »

TLS now supported with FTP

Our FTP servers now support TLS/SSL encryption of FTP passwords, adding more security to FTP.

Confusingly, there are a variety of different SSL/TLS encryption schemes for FTP offered by various FTP clients. The one we support is the most widespread, known as “explicit TLS encryption” of the FTP command channel. It’s defined in RFC 4217.

Encryption is supported by many popular FTP clients, including the FileZilla FTP client. (The quickest way to use it in FileZilla is to put ftpes:// in the QuickConnect “Host” box, then accept the “Unknown certificate”.)

Read the rest of this entry »