Our servers are not vulnerable to the “FREAK Attack” SSL security bug

A couple of customers have asked if our servers are vulnerable to the FREAK attack SSL security bug.

The answer is no: we don’t use the weak “export grade ciphers suites” that are affected by the bug, so no site hosted on our servers is vulnerable. You can verify this with the FREAK attack server check tool.

About the “POODLE” SSL security bug

Internet security researchers recently announced an SSL security bug nicknamed POODLE that affects SSL version 3 (“SSLv3”) connections.

The POODLE bug sounds similar to the Heartbleed SSL bug (which is probably why it’s getting so much press), but we should mention that it’s less of a risk: For POODLE to cause a security problem, someone would need to be able to intercept website traffic between a visitor’s older web browser and a secure site to start with — i.e., an attacker would need to have first “tapped” the network traffic to the affected site. That’s not impossible, and is certainly a particular concern for large sites, but it’s a relatively low risk for most sites. This isn’t the first “man-in-the-middle” SSL bug, and probably won’t be the last.

In any case, the impact of this bug is minimized because our servers support something called “TLS_FALLBACK_SCSV”. This prevents the attack with current versions of the Google Chrome browser, even if someone is intercepting all your network traffic. It will also prevent it with forthcoming versions of other major browsers like Firefox.

Read the rest of this entry »

SSL certificates and SHA algorithms

This post describes a significant change in the way Web browsers recognize certain kinds of SSL certificates. We’re making sure that all SSL certificates bought from us are compatible with this change, and most customers can ignore the rest of this post, which has technical details.

Read the rest of this entry »

Our SSL servers support “perfect forward secrecy”

If your site uses an SSL certificate from us, our servers now provide an important feature called perfect forward secrecy.

Read the rest of this entry »

Our servers are not vulnerable to the “Heartbleed” SSL security bug

Yesterday, Internet security researchers announced discovery of the Heartbleed SSL security bug. This bug allows attackers to bypass SSL encryption on servers that use certain versions of software called “OpenSSL”.

Our servers are not, and never have been, vulnerable to this bug, because we’ve never used the affected versions of the OpenSSL software. Our customers are not affected by it in any way.

Read the rest of this entry »

Old e-mail programs with expired SSL certificates

Some customers using very old e-mail programs (such as Microsoft Entourage and Netscape Mail) have complained that their programs have started showing a warning that the “Certificate Authority Is Expired” or “Unable to establish a secure connection”. These old e-mail programs have certificates for common “root certificate authorities” built into them, with expiration dates that have now passed. There is no way to update the root certificates which are built into these old programs, unfortunately, so these e-mail programs will always complain that the root certificates are expired and thus no longer valid. This is not a problem with our e-mail servers, but instead is a problem with the old e-mail programs — they were never expected to be used this long.

If this is happening to you, there are three possible actions.

Read the rest of this entry »

TLS now supported with FTP

Our FTP servers now support TLS/SSL encryption of FTP passwords, adding more security to FTP.

Confusingly, there are a variety of different SSL/TLS encryption schemes for FTP offered by various FTP clients. The one we support is the most widespread, known as “explicit TLS encryption” of the FTP command channel. It’s defined in RFC 4217.

Encryption is supported by many popular FTP clients, including the FileZilla FTP client. (The quickest way to use it in FileZilla is to put ftpes://ftp.tigertech.net in the QuickConnect “Host” box, then accept the “Unknown certificate”.)

Read the rest of this entry »

Get an SSL certificate to guard against FireSheep

A recently published Firefox add-in named “Firesheep” can be used by “hackers” to easily hijack the connection of any nearby WiFi users visiting many popular Web sites such as Facebook, Twitter, or Hotmail. This vulnerability is a basic artifact of the way the Internet works. In order to prevent this problem, these sites will need to properly implement SSL (https) security.

Read the rest of this entry »

Wildcard SSL certificates now available

Back in May, we posted that we now offer basic SSL certificates for just $19.00 a year, allowing you to protect your Web site without going broke.

Today, we’ve added another option: you can optionally choose a “wildcard” AlphaSSL certificate instead for just $49.00 a year.

Read the rest of this entry »

Blocking improper SSL connections

Even if a Web site hosted with us doesn’t have an SSL certificate, our servers used to accept improper secure SSL connection attempts that start with “https://” instead of “http://” in the beginning of the URL (note the extra “s”). We’re changing that.

Read the rest of this entry »