ServerTastic Blog - Stuff that happens at ServerTastic and other product related things
Filed under

SSL

 

VeriSign SSL Certificates


via YouTube

A short clip about the benefits of VeriSign SSL Certificates. VeriSign is available from ServerTastic at fantastic discounts. VeriSign certificates will also soon support the seal in search technology and website malware scans. More details to come!

Filed under  //   SSL   VeriSign  
Posted by Andy Gambles 

Comments [0]

Important SSL Changes


There have been some significant changes to the SSL certificates supplied via ServerTastic. The most important point to make is that these changes do not affect any certificates already issued and installed.

SSL invite URLs
All invite URLs issued from today now have a validity of 365 days from purchase. This means you must use the invite URL to generate your SSL certificate within 365 days of placing your order. This also applies to bulk purchases. Failure to use the invite URL within 365 days will result in the invite expiring and becoming invalid. No refunds or replacements will be issued for expired invite URLs.

Geotrust certificates now use intermediate
Geotrust certificates such as the QuickSSL Premium used to be issued from a root CA certificate. This meant that when installing your certificate there was no additional "CA Bundle" to install. However Geotrust certificates issued from today will require an intermediate certificate. This intermediate certificate will be supplied with your certificate during purchase.

The installation process may have changed slightly depending on the certificate and server OS. Please make sure you read the fulfilment email completely before commencing installation.

2048-bit minimum key size
From 2013 all SSL certificates must have a minimum 2048-bit key size. Therefore, if you order a certificate whose validity extends beyond this date, the CSR must be generated with a key size of at least 2048 bits. You can still order certificates with a smaller key size if they expire before this date; however, you will receive a warning during the order process.

Root migration
Many SSL certificates are being migrated to alternative root certificates with a minimum 2048-bit key size. This does not affect any existing SSL certificates. However, re-issues and new certificates will be issued from the new root. There is no action required by customers during the root migration.

PKCS7 downloads
Certificates can now be downloaded as PKCS7 (which will include the intermediate CA) from the SSL control panel.
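The 2048-bit minimum and the PKCS7 download can both be checked locally before you submit a CSR or install a certificate. The script below is an added example, not ServerTastic or Geotrust code; it assumes the OpenSSL command line tool is installed, PEM-encoded files and RSA keys, and the function and file names are illustrative.

```shell
#!/bin/sh
# Added example (not ServerTastic code). Assumes the OpenSSL CLI is installed,
# PEM-encoded input files and RSA keys; function names are illustrative.

MIN_BITS=2048   # minimum key size stated in the post

# Print the public key size, in bits, of a PEM CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the CSR key is at least MIN_BITS long.
csr_meets_minimum() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

# Count the certificates in a PKCS7 download. A bundle that includes the
# intermediate CA holds at least two: your certificate and the intermediate.
p7b_cert_count() {
    openssl pkcs7 -in "$1" -print_certs 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Unpack a PKCS7 download into a PEM file for servers that want PEM.
p7b_to_pem() {
    openssl pkcs7 -in "$1" -print_certs 2>/dev/null |
        sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$2"
}

# Usage: sh check.sh request.csr [bundle.p7b]
if [ -n "${1:-}" ]; then
    if csr_meets_minimum "$1"; then
        echo "CSR key size OK: $(csr_key_bits "$1") bits"
    else
        echo "CSR key is below $MIN_BITS bits; generate a new key and CSR"
    fi
    if [ -n "${2:-}" ]; then
        echo "Certificates in bundle: $(p7b_cert_count "$2")"
    fi
fi
```

A PKCS7 file downloaded in binary (DER) form needs `-inform DER` added to the `openssl pkcs7` calls.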

Plesk/Apache bundle downloads
Certificates can now be downloaded as Plesk/Apache bundles from the SSL control panel.

RapidSSL Certificates
RapidSSL and RapidSSL wildcard certificates will continue to be issued from a root certificate until 23 September 2010. 

Questions
If you have any questions or concerns about these changes, please let us know in the comments or contact us.

Filed under  //   Geotrust   QuickSSL Premium   rapidssl   SSL   thawte  
Posted by Andy Gambles 

Comments [0]

New SSL Wizard Launched


The new SSL Wizard has just been enabled on ServerTastic. The wizard is designed to help you with a number of SSL-related tasks, including renewing your SSL, requesting a re-issue, resending your approver email and, of course, helping you find the best SSL for your requirements.

Please give it a try and let us know your comments. (You can also provide feedback via Facebook, Twitter and LinkedIn).

Filed under  //   Geotrust   rapidssl   ServerTastic   SSL   thawte   VeriSign  
Posted by Andy Gambles 

Comments [0]

Incorrect reports of VeriSign vulnerability


Today we saw some news stories about supposed vulnerabilities in VeriSign's enterprise SSL Certificate requesting process. These stories are based on a press release and outside press briefings from Comodo claiming to have found a "major security vulnerability" in VeriSign's SSL offering. These stories are incorrect. I have written this FAQ to clear up the misinformation that's floating around right now.


Q. Are there actually major security vulnerabilities in VeriSign SSL products that were revealed to the public by Comodo today?
A. No.


Q. What are the claimed vulnerabilities that Comodo announced?
A. Many large enterprises use a workflow whereby individuals within the organization can request SSL Certificates for the projects they're working on. Requests from these pages go to administrators, who then evaluate whether or not to issue the certificates. Comodo was able to locate and gain access to a certificate request page from a large financial institution.


By their nature these pages are publicly accessible, and access to these pages does not constitute a security flaw. There is no private information available from these pages, and certificate requests go through evaluation by the enterprise's designated certificate administration body before any certificate is issued. Comodo's claim that it detected a "major security vulnerability" that affects "its customers' Web sites, including a major financial institution" is categorically false.


Q: What is the effect on VeriSign's customers' web sites?
A: There is no effect on VeriSign's customers' web sites. Customers are not required to take any action and are at no risk.


Q. What is the severity of these alleged vulnerabilities?
A. VeriSign does not believe Comodo discovered or announced any serious vulnerability for our customers or users of our customers' web sites. Sensitive information and actions that carry meaningful consequences to the enterprise are all protected by a separate administrator control center which is not accessible without a special administrative certificate and not the subscriber web page Comodo found. We deliberately designed our workflow to meet the needs of all members of the enterprise without compromising security, and in this instance that design is doing its job.


Q. Was there any breach? Was any sensitive information or the security of any site, server, enterprise, or certificate compromised in any way?
A. No.


Q. Will VeriSign be making any changes to its products based on this announcement?
A. We currently have monitoring in place to detect possible brute force attacks against the subscriber web page. Based on the increased attention this release is likely to cause, we're implementing additional safeguards to redundantly ensure that these pages are not susceptible to exploit.


Q. Comodo's release stated that it followed the CCSS ethical security disclosure standards. Is that correct?
A. No. Section 7.2.iii and 9.1.i of these guidelines clearly state that the discloser and the security vendor will mutually negotiate the strategy and timeline for both disclosure and mitigation of the vulnerability. Comodo did not make VeriSign aware of the planned timing of this morning's press release or the content of that release. If Comodo had briefed us on the content of this release in advance, we could have corrected the egregious errors the release contained.


Had the content of this release constituted an actual major security flaw (which it did not), one week's notice may not have been enough time to fix any flaw, and Comodo did not consult with VeriSign to determine a safe disclosure schedule. With 93% of the Fortune 500 and 97 of the world's 100 largest SSL-using banks choosing SSL Certificates from VeriSign, it's fortunate that Comodo was incorrect in its assessment of security risks.


Q. Why was Comodo searching for vulnerabilities in VeriSign SSL products?
A. We don't know.


Q. Does VeriSign actively search competitive SSL products for security vulnerabilities?
A. No.

FAQ produced by Tim Callan of VeriSign about the recent "Security Exploit" Comodo claim to have discovered.

Filed under  //   SSL   VeriSign  
Posted by Andy Gambles 

Comments [0]

True BusinessID with EV from just $149.00 a year


PRICE DROP - Now from Just $149.00 a year!



True BusinessId with EV


Boost online transactions with the green address bar

Maximize security and online sales potential using GeoTrust True BusinessID with EV enabling up to 256-bit encryption on web browsers and mobile phones. With Extended Validation, visitors using high-security browsers see the address bar turn green when they visit your site. Extended Validation SSL Certificates provide a convenient and visible sign that you have a highly authenticated, trustworthy site and that your customers’ information is secure.

Buy now from $149.00 a year

Increase customer confidence and transactions

Before consumers enter credit card or sensitive personal information online they want to confirm that they are on the intended site and that their information is protected. In addition to the green bar, high security browsers display the authenticated organization name on the Extended Validation SSL certificate and the CA that issued it. These features are immediately visible and give customers the confidence to complete their transactions.

True BusinessID with EV

True BusinessID with EV Features and Benefits

  • Extended Validation with green address bar technology
  • Full organization validation
  • Up to 256-bit SSL encryption
  • Dynamic Geotrust True Site Seal with company name and dynamic time stamp
  • Recognised by over 99% of all browsers and mobile devices
  • $150,000 warranty
  • Multi year discounts
  • Free self-service reissues
  • Free technical support direct from Geotrust
  • 7 Day refund policy

Secure online transactions with up to 256-bit encryption

GeoTrust helps you protect sensitive information during transmission when your customers, business partners, and employees connect with you online. True BusinessID with EV certificates enable 40-bit to 256-bit encryption, depending on the client browser capability and the cipher suite installed on your web server.

Let customers know you take security seriously

Every True BusinessID with EV certificate includes a dynamic GeoTrust True Site Seal with your company name and a date/time stamp. For users of older browsers and mobile browsers who cannot see the green address bar, the dynamic True Site Seal helps visitors identify your site as genuine, authentic, and validated by an independent third party.

Filed under  //   EV   Geotrust   Promotions   SSL   True BusinessID  
Posted by Andy Gambles 

Comments [0]

SSL email approver options


Last month the approver email address options for domain validated SSL certificates were restricted. This was due to a number of security problems which arose (someone was able to register the ssladmin@ account at a number of webmail providers).

This prompted a review of the email addresses available to select for domain approval. This affects RapidSSL, QuickSSL Premium and SSL123 products.

The following email addresses can be used for domain approval:

  • admin@
  • administrator@
  • hostmaster@
  • root@
  • webmaster@
  • postmaster@
  • The current whois admin contact
  • The current whois technical contact

You must have access to one of these email accounts on the SSL domain to be able to receive the SSL certificate.

Filed under  //   QuickSSL Premium   rapidssl   SSL   SSL123  
Posted by Andy Gambles 

Comments [0]

More on the Symantec purchase of VeriSign Security


Two exciting things have happened today. The Queen drove past the office and Symantec announced its purchase of VeriSign Security. I am guessing you are interested in what the Symantec/VeriSign deal means to ServerTastic and the SSL market place.

So far the info I have is that it is business as usual. The certificates will still be issued as normal. The only real nugget of information is from the Symantec press release, which states:

 Following the close of the transaction, Symantec plans to incorporate the VeriSign check mark into a new Symantec logo to convey to users that it is safe to communicate, transact commerce and exchange information online.

However the purchase also includes the rights to the VeriSign check mark. As this is so universally recognised I would imagine/hope that this remains in some form in any redesign.

Symantec have also launched a VeriSign themed website. The yellow circle with tick indicates what could be to come but that is my pure speculation.


It is an interesting development in the internet security webspace. VeriSign are left with the highly profitable domain registry for .net and .com while Symantec are moving into providing the whole suite of validation and security services.

So to clarify, at present it is business as usual. You can still purchase VeriSign, Geotrust, RapidSSL and thawte certificates from ServerTastic.

Filed under  //   SSL   Symantec   VeriSign  
Posted by Andy Gambles 

Comments [0]

Symantec buying VeriSign's Web-security arm


By JORDAN ROBERTSON (AP) – 1 hour ago

SAN FRANCISCO — Symantec Corp.'s decision to pay $1.28 billion to buy a division of VeriSign Inc. that sells security technology to websites highlights how quickly the companies are moving in opposite directions.

Symantec, best known for its antivirus software for personal computers, wants to secure more things.

With the VeriSign deal, announced Wednesday, Symantec will have spent nearly $3 billion in two years acquiring technologies that make it a bigger player in other parts of the security market, such as protecting data on mobile phones and delivering software over the Internet.

Meanwhile, VeriSign, whose brand is ubiquitous on the Web for protecting online transactions, wants to secure fewer things.

It wants to focus instead on a lesser-known but more robust part of its business: managing traffic to websites with addresses ending in ".com" and ".net," and collecting fees for registering those domain names.

VeriSign has been purging divisions for the past three years, after realizing it was spread too thin following a buying binge designed to insulate it from the kinds of problems it had after the dot-com collapse a decade ago.

Prior to Wednesday's deal with Symantec, VeriSign had sold more than a dozen businesses since 2007 for a total of nearly $1 billion. Some were curious choices for VeriSign to have in the first place, such as a division that did billing services for telecommunications companies and another that sold ring tones and insurance for mobile phones.

What Symantec gets out of the VeriSign deal is one of the Web's best-known brand names for security.

VeriSign's logo — a check mark and the tag "VeriSign Secured" — is ubiquitous on websites that have bought its security technology. The VeriSign division that Symantec is buying sells "certificates" to websites that want protection for their customers' data. The Secure Sockets Layer, or SSL, certificates allow data to be encrypted between a user's browser and a website's servers. A padlock icon appears on a user's browser when that technology is being used.

The certificate business has long been a cornerstone for VeriSign, but has come under pressure in recent years.

In part, that's because cheap SSL certificates sold by other companies are easy to come by. The competition has forced VeriSign to sell more of its cheaper SSL certificates, too, even though their security measures are weaker.

Revenue in that division rose just 3 percent last year to $410 million, while revenue in VeriSign's domain-name division jumped 12 percent to $616 million.

Still, at the end of last year, more than 1 million sites were using VeriSign's SSL certificates, making the business an attractive target for a company such as Symantec looking to extend its brand.

The deal is expected to close in the September quarter. Symantec said it expects the transaction to reduce its adjusted earnings by 9 cents per share for the current fiscal year. It won't add to adjusted profit until the September quarter of next year.

The business VeriSign is left with is a lucrative one, but whose weakness following the dot-com collapse was a key reason VeriSign went on a tear with its acquisitions.

VeriSign is critical in steering Internet traffic to ".com" and ".net" Web sites. Its directories help Internet computers locate websites and know where to send e-mail.

The company makes its money by collecting a fee every time someone registers or renews a domain name ending in ".com" or ".net." Although Web site owners buy names through third parties, VeriSign gets fees as operator of the ".com" and ".net" registries.

Those fees generally go up each year, and as of July 1 will be $7.34 per ".com" name and $4.65 per ".net" name. Those fees add up with some 85 million ".com" names and 13 million ".net" names registered — and they account for the bulk of revenue in the domain-name division.

Symantec shares were up 2 cents in extended trading. They had fallen 32 cents, or 2 percent, to close the regular trading session at $15.63. VeriSign shares rose 83 cents, or 3 percent, to $28.82 in extended trading, after falling 24 cents to close at $27.99.

Both companies are based in Mountain View, Calif.

Copyright © 2010 The Associated Press. All rights reserved.

Some surprising news was announced last night! At the moment this means nothing changes on ServerTastic but we will keep you updated.

Filed under  //   SSL   Symantec   VeriSign  
Posted by Andy Gambles 

Comments [0]

RapidSSL and Geotrust now secure WWW and non-WWW domain


OK, so I said this before back in March and then the feature got withdrawn suddenly due to some technical problems! Well, it is back now and has been active for the last few days.

The latest update to the SSL order system means that RapidSSL and Geotrust certificates now automatically secure the WWW and non-WWW domain in a single certificate.

For instance, if you order a RapidSSL certificate for www.servertastic.com it will also secure servertastic.com for no extra charge and within the same certificate. You do not need to do anything extra in the order process; this is automatic.
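To confirm that an issued certificate really matches both names before pointing both hostnames at it, you can run OpenSSL's hostname check against the certificate file. This is an added example, not part of the original post or the ServerTastic order system; it assumes the OpenSSL command line tool and a PEM certificate, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not ServerTastic code). Assumes the OpenSSL CLI and a PEM
# certificate file; function names are illustrative.

# Print both forms of a hostname: without and with the leading "www."
both_names() {
    bare=${1#www.}
    printf '%s\n%s\n' "$bare" "www.$bare"
}

# Succeed only if the certificate matches both the www and non-www name.
# Prints one line per name so a missing name is easy to spot.
cert_covers_both() {
    cert=$1
    missing=0
    for name in $(both_names "$2"); do
        if openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null |
            grep -q 'does match'; then
            echo "covered: $name"
        else
            echo "NOT covered: $name"
            missing=1
        fi
    done
    return "$missing"
}

# Usage: sh covers.sh certificate.pem www.example.com
if [ -n "${2:-}" ]; then
    cert_covers_both "$1" "$2" || echo "Certificate does not secure both names"
fi
```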
 
The following certificates now have this feature at no extra cost

All these are available for amazing discounts on ServerTastic.

If you are not already signed up to our newsletter visit the blog and do so now.

 

Filed under  //   EV   Geotrust   QuickSSL Premium   rapidssl   SSL   True BusinessID  
Posted by Andy Gambles 

Comments [2]

Resend missing approver email


When you purchase an SSL Certificate such as RapidSSL, QuickSSL Premium or SSL123 you have to complete an approver email process. 

This means that during your order you choose from a pre-determined list of email addresses. An email is then sent to this email address with a link you must click to complete the order.

This process is an automated way of validating you have access to an email address associated with the domain and therefore have the authority to request a certificate.

The order will not be completed until this approver email process is completed. Recently we have had a number of customers raise tickets saying they have not received this email, that they forgot to set up the mailbox this was sent to or they just want it resending.

If you do not complete the approver email it is automatically resent every 12 hours until you do. However, you can also resend it yourself at any time via the Self Service SSL Portal.

I posted more information about how to Manage Your SSL Certificate Orders last year.

If you have any questions about this process please let me know.

Filed under  //   Geotrust   QuickSSL Premium   rapidssl   SSL   SSL123  
Posted by Andy Gambles 

Comments [0]