The latest update to the SSL order system means that RapidSSL and Geotrust certificates now automatically secure the WWW and non-WWW domain in a single certificate.

Loading mentions Retweet

The True BusinessID with EV promotion is due to end on 31st January 2010.

Loading mentions Retweet

The True BusinessID with EV $174.00 Year promotion has been extended to 31st January 2010.

Loading mentions Retweet

• PROMOTION EXTENDED TO 31st January 2010!
• Buy now from $174.00 a year[Offer Ends 31st December 2009!]
• Find more Geotrust Products
• Find more SSL Certificates
• Blog Tags: SSL : Geotrust : EV

Boost online transactions with the green address bar

Maximize security and online sales potential using GeoTrust True BusinessID with EV enabling up to 256-bit encryption on web browsers and mobile phones. With Extended Validation, visitors using high-security browsers see the address bar turn green when they visit your site. Extended Validation SSL Certificates provide a convenient and visible sign that you have a highly authenticated, trustworthy site and that your customers’ information is secure.

Buy now from $174.00 a year[Offer Ends 31st December 2009! 31st January 2010]

Increase customer confidence and transactions

Before consumers enter credit card or sensitive personal information online they want to confirm that they are on the intended site and that their information is protected. In addition to the green bar, high security browsers display the authenticated organization name on the Extended Validation SSL certificate and the CA that issued it. These features are immediately visible and give customers the confidence to complete their transactions.

True BusinessID with EV Features and Benefits

• Extended Validation with green address bar technology
• Full organization validation
• Up to 256-bit SSL encryption
• Dynamic Geotrust True Site Seal with company name and dynamic time stamp
• Recognised by over 99% of all browsers and mobile devices
• $150,000 warranty
• Multi year discounts
• Free self-service reissues
• Free technical support direct from Geotrust
• 7 Day refund policy

Buy now from $174.00 a year[Offer Ends 31st December 2009! 31st January 2010]

Secure online transactions with up to 256-bit encryption

GeoTrust helps you protect sensitive information during transmission when your customers, business partners, and employees connect with you online. True BusinessID with EV certificates enable 40-bit to 256-bit encryption, depending on the client browser capability and the cipher suite installed on your web server.

Let customers know you take security seriously

Every True BusinessID with EV certificate includes a dynamic GeoTrust True Site Seal with your company name and a date/time stamp. When users of older browsers and mobile browsers who cannot see the green address bar, the dynamic True Site Seal helps visitors identify your site as genuine, authentic, and validated by an independent third party.

Buy now from $174.00 a year[Offer Ends 31st December 2009! 31st January 2010]

Loading mentions Retweet

There has been some recent coverage about a security flaw in EV SSL certificates. I think it is worth pointing out the facts (as I see them) of this "flaw". 
 
Firstly there is no security flaw in Extended Validation SSL Certificates. The certificates still function correctly.
 
This flaw is actually a "Man in the middle" attack. It is a fairly common type of attack which has been known for some time. However to be able to attempt the attack there are a number of requirements the attacker needs to fulfil. They must have an existing certificate (this can be a simple domain validated certificate). They must also be able to poison the users DNS records. 
 
The attack is supposed to work by the main domain presenting the EV enabled green address bar for the main site and then the attacker loading iframe content within the website which is secured by a non EV certificate. The iframe content would be controlled by the attacker but the green address bar would still be shown. 
 
To complete the attack the attacker needs to do a number of steps: 
 
The attacker must find a website which utilises an iframe or some form of widget included from a different URL. For example the website https://www.servertastic.com could have an iframe login page loaded from www.mylogin.com (it doesn't this is just an example!)

The attacker would poison the DNS records to point www.mylogin.com to their own webserver. Doing so they could then collect your login data and other information they require. 
 
For this to work the attacker needs to secure the content loaded in the iframe with an SSL certificate so the browser still shows the green address bar from the main frame (www.servertastic.com). This is where I believe the attack does not work. 
 
The attacker would need to obtain a DV certificate for www.mylogin.com which they can not do because they do not own www.mylogin.com. Alternatively they could hijack www.mylogin.com and redirect it to www.attackersdomain.com which they do own and does have a certificate.

But they would still not be able to present a valid certificate for www.mylogin.com and therefore the browser will display a SSL warning error either "mismatched SSL domain", "mixed SSL and non-SSL content" or "redirect to a non-secure SSL warning". 
 
The attack could succeed if the attacker was able to inject code into the EV enabled website (which would make the flaw code based rather than SSL/browser based) or the end user had disabled all the SSL related warnings within their browser. Plus the user would have to be accessing the website via a poisoned DNS cache made possible by an open wi-fi hotspot for example. 
 
Therefore at the moment I do not believe this is a flaw in SSL or browsers. It is just hitting the headlines because it is in relation to EV certificates. If the end user just followed basic security practices such as not accessing unknown internet access points and not disabling the security settings in their browser then this attack should not be possible. 
 
I have not yet seen a demonstration of the "attack" and therefore I may not be understanding the process correctly. Therefore my views may 
be completely incorrect.

Loading mentions Retweet

Verisign is one of the leading suppliers of EV SSL certificates in the world. Recent statistics show that of the 13,000 EV certificates issued 10,000 were by VeriSign.

At ServerTastic we supply VeriSign SSL Certificates at a big discount. These are exactly the same as buying directly, you even complete the process with VeriSign. The only difference is you pay us less than you pay VeriSign.

Loading mentions Retweet