
SSL / TLS certificates comparison offer

SSL / TLS certificates to secure your online communications

Why do webmasters have to get an updated SSL certificate?

As part of a strategy to secure the web, Google is pushing webmasters to secure communications between their websites and their visitors' devices. Thus, from July 2018, Google Chrome will publicly flag all websites that are not secured.

The good thing about Google Chrome is that it updates automatically. And since Google Chrome has the biggest share, with 58% of world wide web browsing, we can assume that at least 58% of visitors will see the message if the website is not updated.
This means that all webmasters should take the message seriously and update their SSL certificates, so they can show their customers how safe their websites are.

SSL certificates are replaced by TLS certificates

At the same time, SSL is being deprecated. SSL 3.0, the last version of SSL, last updated in 1996, became far too easy to attack. Webmasters and suppliers still widely use the name, though today's certificates are in fact TLS certificates.
The latest version of TLS is v1.2, developed in 2008. The Internet Engineering Task Force, IETF, is currently, as of July 3rd, 2018, at the draft stage of v1.3. The only browsers to support v1.3 are Google Chrome and Mozilla Firefox.

Where to find TLS / SSL certificates?

Now that we know webmasters need an SSL / TLS certificate, the question is where to get it. There are many different suppliers with many different offers; they are called Certificate Authorities. We have been doing extensive research on the SSL market.

The process to find the best SSL certificate

We started by screening the biggest suppliers in the market. Why? There are a lot of Certificate Authorities and we needed to focus on a limited number.

List of selected SSL Certificate authorities

Common features

We listed the common features of an SSL certificate, such as:

  • Issuance: the time to deliver the certificate. That can be really painful if your website is blocked by Google Chrome.
  • Warranty: all Certificate Authorities provide a warranty in case of a breach, as a pledge of confidence, to say that they believe in their certificate so much that they are ready to pay you if something bad happens.
    Nota bene: while going through the terms and conditions we discovered that the warranties are not as simple as described on the front page of their websites. To summarize, even if they advertise 1 million dollars, you might end up with only 10,000 dollars. We will try to refine the research.
  • Encryption: all Certificate Authorities in our comparison offer the same encryption today: standard X.509 certificates; symmetric 256-bit encryption; RSA public key with the SHA-2 algorithm (supported hash functions: 256, 384, 512); ECC public-key cryptography (supported hash functions: 256 and 384); 2048-bit public key (3072-bit and 4096-bit available).
  • SAN: some Certificate Authorities offer the option to extend the basic SSL certificate with one or many Subject Alternative Names, to enrich their offer and help webmasters manage their hosting easily.
  • Green browser address bar / Extended Validation certificates are not part of this comparison yet. That market research will come in an upcoming post.
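The feature list above describes what a certificate is supposed to contain, but a webmaster still has to verify what was actually issued. The following is an added example for this post, not code from the original page or from any Certificate Authority: `evaluate_certificate` encodes the listed baseline (X.509, SHA-2 signature, RSA of at least 2048 bits or a 256/384-bit ECC key, at least one Subject Alternative Name, currently valid) and needs only the standard library, while `inspect_pem` reads those fields from a real PEM file and assumes the third-party `cryptography` package is installed. The sample records are constructed, not real certificates.

```python
"""Check what a certificate actually contains against the feature list above.

Added example for this post, not code from the original page or from any
Certificate Authority. `inspect_pem` assumes the third-party `cryptography`
package; `evaluate_certificate` needs only the standard library, and the
sample records below are constructed, not real certificates.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

SHA2_HASHES = {"sha256", "sha384", "sha512"}


def evaluate_certificate(info: dict, now: Optional[datetime] = None) -> dict:
    """Return one boolean per feature plus an overall `ok` flag.

    `info` fields: key_type ("RSA"/"EC"), key_size (bits), signature_hash
    (name), san (list of DNS names), not_before/not_after (aware datetimes).
    """
    now = now or datetime.now(timezone.utc)
    checks = {}
    if info["key_type"] == "RSA":
        # 2048-bit is the listed baseline; 3072/4096 are optional upgrades.
        checks["public_key"] = info["key_size"] >= 2048
    elif info["key_type"] == "EC":
        # The comparison lists ECC with 256- and 384-bit curves.
        checks["public_key"] = info["key_size"] in (256, 384)
    else:
        checks["public_key"] = False
    checks["sha2_signature"] = info["signature_hash"].lower() in SHA2_HASHES
    checks["has_san"] = len(info.get("san", [])) > 0
    checks["currently_valid"] = info["not_before"] <= now <= info["not_after"]
    # Informational: flag certificates expiring within 30 days, so the
    # issuance delay mentioned above does not leave the site unprotected.
    checks["renewal_due"] = (info["not_after"] - now) <= timedelta(days=30)
    checks["ok"] = all(checks[k] for k in
                       ("public_key", "sha2_signature", "has_san", "currently_valid"))
    return checks


def inspect_pem(pem_bytes: bytes) -> dict:
    """Extract the fields above from a PEM certificate (needs `cryptography`)."""
    from cryptography import x509
    from cryptography.hazmat.primitives.asymmetric import ec, rsa

    cert = x509.load_pem_x509_certificate(pem_bytes)
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey):
        key_type, key_size = "RSA", key.key_size
    elif isinstance(key, ec.EllipticCurvePublicKey):
        key_type, key_size = "EC", key.curve.key_size
    else:
        key_type, key_size = type(key).__name__, 0
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        san = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        san = []
    hash_alg = cert.signature_hash_algorithm  # None for e.g. Ed25519 signatures
    # Newer `cryptography` releases expose timezone-aware *_utc properties;
    # older ones only have naive datetimes, which are in UTC.
    not_before = (getattr(cert, "not_valid_before_utc", None)
                  or cert.not_valid_before.replace(tzinfo=timezone.utc))
    not_after = (getattr(cert, "not_valid_after_utc", None)
                 or cert.not_valid_after.replace(tzinfo=timezone.utc))
    return {"key_type": key_type, "key_size": key_size,
            "signature_hash": hash_alg.name if hash_alg else "",
            "san": san, "not_before": not_before, "not_after": not_after}


# Constructed sample records: what a parser returns for a typical 2048-bit
# RSA / SHA-256 certificate with SANs, and for a weak SHA-1 one without any.
SAMPLE_NOW = datetime(2018, 7, 3, tzinfo=timezone.utc)
SAMPLE_CERT_INFO = {
    "key_type": "RSA", "key_size": 2048, "signature_hash": "sha256",
    "san": ["www.example.com", "example.com"],
    "not_before": datetime(2018, 6, 1, tzinfo=timezone.utc),
    "not_after": datetime(2019, 6, 1, tzinfo=timezone.utc),
}
WEAK_CERT_INFO = dict(SAMPLE_CERT_INFO, signature_hash="sha1", key_size=1024, san=[])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check_cert.py server.pem
        with open(sys.argv[1], "rb") as fh:
            print(evaluate_certificate(inspect_pem(fh.read())))
    else:
        print(evaluate_certificate(SAMPLE_CERT_INFO, SAMPLE_NOW))
```

Run it against the PEM file the Certificate Authority delivered; a `False` in `public_key` or `sha2_signature` means the certificate does not match what the comparison table promises, and `renewal_due` is the cue to start the reissuance early, given the issuance delays discussed above.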

SSL certificate comparison table

The result of the SSL certificate comparison

To summarize,

  • if price is the most important, try Let's Encrypt
  • if you need an easy and affordable SSL certificate provider, try 911micro

Let us know if we are missing some points to consider! You can comment below.
Thank you


How do we get to know that a service platform has been #corrupted?

Over the years, #hackers, #spammers, #scammers and other #criminals have been evolving, for easy money or maybe to control someone. Reputation and quality of service push service platforms to evolve as well, with better techniques and sometimes by being creative.

However, whether you run a business or just have personal needs, you subscribe to a platform like #linkedin, #facebook, #yahoo, #bank services, #CRM, document #hosting or others. After years, those platforms succeed or not. Most of them will survive only a few years, the duration of a trend.

This is what is threatening your #security. How?

When a company has to cut expenses, the platform's security no longer keeps up with updates, and more and more security #breaches let criminals and robots access the system, even without alerting the administrators.

Once a criminal is in, he gets access to some data, like emails, maybe passwords and/or other personal user information. These can be used for #socialengineering, such as sending you your password and threatening to disclose your personal information. They can also use your email to spam you.

This is what happened with #dropbox. We use a unique password and a unique email address for every single platform we connect to. Example of an email address in our case: dropbox@#domain#.com. We just use a catch-all to receive every single unique email address we create. And our Google email account filters spam quite well ;-).

This means we don't share, don't need to share and never share this email address with anyone.

So how do we receive emails from spammers, hackers, scammers... at that email address then?

Only Dropbox's server is storing it.

What could have happened then?

We don't see a lot of options here: either Dropbox is sharing / selling their customers' email addresses, or they got hacked. What do you think?

One thing is sure: it would not be the first platform to leak its data, as we have received the same kind of emails at the unique addresses of many other identified platforms.

https://security.911micro.com/cyber-security for more information on how 911micro can help you.
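The unique-alias scheme described in this post is, in effect, a canary for data leaks: an alias handed to exactly one platform should only ever receive mail from that platform. The following is an added example, not code from the original post or from 911micro, that automates the check over a catch-all delivery log. It assumes the convention above (`<service>@yourdomain`, every alias delivered by a catch-all), a registry that records which sender domain each alias was given to, and a simple `from=... to=...` log format; the registry, the `example.com` catch-all domain (standing in for the `#domain#` placeholder) and the log lines are all constructed.

```python
"""Spot leaked per-service email aliases from a catch-all mailbox.

Added example for this post, not code from the original page or from
911micro. Mail that reaches a service alias from a sender domain other
than the one the alias was given to is the signal that the address has
leaked (or been sold). Registry, catch-all domain and log are constructed.
"""
import re
from collections import defaultdict

CATCHALL_DOMAIN = "example.com"  # stands in for the post's '#domain#'

# Which sender domain each alias was ever handed to (constructed registry).
ALIAS_REGISTRY = {
    "dropbox": {"dropbox.com"},
    "linkedin": {"linkedin.com"},
    "bank": {"example-bank.com"},
}

# Constructed delivery-log lines: timestamp, envelope sender, recipient.
SAMPLE_LOG = """\
2018-07-01T08:00:01 from=no-reply@dropbox.com to=dropbox@example.com
2018-07-01T09:12:44 from=news@linkedin.com to=linkedin@example.com
2018-07-02T02:31:09 from=promo@cheap-pills.example to=dropbox@example.com
2018-07-02T02:35:10 from=alerts@mail.example-bank.com to=bank@example.com
2018-07-03T11:05:55 from=win@lottery.example to=dropbox@example.com
2018-07-03T12:00:00 from=someone@example.net to=unknown@example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")


def registered_domain(host):
    # Simplification: keep the last two labels (mail.example-bank.com ->
    # example-bank.com). A real deployment would use the public suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(line):
    """Return (verdict, alias, sender_domain) or None for lines we ignore."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    local, domain = m["rcpt"].lower().rsplit("@", 1)
    if domain != CATCHALL_DOMAIN:
        return None  # not one of our catch-all aliases
    sender_dom = registered_domain(m["sender"].rsplit("@", 1)[-1])
    expected = ALIAS_REGISTRY.get(local)
    if expected is None:
        return ("unknown_alias", local, sender_dom)  # never issued; likely guessed
    if sender_dom in expected:
        return ("expected", local, sender_dom)
    return ("leaked_alias", local, sender_dom)


def leak_report(log_text):
    """Map each leaked alias to the unexpected sender domains that used it."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[0] == "leaked_alias":
            report[result[1]].append(result[2])
    return dict(report)


if __name__ == "__main__":
    for alias, senders in leak_report(SAMPLE_LOG).items():
        print(f"alias '{alias}' leaked: unexpected senders {senders}")
```

On the constructed log, the `dropbox` alias is reported with two unexpected sender domains, which is exactly the situation the post describes; the `unknown` alias is kept separate because an address that was never issued says nothing about any particular platform.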


Why should you integrate Cyber Security processes in your business?

Canadian Centre for Cyber-Security

How to protect your digital business and life?

Imagine someone accessing your #mailbox. He would have access to all your contacts and your history. In many cases, you use the same #password from one service to another, which makes it really easy for him to access your other services.

Another option he has would be simply to request a password change on the related platform. Having access to the email address, he would delete the email right away and you wouldn't even notice it.

#Phishing is a simple way to get your credentials. The hacker sends you an email that looks like an official email from one of your service providers, such as your bank or email host, saying something important and forwarding you to a lookalike of that same provider's official website. The process is easy. They just have to:

  1. Copy and paste the official website
  2. Reserve a similar domain name, with a stolen credit card
  3. Change the behaviour and the database so you won't know what is happening, but they will get your username / email address and password
  4. Copy and paste the official email
  5. Use a similar official email address, but with the new domain name they now own
  6. Change the email links to the new domain name

With a script, they go through the official website at the same time and change the password on the spot or get the information they want.
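The common thread in the scheme above is the "similar domain name": the email and the site look official, but every link points somewhere else. The following is an added example, not code from the original post or from 911micro, showing the defender's side: given an allowlist of the official domains you actually deal with, it extracts every link in an email and flags those whose registered domain is a near-miss of an official one (a one- or two-character typo) or that merely embed the official name inside another domain. The allowlist, the sample email and all domains in it are constructed; the registered-domain logic is a simplification that keeps the last two labels rather than consulting the public suffix list.

```python
"""Flag links in an email that point at lookalikes of your providers' domains.

Added example for this post, not code from the original page or from
911micro. The allowlist and the sample email are constructed.
"""
import re
from urllib.parse import urlparse

OFFICIAL_DOMAINS = {"example-bank.com", "mailhost.example"}  # constructed allowlist

# Constructed sample message in the style the post describes: official
# wording, but two of the four links lead to lookalike domains.
SAMPLE_EMAIL = """\
Dear customer, your account needs verification.
Please sign in at https://example-bank.com.secure-login.example/verify
or use https://examp1e-bank.com/login if the first link fails.
Statements: https://statements.example-bank.com/2018
Unsubscribe: http://mailhost.example/unsub
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host):
    # Simplification: last two labels (statements.example-bank.com ->
    # example-bank.com). A real deployment would use the public suffix list.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def judge_link(url, official=OFFICIAL_DOMAINS):
    """Return (verdict, host) for one link target."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    reg = registered_domain(host)
    if reg in official:
        return ("official", host)  # the real domain, possibly a subdomain of it
    for dom in official:
        name = dom.split(".")[0]
        if name in host:
            # Official name used as a label of some other domain, e.g.
            # example-bank.com.secure-login.example
            return ("lookalike_embedded", host)
        if edit_distance(reg, dom) <= 2:
            # A typo-squat such as examp1e-bank.com
            return ("lookalike_typo", host)
    return ("unrelated", host)


def suspicious_links(text, official=OFFICIAL_DOMAINS):
    """All links in `text` whose verdict is a lookalike, with the verdict."""
    found = []
    for url in URL_RE.findall(text):
        verdict, _host = judge_link(url, official)
        if verdict.startswith("lookalike"):
            found.append((url, verdict))
    return found


if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL):
        print(f"{verdict:20} {url}")
```

Such a check belongs in the mail gateway or a browser extension rather than in the reader's head: the whole point of the attack is that the lookalike is convincing at a glance. Two caveats follow from the simplifications: the two-label rule misreads country-code domains such as `.co.uk`, and a threshold of two edits will occasionally flag a legitimately similar domain, so treat the output as a prompt to verify rather than as proof.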

Let's say you activated two-step verification / multi-factor authentication / 2FA, which asks for a second, random password when you log in. That is one of the most important steps to protect your accounts today. Elon Musk can talk about it: https://www.theverge.com/2020/8/15/21370140/musk-tesla-2fa-security-cars. But don't forget your email POP and IMAP access. They still use old protocols and remain open to access if the hacker has your password or by #bruteforce.

Your mailbox, along with your phone number, is today the main place to secure. This is where you receive and centralize all of your communications with the different platforms. Just be aware and careful: the hacker is a click away.

Today, cyber threats are common. More than 50% of companies have been hacked.

https://security.911micro.com/cyber-security for more information on how 911micro can help you.