• GDPR and WHOIS

    Is your inbox also filled with GDPR-related privacy updates? WHOIS, the tool with which you can look up the names and contact details of domain name owners, had to make a couple of changes too in order to be in line with the GDPR.

    As a quick reminder, GDPR stands for General Data Protection Regulation. This regulation went into effect on May 25th 2018. Its main objective is to give internet users more information about, and control over, the data they share online.

  • The web is becoming more secure, but so are phishing sites…

    While the Firefox 51 and Chrome 56 roll-out promised a safer web thanks to security warnings and a gentle push towards making websites rely on HTTPS with SSL certificates, it seems phishing sites rather quickly jumped on the bandwagon and started implementing “secure and encrypted” phishing scams.

    HTTPS enabled phishing sites on the rise

    As reported by Netcraft on May 17th 2017, since the release on January 26th 2017 of the Chrome and Firefox “security warning enabled” browsers, the number of phishing websites using HTTPS has risen from 5% to 15%, with even a small peak of 20%.

    Phishing sites with HTTPS on the rise since January 26th 2017 – Graph (c) Netcraft.com

    To make this an even bigger problem, the phishing sites rely on certificates from trusted, valid Certificate Authorities like Let’s Encrypt and Comodo.

    The popularity of Let’s Encrypt has also become its weakness: it is very easy to get a valid, browser-trusted certificate that is valid for a limited amount of time. While this is excellent for automated renewal services, it also makes it an attractive magnet for parties with less honourable incentives, such as phishing sites. As a reaction to Let’s Encrypt’s “free” certificate, Comodo has launched a so-called Trial Certificate valid for 90 days. But, as always, “free” is usually too good to be true.

    Top 10 phishiest certificate authorities: unfortunately, Let’s Encrypt (Yellow) and Comodo (Blue) lead the way.

    Let’s Encrypt does use the Safe Browsing API to check the validity of a certificate it issues, but this check is probably made before the phishing content is added, so basically a problem only shows up when the harm is done.

    Since browser users are trained to check for a “valid” and “secure” URL, at first glance it seems the website they visit is legit. This makes the problem even worse, since the scam sites are TLS-enabled and appear to be valid.

    What will happen?

    While some Certificate Authorities claim it is not the task of a CA to check whether the certificate being issued is reliable content-wise, we cannot deny this can become a problem. But when you take a look at the bigger picture, it was a problem that could be expected. We are talking about DV (Domain Validation) certificates: they are cheap or free, and the validation method is, to say the least, pretty limited (a simple e-mail or DNS validation check is usually enough to get you going).

    Our advice generally is not to rely on “the cheapest” SSL certificate option unless you know what you are doing, you know what you are going to use the SSL certificate for, and you can live with the idea that there might come a day when the SSL certificate (let’s hope not) becomes a problem.

    If you run an organisation or corporation and wish to steer away from this, there are always the less cheap Domain Validation certificates or the more reliable Organisation Validation certificates. From the perspective of an end user: always, and we do mean ALWAYS, check the certificate and the domain name in the address bar. There is a thing called “Deceptive Domain Score” which usually indicates well how unreliable the domain can be.

    Get a valid – non free, sorry – SSL certificate at Kinamo. And given the circumstances, we do favor GlobalSign!

  • Kinamo has received ISO 9001:2015 certification!

    As of February 20th 2017, Kinamo has been granted the International Organization for Standardization (ISO) 9001:2015 certification. Meeting the extensive criteria of this standard confirms that the company’s Quality Management System complies with the standard’s requirements and aims for continuous improvement of products, services, and internal processes.

    “Our goal is to provide high quality and professional hosting services to our customers”, said Dominique Quintelier, CEO.

    By obtaining the ISO 9001:2015 certification, we demonstrate our strong commitment to our customers and our continuous dedication to improve our organization’s efficiency and quality.

    “Obtaining the certification required thorough preparation, review and both internal and external audits. Needless to say, I am very proud of my team for being able to reach this important milestone. It is a significant achievement for Kinamo, but also an important signal to our customers highlighting our constant aim for improvement of our services.”

    About the ISO 9001:2015 standard

    The ISO 9001:2015 standard is one of the world’s most highly regarded quality management system standards, helping businesses prove their ability to consistently provide products and services that meet and exceed customer requirements. For more information on the ISO 9001:2015 standard, please visit the official ISO website.

    About Kinamo

    Kinamo is a privately held company providing managed hosting services, integrated cloud services, domain name registrations and SSL certificates. Kinamo stays loyal to a vision where early adoption and experimenting with new technology is a key element in their service offering, keeping reliability and innovation in balance.

    Would you like to know more about our services and how we can help you in your cloud hosting projects? Feel free to contact us!

  • 3 important reasons to secure your site with an SSL certificate in 2017!

    From January 2017 on, new browser versions of Google Chrome (version 56) and Mozilla Firefox (version 51) will start giving a notification in the address bar to state your site is “not secure”.

    It gets better: if your website is in the Google Search Console (for SEO tracking), you will also get a warning there as an administrator that certain URLs will trigger a “Not secure” warning for your visitors, for example registration pages or forgotten-password pages.

    Why install an SSL certificate on your site?

    The main reason to choose an SSL certificate for your website is that data is sent encrypted from visitor to website and back:

    • Web forms, registrations, profile pages, passwords… are preferably sent over a secure connection.
    • If you offer online services, having an HTTPS-enabled website is simply a necessity!
    • Are you running a web shop or e-commerce platform? Give your visitors that extra confidence when they visit your site!

    Which SSL certificate to choose?

    There are several types of SSL certificates: domain validation, organisation validation, extended validation (the famous green address bar), wildcard certificates… but which one is the best option for your site or application?

    We admit it, finding the path through the dense SSL forest is not exactly easy. Therefore, consult Kinamo when trying to figure out which certificate fits your needs best. We will check with you which type is the most applicable to your needs.

    Looking for the highest degree of visual “trust” and a green address bar with your company name embedded?
    Then the Extended Validation (EV) certificate is best suited. EV certificates are not cheap, but the vetting process is strictly regulated and more complex, and it gives the visitor the best degree of assurance that the site is actually linked to your company. EV certificates are commonly used by financial institutions, e-commerce platforms and other sites working with transactional data.

    Do you have a multitude of servers that must be secured by one single certificate, all under the same domain and its subdomains? Then the Wildcard SSL certificate is your best choice: these certificates allow you to secure *.yourdomain.com, often at a much better price than picking individual certificates per subdomain.
    The only disadvantages: they are only available with domain validation and only work for subdomains (so myserver.domain.com and my2ndserver.domain.com, but not myserver.domain.com and myserver.2nddomain.com).
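
The wildcard coverage rule above, as an added example (not Kinamo's code): it goes slightly beyond the text by also showing that a wildcard name covers neither the bare domain nor nested subdomains. The function names are hypothetical and the matching is a conservative reading of RFC 6125, where "*" is only honoured as the whole left-most label.

```python
def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot only marks the root.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    # "*" stands for exactly one label, so the label counts must be equal.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if "*" in "".join(h):
        return False  # a real hostname never contains a wildcard
    if p[0] == "*":
        # Require two fixed labels so that "*.com" covers nothing.
        if len(p) < 3:
            return False
        p, h = p[1:], h[1:]
    # Any remaining "*" (e.g. "my*.domain.com") is refused outright.
    return "*" not in "".join(p) and p == h


def audit(cert_names: list[str], hosts: list[str]) -> dict[str, bool]:
    """Map each host to whether any name on the certificate covers it."""
    return {
        host: any(wildcard_matches(name, host) for name in cert_names)
        for host in hosts
    }


# Constructed sample data, using the host names from the paragraph above.
SAMPLE_CERT_NAMES = ["*.domain.com"]
SAMPLE_HOSTS = [
    "myserver.domain.com",       # covered
    "my2ndserver.domain.com",    # covered
    "myserver.2nddomain.com",    # different domain: not covered
    "domain.com",                # bare domain: not covered
    "db.myserver.domain.com",    # nested subdomain: not covered
]

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_CERT_NAMES, SAMPLE_HOSTS).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```

Running an audit like this over your inventory of host names before ordering shows whether one wildcard certificate is enough or whether the bare domain and deeper subdomains need additional names.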

    If you are really on the hunt for a bargain when securing your website, the cheapest option is a standard SSL certificate with domain validation.
    These certificates are cheap, issued quickly (getting a certificate within 5 minutes is possible, if you follow the steps correctly) and they are often valid for 1 to 3 years.

    Let’s Encrypt?

    Since 2016 you can also get “free” SSL/TLS certificates. These are offered by Let’s Encrypt, created by the non-profit Internet Security Research Group (ISRG).
    There are advantages when using these certificates: the validity is limited to 90 days, so the certificate must be renewed every 90 days.
    True, this can be done automatically, but it requires specific server settings or other creative tweaking solutions. Let’s Encrypt certificates only work with domain validation, are not available as wildcard certificates and will require more work than a “simple” domain validation certificate.