
News

12-05-17

Comodo CA unscheduled maintenance – May 12, 2017

Dear customers and partners!

Please note that Comodo CA is currently performing unscheduled maintenance.

As a result, today, May 12, 2017, you may encounter errors when placing new SSL orders, as well as delays in order processing and certificate issuance.

If you have any further questions, please do not hesitate to contact us:

- by phone: +31 20 7640722

- e-mail: info@leaderssl.com

- live chat on our website.

We apologise for the inconvenience.

Kind regards,

LeaderTelecom B.V. Team 

11-05-17

Phishing with Punycode: Beware!

Punycode is a method for representing a domain name that contains non-ASCII characters using only ASCII characters. For example, the URL "пример-сайта.рф" looks like this in Punycode: "xn----8sbarojrwjdmo.xn--p1ai". Most likely you have already encountered such URLs.

Unicode domains create a certain security problem, because some Unicode characters are hard to distinguish from traditional ASCII characters. For example, you can register the domain "xn--pple-43d.com", which is displayed as "apple.com". At first glance everything looks fine, but here the first letter is a Cyrillic "а", not an ASCII "a". IDN homograph attacks are based on this fact.

Modern browsers defend against IDN homograph attacks. For example, Google Chrome displays the URL in Punycode form if the domain name contains characters from several different scripts. However, this filter can be bypassed simply by registering a domain in which only Cyrillic characters are used. As a result, identifying the site as fraudulent is quite difficult: you need to check the URL and the SSL certificate carefully.

Fortunately, this bug has been fixed in Chrome 58. Firefox users remain vulnerable, as the browser's developers believe that domain registrars should deal with this problem. To protect yourself from cybercriminals in Firefox, go to about:config and set network.IDN_show_punycode to true. Firefox will then display IDN domains in Punycode form, which helps you spot such chameleon domains immediately.
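The conversion and the two browser heuristics described above (show Punycode for mixed-script labels, and catch the all-Cyrillic bypass where every letter merely mimics ASCII), as an added example that is not part of the original article: it uses Python's built-in idna codec, and the small Cyrillic look-alike table is a constructed subset of Unicode's confusables list (an assumption; a real check would load the full table).

```python
from __future__ import annotations

import unicodedata

# Constructed subset of the Unicode confusables list: Cyrillic letters that are
# visually indistinguishable from Latin letters in most fonts. Assumption: enough
# for a demonstration; a real implementation would load the full confusables.txt.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0441": "c",  # с
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0445": "x",  # х
    "\u0443": "y",  # у
    "\u0455": "s",  # ѕ
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u0501": "d",  # ԁ
    "\u04bb": "h",  # һ
    "\u04cf": "l",  # ӏ (palochka)
    "\u051b": "q",  # ԛ
    "\u051d": "w",  # ԝ
}


def to_punycode(domain: str) -> str:
    """Unicode domain -> ACE form: 'пример-сайта.рф' -> 'xn----8sbarojrwjdmo.xn--p1ai'."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """ACE form -> Unicode: 'xn--pple-43d.com' -> 'аpple.com' (first letter Cyrillic)."""
    return domain.encode("ascii").decode("idna")


def to_unicode(domain: str) -> str:
    """Accept either form and return the Unicode form."""
    return from_punycode(domain) if domain.isascii() else domain


def scripts_in(label: str) -> set:
    """Scripts used by the letters of a label, taken from the first word of each
    character's Unicode name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def lookalike(label: str) -> str:
    """The ASCII string a label would be mistaken for, if every non-ASCII letter has
    a Latin look-alike in the table; '' if some character has none."""
    out = []
    for ch in label:
        if ch.isascii():
            out.append(ch)
        elif ch in CYRILLIC_LOOKALIKES:
            out.append(CYRILLIC_LOOKALIKES[ch])
        else:
            return ""
    return "".join(out)


def classify(domain: str) -> list:
    """Per label: (unicode_label, verdict, ascii_lookalike).

    'ascii'                    plain ASCII label
    'mixed-script'             letters from more than one script (Chrome shows Punycode)
    'whole-script-confusable'  one non-Latin script, but every letter mimics ASCII
                               (the all-Cyrillic bypass fixed in Chrome 58)
    'idn'                      ordinary internationalised label with no ASCII look-alike
    """
    result = []
    for label in to_unicode(domain).split("."):
        if label.isascii():
            result.append((label, "ascii", label))
            continue
        mimic = lookalike(label)
        if len(scripts_in(label)) > 1:
            verdict = "mixed-script"
        elif mimic:
            verdict = "whole-script-confusable"
        else:
            verdict = "idn"
        result.append((label, verdict, mimic))
    return result


if __name__ == "__main__":
    # "\u0441\u043e\u0440\u0443" is an all-Cyrillic label that renders as "copy".
    for d in ("\u043f\u0440\u0438\u043c\u0435\u0440-\u0441\u0430\u0439\u0442\u0430.\u0440\u0444",
              "xn--pple-43d.com", "\u0441\u043e\u0440\u0443.com", "example.com"):
        print(to_punycode(to_unicode(d)), classify(d))
```

A browser that applies this rule would show the ACE form for every label whose verdict is "mixed-script" or "whole-script-confusable" and the Unicode form only for "idn" labels, which is what the Firefox about:config switch does unconditionally.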

Protection against these fakes: installing an EV SSL certificate

Domain-validated SSL certificates do not give a site all the visual signals that cause users to trust it. Attackers can easily obtain such certificates and install them on IDN domains created to steal valuable information from users. To reduce the risk, it is enough to switch to EV SSL certificates.

EV SSL certificates display the name of the organization in the browser's address bar, which no other type of SSL certificate can do. Imitations of the sites of large banks, financial institutions, payment systems, etc. are very common. Protection against this is installing an EV SSL certificate from a trusted certificate authority. You can always buy the best EV SSL certificates at favorable prices in our shop. Caring for your customers is the first step towards a clean reputation on the web and, as a result, rapid growth in sales!

03-05-17

As of September 2017, CAA verification will become mandatory for all certification authorities when issuing SSL/TLS certificates

Current CA/B Forum regulations state that certification authorities must ensure that requests for SSL certificates come either from the domain owners themselves or from those in charge of managing the domain. Generally, domain name verification is done by creating a DNS TXT record with a specific value or by placing a file with a specific code at a specific location on the site. This confirms domain ownership.

At the same time, hacking a website allows attackers to pass these validation checks and obtain a trusted certificate for the compromised domain from any certification authority. Such a certificate could be used for man-in-the-middle attacks or for redirecting users to phishing pages. The introduction of CAA helps to cope with these fraudulent activities.

What is CAA?

CAA (Certification Authority Authorization) is a DNS record type that was accepted as an industry standard in 2013 but has remained optional since then. Using this record, domain owners can specify the certification authorities that are permitted to issue SSL/TLS certificates for the specified domains.

The CAA record helps to avoid unauthorized issuance of SSL certificates, whether in error or with intent: for phishing, various attacks, etc.

The purpose of introducing a CAA record is to restrict the list of certification authorities that can issue certificates for a domain.

The structure of the CAA is as follows:

FQDN CAA flags property value

Example: search.com 86400 IN CAA 0 issue "comodo.com"

This record states that for the domain search.com only the Comodo certification authority is permitted to issue SSL certificates.

To allow issuing only wildcard certificates for a domain, the following CAA record (with the issuewild property) is used:

example.org. CAA 0 issuewild certificate_authority.com

Ballot 187 from the CA/B Forum makes CAA verification mandatory for all CAs

Recently, the CA/B Forum adopted Ballot 187, which makes CAA verification a mandatory standard for all certification authorities. 17 certification authorities (94%) and 3 browser manufacturers (100%) voted for the proposal. It will come into force on September 8. If a certification authority postpones adopting these rules, it will face consequences such as sanctions applied by the CA/B Forum.

In addition to the "issue" tag, the "iodef" tag will also become a mandatory attribute that certification authorities will need to process in CAA records. This tag allows specifying an email address or URL for contacting the domain owner, to which reports are sent about all certificate requests for this domain that contradict the CAA policy. The domain owner will thus be aware that someone tried to obtain a certificate for their domain without proper authorization and will have an opportunity to take appropriate protective measures.

Examples of CAA records with an iodef contact:

example.org. CAA 0 iodef "mailto:site@example.org"

example.org. CAA 0 iodef "https://site.example.org/"
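As an added example (not part of the original article or of any CA's code), the following Python checker parses CAA records in the zone-file notation shown above and applies the RFC 6844 rules a CA has to follow: the closest ancestor name that has any CAA records governs, issuewild overrides issue for wildcard requests only, the value ";" means no CA at all, an unknown tag with the critical flag blocks issuance, and iodef records are collected as the addresses a refused request should be reported to. The sample zone is constructed from the records quoted in the article; it adds an issue ";" record beside the article's issuewild record, because issuewild on its own only controls wildcard issuance, so restricting non-wildcard issuance as well requires an issue record.

```python
import re
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # flag bit 7 (RFC 6844): refuse to issue if an unknown critical tag is present


@dataclass(frozen=True)
class CAARecord:
    name: str    # owner name, lowercase, no trailing dot
    flags: int   # 0..255
    tag: str     # issue / issuewild / iodef (lowercased; tags are case-insensitive)
    value: str   # value with surrounding quotes removed


# Presentation-format line: owner [TTL] [IN] CAA flags tag value
_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def parse_caa(zone_text: str) -> list:
    """Parse CAA records written in zone-file presentation format (one per line)."""
    records = []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or zone-file comment
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        value = m.group("value")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        records.append(CAARecord(_norm(m.group("name")), int(m.group("flags")),
                                 m.group("tag").lower(), value))
    return records


def relevant_records(records: list, name: str) -> list:
    """RFC 6844 section 4: climb from the requested name toward the root; the closest
    owner that has any CAA records supplies the relevant record set."""
    labels = _norm(name).split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        found = [r for r in records if r.name == owner]
        if found:
            return found
    return []


def _issuer(value: str) -> str:
    """Issuer domain of an issue/issuewild value: 'ca.example; account=1' -> 'ca.example';
    the explicit 'no CA at all' value ';' -> ''."""
    return _norm(value.split(";", 1)[0])


def ca_may_issue(records: list, name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Would the CA identified by ca_domain be allowed to issue for name (or *.name)?"""
    rel = relevant_records(records, name)
    if not rel:
        return True  # no CAA records anywhere up the tree: issuance is unrestricted
    if any(r.flags & ISSUER_CRITICAL and r.tag not in ("issue", "issuewild", "iodef") for r in rel):
        return False  # critical tag this checker does not understand
    issue = [r for r in rel if r.tag == "issue"]
    issuewild = [r for r in rel if r.tag == "issuewild"]
    # issuewild governs wildcard requests only when present; otherwise issue applies to both
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # only iodef (or similar) records present: no issuer restriction
    return _norm(ca_domain) in {_issuer(r.value) for r in governing}


def iodef_contacts(records: list, name: str) -> list:
    """Where a CA should report a request that violates the CAA policy for name."""
    return [r.value for r in relevant_records(records, name) if r.tag == "iodef"]


# Constructed sample zone, based on the records quoted in the article; the
# 'issue ";"' line is added so that example.org really permits wildcard issuance only.
ZONE = """
; CAA records (constructed sample)
search.com.   86400 IN CAA 0 issue "comodo.com"
example.org.  CAA 0 issuewild "certificate_authority.com"
example.org.  CAA 0 issue ";"
example.org.  CAA 0 iodef "mailto:site@example.org"
example.org.  CAA 0 iodef "https://site.example.org/"
"""
RECORDS = parse_caa(ZONE)

if __name__ == "__main__":
    for host, ca, wild in (("www.search.com", "comodo.com", False),
                           ("www.search.com", "other-ca.example", False),
                           ("example.org", "certificate_authority.com", False),
                           ("example.org", "certificate_authority.com", True)):
        print(host, ca, "wildcard" if wild else "", "->", ca_may_issue(RECORDS, host, ca, wild))
    print(iodef_contacts(RECORDS, "shop.example.org"))
```

Note that www.search.com inherits the search.com policy because it has no CAA records of its own, while a name with no CAA records anywhere up its tree is unrestricted; that inheritance is why a single record at the zone apex is usually enough.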

Current issues with the implementation of CAA

Mandatory CAA verification still has some undefined issues. First, there is no clear policy on how exactly CAA verification will work with CNAME records encountered during the CAA lookup. If two certification authorities are set as permitted issuers, it becomes unclear who exactly controls issuance.

Secondly, there is no software that would support CAA at the DNS and CA level. This will be a major blow for small certification authorities, since they may not have time to acquire the proper tools by September.

Conclusion

Although CAA is relatively new to DNS, it can easily be implemented on modern infrastructure. The lack of CAA support from third-party DNS providers can be a problem for certain organizations. However, there is still a lot of time until September, so certification authorities and all other involved parties will have time to adopt the new requirements.

13-04-17

Hackers used Let's Encrypt certificates in attacks targeting a large Brazilian bank

Fraudsters attacked bank customers after finding vulnerabilities in the security systems of one of the largest Brazilian banks. The hackers used Let's Encrypt certificates to create phishing clones of the bank's website. Researchers have only recently disclosed how the hackers breached the bank's defences.

The online scammers were able to redirect all 36 of the bank's domains to fake pages, using SSL certificates issued by the Let's Encrypt certification authority. Bank customers were unaware that security had been compromised and continued to enter their data on the phishing pages, not suspecting that all their personal data was being transmitted to the fraudsters.

The main series of attacks on the Brazilian bank was carried out on October 22, 2016. The hackers gained access to all site operations by taking control of 36 domains, corporate mail and DNS.

According to a researcher from Kaspersky Lab, the hackers acquired control of all the bank's domains. Furthermore, the fraudsters were able to suspend corporate mail, so the bank was unable to notify its customers about the attacks.

The bank that suffered the attacks is large: it has more than 5 million customers and $25 billion in assets, with 500 branches in Brazil, the United States, Grand Cayman and Argentina.

An investigation by Kaspersky Lab found that the bank's website was spreading malware to all visitors. Unsuspecting visitors downloaded a zip archive from the main page, which contained a malicious Java file.

The attackers intended to use the malware to intercept the victim bank's operations and steal funds from the accounts of customers of banks in other countries.

The bank eventually regained control over its DNS infrastructure; however, the malware remains on visitors' computers.

The main issue concerning all users of the World Wide Web relates to free SSL certificates. Fraudsters can easily obtain them and then create phishing web pages protected by an SSL certificate and aimed at stealing valuable personal information. For this reason, it is very important to always turn to commercial certification authorities, which have well-established SSL issuance practices and have proven their reliability over a long time.

It is worth noting that the Let's Encrypt certificates used for the fraudulent activities did not contain the name of the organization. For this reason, all commercial sites are urged to switch to OV/EV SSL certificates, which include the name of the organization and, in the case of EV SSL, show the green address bar in browsers. You can always buy OV and EV SSL certificates from leading certification authorities in our store.

03-04-17

Beginning March 1, 2018, issuance of three-year SSL certificates will cease

As of 2018, a new CA/B Forum requirement will apply: the maximum validity period of SSL certificates will be limited to 24 months. The CA/B Forum is an industry regulatory body that creates and adopts rules for the issuance and verification of SSL certificates.

The Ballot 193 proposal, originally published by Chris Bailey of the Entrust certification authority, sets a new limit on the maximum validity period of all trusted SSL certificates: 825 days. This is a two-year period with additional days provided for renewing and replacing an expiring certificate. The amendment has been finally approved and will apply beginning March 1, 2018.

The amendment was approved by 24 certification authorities with 3 abstentions and 5 browser manufacturers with one abstention (Mozilla). The new requirement will be mandatory for all types of SSL certificates and all certification authorities. The industry is currently considering further reducing the validity of SSL certificates to one year.

Currently, the maximum validity period for an SSL certificate is 3 years (for SSL certificates, 3 years means 39 months). Certification authorities can issue DV and OV SSL certificates for a period of three years until March 1, 2018. From March 1, the rules change: SSL certificates will be issued only for 1 or 2 years.

This is in line with the general direction of the CA/B Forum: it is worth noting that the issuance of 4- and 5-year certificates was discontinued in March 2015.

Why is the validity period of SSL certificates being reduced?

Users of SSL certificates are more comfortable with long-term certificates (many would be happy to purchase an SSL certificate valid for 10 years), as there is no need to spend a lot of time reinstalling them; however, the SSL industry has a somewhat different point of view. For example:

  • It would be difficult to deploy modern security features and updates in a timely manner

Any proposal or change adopted by the CA/B Forum only takes full effect once the validity period of all existing certificates has passed, i.e. only after 39 months.

In the future, the industry will continue to decrease the validity period of SSL certificates. Although these changes will be implemented slowly, all users should be prepared for regular renewal (about once a year) of their certificates.
