Tag Archives: SSL

The New 39-Month SSL Certificate Maximum Validity

Changes in CA/B Forum Baseline Requirements

Twitter Card Style: 


The past few years within the SSL certificate industry have been busy with changes.  1024-bit RSA certificates are long gone, using public SSL certificates on servers with internal domain names is starting to disappear, and the SHA-1 hash algorithm is starting to see its final days.  So what is next?

Starting 1 April 2015, Certification Authorities (CAs) are not permitted to issue SSL certificates (issued from a public root) with a validity period greater than 39 months.  SSL certificates have limited validity periods so that the certificate’s holder identity information is re-authenticated more frequently. Plus it’s a best practice to limit the amount of time that any key is used, to allow less time to attack it.

In line with the latest Certification Authority/Browser Forum Baseline Requirements, CAs will stop issuing 4 and 5-year SSL certificates in the near future.  Symantec plans on eliminating these options in late February 2015 on all SSL management consoles.  Extended Validation (EV) SSL certificates still have a max validity period of 27 months but Organizational Validated (OV) and Domain Validated (DV) certificates (DV not offered by Symantec) will have this new 39-month lifespan.

So how will this affect those who install SSL certificates?  The average person installing certificates in a large enterprise will have to go through the enrollment process a little more often.  If the organization on that level and scale finds this detracts from employee productivity they may want to look at leveraging Symantec Certificate Intelligence Center Automation.  To someone in a small organization who only issues SSL certificates on a very infrequent basis, they may find themselves looking for SSL installation instructions a little more often.  To help you, Symantec has always offered a wealth of information online via our Knowledge Base (the preceding site will be migrating to this location in the near future) and offers amazing support by phone.

Hourglass 350x350.jpg

Please let us know what you think below in the comment section.

Gogo Inflight Internet is Intentionally Issuing Fake SSL Certificates

Twitter Card Style: 


It was recently disclosed that Gogo, a provider of Wi-Fi Internet services on commercial aircraft, has been issuing spoofed SSL certificates for Google sites that were viewed by customers of Gogo’s service. It appears that Gogo Inflight Internet was acting as an SSL Man-in-the-middle (MITM), a technique used within some enterprises to allow themselves to inspect and control all web traffic, even traffic to secure web sites.  To understand what this means, let me explain MITM in a bit more detail.

While not very common, there are enterprises that use SSL MITM technology to protect their employees and assets. For example, the enterprise can see when their employees visit sites that attempt to deliver malware to eventually block it. Some enterprises might want to ensure that their employees don’t visit inappropriate web sites using company equipment. The enterprise may also deploy a Data Loss Prevention (DLP) solution to guard against company secrets being divulged on public web sites. These uses are justified since the enterprise has an interest in securing its employees and their assets (laptops, desktops, corporate data, etc.)


Here’s how an SSL MITM works: a browser user tries to open an SSL connection to a web server. The connection attempt is intercepted by the SSL MITM, which opens its own SSL connection to the intended web server. When that web server returns its SSL certificate, the SSL MITM crafts a copy of the certificate using its own public-private key pair and signed by the SSL MITM’s private root certificate. It returns that copy of the certificate to the browser user, who sees a certificate containing the name of the intended web server. Essentially, two SSL connections are set up: one between the browser user and the SSL MITM, the other between the SSL MITM and the web server. The SSL MITM copies traffic back and forth between the parties so they are generally unaware of the SSL MITM. All SSL traffic is encrypted on the wire, but unencrypted in the SSL MITM. This allows the SSL MITM to see everything and even modify traffic in either direction.

It’s surprising to see a company use an SSL MITM with its customers. When used within an enterprise, the root certificate used by the SSL MITM can be installed and trusted in employee computers because the enterprise has complete control over those devices.  But this can’t be done with the enterprise’s customers, who control their own devices.  As a result, these customers will receive a warning when they visit a secure site intercepted by an SSL MITM. It’s clear from the screen shot in the articles related to this issue that the user’s browser warned them that the site’s certificate was signed by an untrusted issuer.

What’s not clear is if Gogo performed a man-in-the-middle interception only for YouTube, or only for Google web properties, or for all web properties secured by SSL. There’s no reason to expect that Gogo intercepted only YouTube traffic. If done for all SSL traffic, it’s likely that a Gogo customer visiting their bank online, for example, would be subject to the same SSL MITM. This would be worrisome, because Gogo would then be able to collect usernames and passwords used on all such sites. Gogo’s CTO said “Gogo takes our customer’s privacy very seriously”, but Gogo’s actions raise a red flag. They could possibly have access to customer data that has nothing to do with Gogo or its services, and Internet users in a post-Snowden era are less willing to trust third parties with their personal information.

Gogo has a legitimate interest in limiting or blocking video streaming, but the way they’ve done it is far overreaching. Perhaps they hoped that customers would avoid using YouTube when they saw a scary security warning. Sadly, an unintended side effect might be to train users to ignore and to click through those warnings, which is counterproductive to the industry’s push for better end-user practices. Ultimately this would devalue all legitimate SSL certificates, and weaken the Certificate Authority/Browser trust model that Certificate Authorities and browser vendors have built and strengthened over the past 15+ years.

We urge Gogo to reconsider their actions and deploy bandwidth limiting solutions that do not involve the use of spoofed SSL certificates.

SSL; More than Encryption

      No Comments on SSL; More than Encryption
Twitter Card Style: 


While doing an online search for “SSL Certificates” and one of the ads said “$4.99, Why Pay More?”  Without clicking on the ad I know what they are going to offer me; a simple domain validated (DV) SSL certificate.  This certificate will encrypt my site’s traffic at a basic level but this isn’t 1997; the business climate and threat landscape have changed and so have our requirements for security.  SSL is more than encryption.  We have to consider trust, security, service, certificate management & reliability.  While many Certification Authorities are cutting corners to compete with each other on price, Symantec is working around the clock to continually deliver best-in-class solutions.  At Symantec we believe in these core factors as does 91% of the fortune 500 and 94 of the top 100 financial institutions in the world.  Here’s why:

1. Increased End-Consumer Trust

  • Trust Seal — Trust seals suggest that websites are safe to interact with.  The Norton Secured Seal has been shown through independent research to be the most recognized trust seal on the Internet.  Offered only by Symantec, it is seen about 4 billion times per month on websites all around the world.  The seal ensures visitors that they are communicating with organizations that not only encrypt their traffic but also are legitimate organizations that have gone through Symantec’s strong authentication screening as well.
  • Visual Cue — The “Green Bar” also represent that a site is trustworthy.   With Symantec EV Certificates, browsers will change the color of the address bar to green, serving as a cue for safe interaction.  DV certificates won’t provide for a visual cue to website visitors


2. Stronger Business Authentication and Website Security

  • Authentication — With every Symantec certificate, Symantec performs strong authentication to ensure that a website visitor can trust who they are communicating with.  Security-minded organizations realize that encryption alone is not enough and require, as a matter of policy, that all certificates issued for their organization have strong authentication.  On the other hand, domain validated certificates, like those that Let’s Encrypt intends to offer, will only provide encryption of data.   Thus, they will not prevent a credit card number or password from going to an encrypted website that may be fraudulent.
  • Scanning and Alerts — Symantec products also secure customer websites with scanning for critical vulnerabilities and active malware.  Symantec proactively notifies customers about security risks within a customer’s unique environment and provides guidance to ensure that such issues are quickly and easily resolved. 


3. Simplified Certificate Management and Live Worldwide Support

  • Management Tools — Symantec enables customers to track and manage large volumes of certificates with a wide range of tools.  Organizations are often burdened with the complexity of managing a variety of SSL certificates that may include of self-signed, client certificates or SSL certificates that chain up to public roots.
  • Accessible Technical Support — Symantec provides 24/7/365 support worldwide to ensure that customers’ sites stay up and running and secure, with an optional premium support that include SLA’s on problem escalation and resolution.  This is a critical component for organizations that need to ensure that their website operations remain.  A free offering like Let’s Encrypt rarely comes with any form of live support.


4. Powerful Technical Capabilities and Advanced Options

  • Client Ubiquity — As the longest operating Certification Authority, Symantec’s roots are in more clients than any other Certification Authority.  Organizations that want to support Always on SSL and connectivity with the greatest number of users choose Symantec to secure their transactions.
  • Advanced Certificate Options — Symantec Secure Site Pro products include both RSA 2048 bit certificates and ECC 256 bit certificates which are optimal within Perfect Forward Secrecy.  These high security, high performance certificates are the future of SSL/TLS encryption and Symantec’s ECC roots are in more clients than any other Certification Authority.
  • Best in Class Revocation — Symantec provides revocation information to clients through both the Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs).  Both of these services are updated continually to communicate certificate revocation activity to clients worldwide.  The services are tuned to provide the fastest response times possible.   In the case of websites, OCSP response times can impact page load times and Symantec has invested in its infrastructure to provide OCSP responses in about 50 milliseconds for almost every major region in the world.  


5. Reliable Security and Business  Assurances

  • Warranties — Symantec offers the highest warranties of any Certification Authority.  These warranties can cover customers for losses of up to $1,750,000 from incorrect information contained on Symantec certificates.
  • Military-Grade Data Centers — Symantec’s roots and signing services are protected by the most stringent physical, network, and logical security and process controls.   The hardened facilities provide our customers with confidence that certificate issuance for their domains will not be compromised.  With ten years of continuous uptime, Symantec’s robust continuity practices are the best in the industry.
  • Contractual Commitments — Symantec customers have a contractual commitment from Symantec to maintain their products for the term of their contract.  Let’s Encrypt, as a non-profit, open-source Certification Authority, it will be difficult to offer such contractual guarantees, given the significant expenses associated with operating a publicly audited Certification Authority.
  • Focused investment – As the world’s largest security company, Symantec has both the resources and the motivation to ensure that the our SSL products are uncompromised.  Vulnerabilities like Heartbleed have clearly demonstrated that, despite the good intentions of OpenSSL, a non-profit organization with limited resources will be challenged to keep up with the rapidly-changing security threat landscape.


Modern Security for Modern Needs

Companies that know security understand they need to use modern-day security solutions in today’s environment and that SSL is more than just simple encryption.Please keep all of these factors in mind as you are building out your webserver security plans.For more information on Symantec SSL, please visit our website.

Poodle: ???????? SSL ??????????????

      No Comments on Poodle: ???????? SSL ??????????????
SSL 3.0 の新しい脆弱性により、安全なはずの接続から攻撃者がデータを盗み出す可能性があります。

SSL 3.0 の新しい脆弱性により、安全なはずの接続から攻撃者がデータを盗み出す可能性があります。

Poodle: Vulnerability in old version of SSL represents new threat

New vulnerability in SSL 3.0 can allow attackers to extract data from supposedly secure connections.

New vulnerability in SSL 3.0 can allow attackers to extract data from supposedly secure connec…

“Poodle” security hole has a nasty bite

      No Comments on “Poodle” security hole has a nasty bite

A security hole called Poodle could allow hackers to take over your banking and social media accounts. Yesterday, Google researchers announced the discovery of a security bug in version 3 of the Secure Sockets Layer protocol (SSLv3). This web technology is used to encrypt traffic between a browser and a web site, and can give […]

“Poodle” security hole has a nasty bite

      No Comments on “Poodle” security hole has a nasty bite

A security hole called Poodle could allow hackers to take over your banking and social media accounts. Yesterday, Google researchers announced the discovery of a security bug in version 3 of the Secure Sockets Layer protocol (SSLv3). This web technology is used to encrypt traffic between a browser and a web site, and can give […]

Schwachstelle in SSL 3.0: POODLE (bzw. POODLEbleed)

A bug has been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3) which could be exploited to intercept data that’s supposed to be encrypted between computers and servers. Three Google security researchers discovered the flaw and de


Im Verschlüsselungsprotokoll Secure Sockets Layer (SSL) 3.0 (SSLv3) wurde eine Schwachstelle festgestellt, die zur Ausspähung von Daten ausgenutzt werden könnte, die zwischen Computern und Servern verschlüsselt übertragen werden sollten. Drei Sicherheitsforscher von Google haben diesen Fehler entdeckt und aufgezeigt, wie er durch einen sogenannten Poodle-Angriff (Padding Oracle On Downgraded Legacy Encryption) (CVE-2014-3566) ausgenutzt werden kann.

Hierbei muss betont werden, dass es sich nicht um einen Fehler der SSL-Zertifikate, ihrer privaten Schlüsseln oder ihrer Funktionsweise handelt, sondern des alten Protokolls SSLv3. SSL-Zertifikate sind nicht betroffen und Zertifikate auf Servern, die SSL 3.0 unterstützen, brauchen nicht ersetzt zu werden.

Diese Schwachstelle wird als weniger schwerwiegend angesehen als die Schwachstelle Heartbleed in OpenSSL, da der Angreifer eine privilegierte Rolle im Netzwerk haben muss, um sie ausnutzen zu können. Problematisch wird sie aber in öffentlichen WLAN-Hotspots. da sie Man-in-the-Middle-Angriffe begünstigt.



Obwohl SSL 3.0 bereits 1996 eingeführt wurde, wird es laut dem neuesten Bericht von Netcraft immer noch von 95 % der Webbrowser unterstützt. Viele TLS-Clients (Transport Layer Socket) schalten ihr Verschlüsselungsprotokoll auf SSL 3.0 herunter, wenn sie mit älteren Servern kommunizieren. Laut Google kann ein Angreifer, der Kontrolle über das Netzwerk zwischen Computer und Server hat, mit einem „Protocol Downgrade Dance“ in den Handshake-Prozess eingreifen, mit dem überprüft wird, welches Verschlüsselungsprotokoll der Server akzeptieren kann. Hierdurch werden die Computer gezwungen, das ältere Protokoll SSL 3.0 zum Schutz der zu übermittelnden Daten zu verwenden. Angreifer können die Schwachstelle dann ausnutzen, indem sie einen Man-in-the-Middle-Angriff ausführen und sichere HTTP-Cookies entschlüsseln, um Daten zu stehlen oder die Kontrolle über die Online-Konten des Opfers zu übernehmen. Obwohl die Webmaster bereits mit Hochdruck daran arbeiten, SSL 3.0 zu deaktivieren, und zu TLSv1 und höher wechseln, bleibt noch viel Arbeit zu tun. Wenn Heartbleed uns eines gelehrt hat, dann dass die größten Unternehmen schnell handeln, während viele kleinere Unternehmen hinterherhinken, wenn es um die Schließung kritischer Sicherheitslücken geht.

Was müssen Unternehmen tun?

Die Schwachstelle kann auf mehrere Arten beseitigt werden:

  1. Überprüfen Sie mit unserer kostenlosen SSL-Toolbox, ob Ihre Webserver gefährdet sind.
  2. Verwenden Sie Tools, die TLS_FALLBACK_SCSV unterstützen. Dieser Mechanismus verhindert, dass Angreifer Webbrowser zur Verwendung von SSL 3.0 zwingen können.
  3. Deaktivieren Sie SSL 3.0 vollständig oder deaktivieren Sie die Verschlüsselung im CBC-Modus von SSL 3.0.
  4. Eine cloudbasierte Firewall für Webanwendungen kann vor einer Schwachstelle dieser Art schützen. Weitere Information finden Sie auf unserer Website.
  5. Seien Sie misstrauisch: Betrüger könnten versuchen, Unsicherheit und mangelndes technisches Wissen mit Spam-Mails auszunutzen.

Mein Kollege Christoffer Olausson gibt einige Tipps dazu, wie sich dieses Problem bei Apache beheben lässt:

> SSLProtocol All -SSLv2 -SSLv3                   <- Entfernt SSLv2 und SSLv3

> apachectl configtest                                   <- Testet Ihre Konfiguration

> sudo service apache restart                      <- Startet den Server neu

Google gab bekannte, in den nächsten Monaten bei allen seinen Produkten die Unterstützung für SSL 3.0 zu entfernen. Auch Mozilla kündigte an, dass SSL 3.0 bei FireFox 34 deaktiviert wird, der im November veröffentlicht wird.

Was müssen Benutzer tun?


Endbenutzern, die auf Websites zugreifen, empfiehlt Symantec Folgendes:

  1. Stellen Sie sicher, dass SSL 3.0 bei Ihrem Browser deaktiviert ist (bei Internet Explorer beispielsweise unter „Internetoptionen > Erweiterte Einstellungen“).
  2. Vermeiden Sie Man-in-the-Middle-Angriffe, indem Sie kontrollieren, ob „HTTPS“ auf den von Ihnen besuchten Websites immer aktiviert ist.
  3. Beachten Sie alle Benachrichtigungen der Hersteller der von Ihnen verwendeten Softwareprodukte mit Empfehlungen zur Aktualisierung der jeweiligen Software oder der zugehörigen Kennwörter.
  4. Seien Sie wachsam und fallen Sie nicht auf mögliche Phishing-E-Mails herein, in denen Sie zur Aktualisierung Ihres Kennworts aufgefordert werden. Rufen Sie immer nur den offiziellen Domänennamen der Website auf, um nicht auf eine gefälschte Website zu gelangen.

Weitere Informationen

Symantec hat in seiner Online-Wissensdatenbank Artikel zu diesem Thema veröffentlicht:

Symantec Managed PKI for SSL


Symantec Trust Center/Trust Center Enterprise


Bleiben Sie in Verbindung

Bleiben Sie mit uns in Verbindung, um stets aktuell über Schwachstellen informiert zu sein. Folgen Sie uns auf Twitter und Facebook oder besuchen Sie unsere Technikforen zu Problemen mit der Verwaltung von SSL und Code-Signing-Zertifikaten.

Vulnérabilité SSL 3.0 – bug POODLE (ou POODLEbleed)

A bug has been found in the Secure Sockets Layer (SSL) 3.0 cryptography protocol (SSLv3) which could be exploited to intercept data that’s supposed to be encrypted between computers and servers. Three Google security researchers discovered the flaw and de


Chez Google, trois chercheurs en sécurité ont découvert une faille dans le protocole de cryptage Secure Sockets Layer (SSL) 3.0 (SSLv3), qui pourrait servir à intercepter des données a priori cryptées entre des ordinateurs et des serveurs. Ils l’ont baptisée POODLE (Padding Oracle On Downgraded Legacy Encryption), qui accessoirement veut aussi dire « caniche » (CVE-2014-3566).

Avant toute chose, notons que cette vulnérabilité touche l’ancien protocole SSLv3, et NON les certificats SSL, leurs clés privées, ou leur conception intrinsèque. Nos clients équipés de certificats sur des serveurs compatibles SSL 3.0 n’ont donc aucune raison de les remplacer.

Il semble également que cette faille s’avère moins nocive que le bug Heartbleed dans OpenSSL car son exploitation requiert des droits d’accès privilégiés au réseau. Toutefois, l’utilisation des hotspots et du WiFi public pose ici un réel problème puisque POODLE suit un schéma d’attaque par interception (Man In The Middle, MITM).



L’introduction de SSL 3.0 remonte à 1996. Or, selon le dernier rapport Netcraft, ce protocole est encore pris en charge par 95 % des navigateurs Web. De nombreux clients TLS (Transport Layer Socket) utilisent l’ancien protocole de cryptage SSL 3.0 pour communiquer avec des serveurs plus anciens. D’après Google, un pirate qui contrôle le réseau situé entre un ordinateur et un serveur peut s’immiscer dans le processus de négociation SSL (handshake SSL) utilisé pour vérifier les protocoles de cryptographie pris en charge par un serveur. C’est ce que les chercheurs appellent la « danse en marche arrière » (downgrade dance). Il pourra alors contraindre les ordinateurs du réseau à utiliser le protocole SSL 3.0 pour protéger les données en transit. Ensuite, libre à lui de lancer une attaque MITM pour intercepter des cookies HTTPS à la volée. Ainsi, il pourra voler des informations, voire prendre le contrôle des comptes en ligne de ses victimes. Et même si, à l’heure où nous écrivons ces lignes, les webmasters ne ménagent pas leurs efforts pour désactiver SSL 3.0 et migrer vers TLSv1 et des versions plus récentes, beaucoup reste encore à faire. De même, s’il est une leçon que l’on a pu retenir de l’affaire Heartbleed, c’est que les grandes entreprises sont beaucoup plus rapides que les petites structures pour corriger des vulnérabilités critiques. 

Conseils aux entreprises

Il existe un certain nombre de mesures pour neutraliser la menace :

  1. Pour savoir si vos serveurs Web courent un risque, utilisez notre service gratuit SSL Toolbox.
  2. Servez-vous d’outils compatibles TLS_FALLBACK_SCSV, un mécanisme qui empêche les pirates de forcer les navigateurs Web à utiliser SSL 3.0.
  3. Désactivez complètement le protocole SSL 3.0 ou désactivez le cryptage en mode CBC SSL 3.0.
  4. Un pare-feu applicatif Web (WAF) vous protège contre ce type de vulnérabilités. Pour en savoir plus, rendez-vous sur notre site.
  5. Méfiez-vous des e-mails d’arnaqueurs qui tenteraient de capitaliser sur le climat d’incertitude et un éventuel manque de connaissances techniques de votre part.

Pour combler la faille sur Apache, suivez les conseils de mon collègue Christoffer Olausson :

> SSLProtocol All -SSLv2 -SSLv3                   <- Désactivez SSLv2 et SSLv3

> apachectl configtest                                   <- Testez votre configuration

> sudo service apache restart                      <- Redémarrez le serveur

Pour sa part, Google a annoncé la fin du support de SSL 3.0 sur tous ses produits dans les prochains mois. Mozilla a également déclaré vouloir désactiver SSL 3.0 dans Firefox 34, dont la sortie est prévue courant novembre.

Conseils aux internautes

Symantec émet plusieurs recommandations à l’attention des internautes :

  1. Assurez-vous que SSL 3.0 est désactivé dans votre navigateur (dans Internet Explorer, allez dans Options Internet, puis dans Paramètres avancés).
  2. Pour vous prémunir contre les attaques MITM, veillez à la présence du préfixe « HTTPS » dans la barre d’adresse de votre navigateur.
  3. Restez attentifs aux avis des éditeurs et constructeurs dont vous êtes client concernant d’éventuelles mises à jour logicielles ou demandes de modification de mot de passe.
  4. Méfiez-vous des éventuels e-mails de phishing vous demandant de modifier votre mot de passe. Pour éviter de vous retrouver sur un site Web frauduleux, limitez-vous au domaine du site officiel.

Pour plus d’informations

Reportez-vous aux articles de la base de connaissances Symantec sur le sujet :

Utilisateurs Symantec Managed PKI for SSL


Utilisateurs Symantec Trust Center/Trust Center Enterprise


Restez connecté

Pour plus d’infos sur cette vulnérabilité et toute l’actualité sécurité, suivez-nous sur Twitter et Facebook. En cas de problème de gestion de vos certificats SSL et Code Signing, rendez-vous sur nos forums techniques.