Deerfield Hosting, Inc.

High Performance Web Hosting

dennis

Cpanel SSL Certificate Installation

by

To the uninitiated, using cPanel to generate and install an SSL certificate will seem complicated.  It’s actually rather simple.

Generate a new private key:

  1. Log in to cPanel and click on the SSL/TLS icon.
  2. Click on, “Generate, view, upload, or delete your private keys.”
  3. Leave the size set to 2,048; put your domain name in the description if you wish
  4. Click on “Generate”
  5. At the bottom, click on “Return to SSL Manger”

Generate a new certificate signing request based on the new key.  The “CSR” acronym stands for “Certificate Signing Request”:

  1. Click on, “Generate, view, or delete SSL certificate signing requests.”
  2. In the Key text box, select the key you just generated
  3. Fill in the Domains text box with your domain name.  Be sure to use the www prefix, www.YourDomain.com
  4. Fill in the rest of the text boxes which have an “*” next to them.  These are required.  The rest are optional.
  5. DO NOT fill in the Passphrase box!  With our SSL providers it is not needed and can cause complications.
  6. Click on “Generate”
  7. Click on “Return to SSL Manager”

Now that you have the CSR, it’s time to order the certificate.   Go to our ordering system, select and purchase your certificate.  A new service will be created in your account which you then configure using your new CSR.  Logged in to your billing account:

  1. Click on “Services” at the top followed by “My Services”
  2. To the right of your certificate service, click on, “View Details”
  3. Click on, “View Certificate Details” and then, “Configure Certificate”
  4. In the web server drop down box, select “Apache +ModSSL”
  5. Use cut and paste to put your new CSR in the box below that.
  6. Make sure you see “—–BEGIN CERTIFICATE REQUEST—–” and “—–END CERTIFICATE REQUEST—–“
  7. The rest of the boxes will self populate and you can ignore or change them as you wish.
  8. Click on “Click to Continue”
  9. Select where you want the confirmation email to be sent.  Be sure before continuing that you have access the the selected address.  An error here will cause delays.
  10. Follow the instructions in the confirmation email once you receive it.

Your new SSL certificate will be emailed to you when the confirmation process is complete.  For domain validated certificates this will be a matter of minutes.  Extended validation certificates require manual review at the certificate vendor which can take a day or more and often includes a phone call from the vendor.

Now back in cPanel, follow these steps:

  1.  In the SSL/TLS manager in cPanel, click on, “Generate, view, upload, or delete SSL certificates.”
  2. You want “Upload a new Certificate”.  Paste your new certificate into the box, “Paste the certificate into the following text box:”
  3. Click on “Save” and return to the SSL/TLS manager
  4. Click on, “Manage SSL Sites”
  5. In the box labeled, “Domain” – select the domain and click on, “Auto Fill by Domain”
  6. Click on “Install Certificate”

That’s it!  Your site is now ready to use your new certificate.

If you wish, we will do all of this for you except for the confirmation in some cases.  During your certificate purchase, select the SSL Certificate installation option if you would like to take advantage of this.

To have your entire site use your new certificate, create or edit /public_html/.htaccess so that it contains this:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Choosing the Right SSL Certificate

by

Previously we talked about why you and your site visitors should have a strong preference for secure sites.   Here we will address which certificate you should choose.

It’s all about establishing trust.  The decision is subjective.  Evaluate who your visitors are, why they are at your site and what you want them to do. If your objective is publish a blog while showing people that you respect and value their privacy, the least expensive certificate will do just fine.  If you are trying to sell products worth hundreds of dollars using credit cards, convincing people that your site can be trusted is both more important and more difficult.

It’s worth noting that in more advanced hosting setups, using a certificate will make a site load faster. There is a relatively new protocol which requires a secure connection, SPDY – pronounced “speedy”. It can improve page load times by as much as 30%. Also, Google rewards secure sites with slightly higher page rankings.

Be aware that attitudes are changing.  Frequent news about the latest hacked site or company is gradually making people more cautious.

There are 2 important visual cues to your site visitor that they are at a secure site: a site seal and a green address bar.  Also, in Google Chrome you may see a green padlock.  Other browsers generally give some indication you are at a secure site, but it’s less obvious.

Site Seals

Virtually all certificate purchases include a site seal to display on your web site.

comodo_secure_100x85_transp thawteSiteSeal SymanticNorton RapidSSL
positivessl GeoTrustQuickSSLPremium GeoTrustEV ComodoEVSSL

The more recognizable the seal, the more it will engender some degree of trust. But you need to weigh this against cost. The Norton / Symantic seal comes with certificates which cost $500 and more.  The Comodo Positive SSL seal comes with a $9 certificate.

The Green Bar

If you go to Deerfield Hosting, you will notice that the company name is written in the address bar in green.  Deerfield Hosting uses an extended validation certificate.   The certificate authority (CA) took additional steps to verify the identity of Deerfield Hosting, Inc.  They are willing to be held accountable for certifying that deerfieldhosting.com is run by Deerfield Hosting, Inc. up to a liability limit of $500,000.  The liability limit for the certificate on this site is $10,000.    All the CA did before issuing the certificate used here is make sure that the domain name registration is controlled by the same people who were trying to buy the certificate.

Attributes of authority signed SSL certificates

  1. Validation – How the CA checked up on the company or individual who ordered the certificate.
    • Domain Validated – verify that the domain is owned by the person or entity ordering the certificate
    • Organization Validation – verify domain ownership and that supplied company information is accurate (but no green bar)
    • Extended Validation – verify domain ownership and that supplied company information is accurate

    The benefit of extended validation is the company name in green in the address bar, signaling that the identity has been more rigorously established.

  2. Number of Domain Names – The certificate may work for one site or more than one.
    • Single site: generally example.com and www.example.com, but might be others like store.example.com
    • Wildcard: a single certificate which works with sub-domains of a single domain. For example, blog.example.com, store.example.com, www.example.com
    • Multiple Domains: a single certificate which works with domains which (in general) have the same ownership. For example, deerfieldhosting.com and deerfieldhosting.net

  3. Warranty – CA liability limit. Ranges from none to $1.75 Million.  Note that this is NOT in any sense insurance.  Many sources imply or incorrectly state that it is.

Anyone can create a certificate and self sign it.  This will work fine for encryption, but web browsers will pop up a warning to let you know that no identity validation is in place.  When a site does not need to provide identity assurance because no visitors are total strangers, a self signed certificate is adequate.  On the other hand, few people fully understand the warning.  Not having to bother with explanations may be worth the low cost of a basic certificate.

The encryption provided by any brand or type of certificate is as good as any other brand or type.  While it is possible to generate a too weak certificate, no vendor will provide you with a certificate which is too weak.

In modern browsers, the certificate is only used to establish identity and begin a secure session.  The browser and the server together decide how to go about encrypting the session and then generate new keys to use it.  At this point the work of the certificate is complete and it’s no longer a part of the encryption process. What we are talking about is called perfect forward secrecy. Every session getting encrypted separately.  This is up to the browser and the web server configuration, not the certificate.

As an aside, you can test the safety of supposedly secure sites at SSL Labs. You may be surprised as I was to discover that your online banking pages get low marks.  Until I complained, my bank was getting an F.

 Recommendations

  • Selling products and taking credit cards – Get the green bar with an extended validation certificate.  Your visitor to customer conversion rate will justify this unless your volume is very low.

  • Selling products using Paypal – If you can afford it, get the green bar.  It will improve sales on most sites more than enough to pay for itself.

  • Multiple Domains or Sub Domains – Do the math.  Break even on cost with a wildcard certificate is about 10 sub domains.

  • Warranty – This is only relevant if money is changing hands or the site relates to that in important ways.  Organization validated certificates get you a better warranty, but for slightly more money you get the green bar.

  • Informational or Promotional Sites– Showing your visitors that you respect their privacy and getting the rankings boost is almost certainly worth the cost of a basic certificate

Why HTTPS? – Privacy!

by

Most people have no idea that their personal information is being leaked all over the place when they use the Internet.  If your initial reaction is that you don’t care because you have nothing to hide, it’s time to re-evaluate that position.  Someone who gets possession of your personal information can ruin your reputation and steal your identity.  If you don’t want to live through that nightmare, you need to take steps to avoid it.  More is leaking than you know and and more can be done with it than you think.

It’s not just criminals that should be a concern.  For example, Verizon engages in some questionable practices and is far from alone.

Do you have “block third party cookies” turned on in you browser? If not, turn it on! Are you using a browser not capable of that?  Stop using it!

It should be abundantly clear by now that it’s not a good idea to blindly trust the security provided by most companies.  It seems that every week there are revelations about a new security breach, costing the loss of personal information from thousands and sometimes millions of people.

Bigness does not in any way imply a company is on top of security.  It’s more likely to mean the opposite because as size increases, security becomes more complex.  Neither is it reasonable to assume that companies which would suffer huge losses from a security breach are on top of it.  It’s a moving target and staying on top if it is difficult.

Some months ago I tested the banking online pages at my bank.  They got an F.  This is one of the largest banks in the United States and they got an F.  When I called them, they arrogantly and vehemently denied any problem.  3 days later I tested them again and they got an A.  Obviously, someone had to wake them up.

Testing sites you use which need to be secure can be done at: SSL Labs.  You will be surprised at the vulnerabilities in common sites.  Try www.walmart.com at that site.

The things to think about are:

  1. Authentication – Is who I am talking to the same as who I think I am talking to?  This was the problem at my bank.  The site was open to impersonation with a vulnerability called cross site scripting.
  2. Data Integrity – Is what I am seeing correct?  Has it been tampered with?  When I submit information in a form, is the same information being recorded at the other end?
  3. Encryption – Can anyone eavesdrop on the conversation?

This is expanded upon in a video from Google:

 

One big take way from that is that the problem is not the leakage of specific information.  It’s the leakage of patterns of behavior.  That may seem ephemeral, but coupled with tiny bits of specific information it can turn you into a ripe target.  As the general public becomes more aware, preference for sites using https is increasing.  This is a good thing.

Last August, Google announced that sites using encryption would get a boost in search rankings in a blog post titled HTTPS as a Ranking Signal.  Anyone running a web site should be running a secured site.  The tiny expense is well worth the benefits.

WordPress – Attack Traffic

by

We have recently seen a huge increase in attacks on WordPress sites.  On some sites, the attacks are intense enough to run into resource limits.

The first thing to think about when fending off attacks is how to do so while consuming the minimum necessary resources.

The second thing to think about is how to make your site resource efficient.   Many themes and plugins are poorly written, driving up resource usage.  This is particularly true of commercial offerings.   Developers tend to include as many features as possible to increase sales.  Often, they haven’t thought about resource consumption.  On sites with low volume levels this doesn’t matter much.  But when volume goes up, driven by legitimate visitors or attackers – it starts to matter.  With plugins, less is often more.  Fast sites create the best impressions.

Always keep your WordPress site up to date.  Not doing so invites attacks.  This is much easier since WordPress 4 because it will automatically update itself.  Vulnerabilities are discovered frequently in WordPress itself and in plugins and themes.  It’s relatively easy for attackers to find outdated vulnerable sites.  Once a site is identified as a target, attackers swarm all over it.  And the attacks continue long after it is updated.  You want to stay ahead of this.

The only security plugins we recommend are Word Fence and Anti-Captcha.  Combined, they do everything you need with minimal resource consumption.  The vast majority of attacks are attempts to log in, trying different user names and passwords using scripts.  Anti-Captcha (or any other CAPTCHA) makes this much harder for them by discarding login attempts which do not contain the necessary tokens.  This happens before much code is loaded,  keeping resource waste way down.  A CAPTCHA will virtually eliminate comment spam as well.

Many security plugins are grossly inefficient.   Some work by adding IP addresses to your .htaccess file, which is a very bad idea.  Attacks come from many different IP addresses which  constantly change.  It’s a waste to block addresses which were attacking you for a few minutes or a few hours and then are never seen again.  You don’t want WordPress to try matches against thousands or potentially tens of thousands of addresses on every connection.  The thing to do is block attacking addresses for only an hour or a few hours.

Recommended Word Fence Settings – You may find additional settings useful or interesting.  This is not an exhaustive list.

  • Important: Alert on critical problems – This will send you emails when plugins and themes need updating.
  • Alert me when someone with administrator access signs in
  • Enable all scan options except outside WordPress, images, high sensitivity, word patterns.  Some of these are sometimes of use.
  • Immediately block fake Google crawlers
  • If anyone’s requests exceed 10 per minute: block
  • If a crawler’s page views exceed 60 per minute: block
  • If a crawlers pages not found exceed 5 per minute: block
  • If a human’s page views exceed 20 per minute: block
  • If a human’s pages not found (404s) exceed 3 per minute: block
  • If 404’s for known vulnerable URL’s exceed 1 per minute: block
  • How long is an IP address blocked when it breaks a rule: 1 hour
  • Enforce strong passwords: ALL
  • Lock out after how many login failures: 3
  • Lock out after how many forgot password attempts: 3
  • Count failures over what time period: 5 minutes
  • Amount of time a user is locked out: 6 hours
  • Important: Immediately lock out invalid usernames: Yes
  • Don’t let WordPress reveal valid users in login errors
  • Prevent users registering ‘admin’ username if it doesn’t exist.
  • Never use ‘admin’ as a user name.
  • Prevent discovery of usernames through ‘?/author=N’ scans
  • Hide WordPress version
  • Hold anonymous comments using member emails for moderation
  • Filter comments for malware and phishing URL’s
  • Check password strength on profile update
  • Important: Participate in the Real-Time WordPress Security Network
  • Important: Live traffic: OFF – when you are not actively watching it.
  • Cache: Disable all performance enhancements.  In our experience, they cause worse performance.
  • Scan schedule: use the defaults
  • Advanced blocking: use with caution and only if you have a specific problem to solve
  • Country blocking is a paid option and is generally not a good idea or necessary
  • Blocked IPs – use manual IP blocking only if you have a very good reason.

When you are under attack, immediately blocking invalid user names is extremely valuable to reduce resource waste.  It’s worth repeating that you should never use ‘admin’ as a user name.  Admin is the default user name and the first name attackers will try, which immediately identifies the connection as an attack.  Starting to block the source address immediately is a big win.

We offer highly optimized hosting for Word Press which includes additional security enhancements.  As of this writing it is not described on our website.  Please feel free to ask questions about this.

Blocking High Bounce Rate Email Accounts

by

Your email account with us may be affected by our improved anti-spam systems.  If it is, you need to know what to do about it to minimize the inconvenience.

The number of spammers making use of snowshoe spamming has recently increased dramatically.  The practice is called that because the load of getting out for example a million spam emails is spread out over thousands of compromised computers.  It is easier to evade detection because each individual machine is sending a relatively small number of emails.  They stay under the radar so that the machine owner remains unaware.

Our first line of defense is blocking IP addresses of compromised machines.  If you get a message when you try to send an email which begins “Blacklist Reject”, it means the IP address your computer is using is on a list.  Your machine may have been compromised or your local service provider may have recently assigned to you an address of another machine which was.  What you need to do is check for a compromise or change your IP address.  A phone call to your service provider may  be necessary.  Other than providing advice, we can’t help with this.

The second line of defense is based on tracking the bounce rate of every email account.  We track bounces as a percentage of all sent emails and if it is too high, there is about a 99% probability (not an exaggeration) that there is some sort of compromise. The most reliable indicator of spamming is higher than normal bounce rates. Normal bounce rates are under 1%, if people are paying attention. The block threshold we use is 3%.

You need to receive and read your bounce messages to avoid getting innocently blocked.  If your email client (Outlook, Windows Mail, Thunderbird) sets the “Return-to” address to an address you do not check or you discard emails from “Mailer-Daemon”, you won’t have a clue when there is a problem.  If your account gets blocked, the bounce message will include a link to the mail server where you can remove the block.

A recent security study found that 37% of computers with Internet connections are being operated by remote users. That is, they are under the control of criminals. Often, user logins with passwords are sold by these people. With the new system, we have so far identified more than 5,000 computers which were logging in to our servers with valid passwords and sending spam.

Please understand that it is essential to protect the integrity and reputation of our mail servers, even if it means occasionally causing inconvenience. The purpose of the unblock webpage is to mitigate the inconvenience.   In a sense, you should be glad if you get inconvenienced in this way. It is an early warning that you have a serious problem.  A compromise could turn into problems such as identity theft and worse.

The good news is that we actively pay attention to keeping your email safe and secure.

 

DMARC

by

The handwriting is on the wall.  Sending email using your own domain name is about to get more complicated, but also more reliable – if you take the right steps.  If you don’t, you will find that more and more of your email fails to get delivered, filtered out as spam.  The reason is DMARC.

The acronym stands for, “Domain-based Message Authentication, Reporting & Conformance”.   What that means is giving recipient email servers much more information.  You can get the details from the DMARC website, but basically it’s a much more reliable way of separating legitimate email from mail sent by scam operators.  It’s important to you because it is gaining traction with all the large email service providers.

DMARC expands on 2 older email authentication techniques, SPF and DKIM.  SPF stands for, “Sender Policy Framework”.  It gives recipient mail servers some clues about where email should come from.  It enumerates the email servers which send your email and (among many other things) lets you specify what to do with email not from those servers.  

DKIM is the technique of signing outbound emails with a key value which the recipient server can independently verify as belonging to your domain.  Both have been in use for many years and are routinely considered when evaluating whether an email is spam or not.  Both suffer from the shortcomings of the way email works and is used.  They help with, but come no where close to solving the spam problem. 

For example, if you were to put in place an SPF record which says that all email from you originates from a specific email server, about 1/3 of your email would bounce.  Roughly that much email is handled in one way or another by forwarders and there is no acceptable way to trace a specific email back to the source.  DKIM was invented to address the shortcomings of SPF, but has shortcomings of its own.   When you factor in forwarders, auto responders, list servers, catch-all email addresses, spammer tactics and counter measures, what you find is that the number of special cases is huge.

Efforts to retrofit the system with standards and methods which solve the problems have generally met with resistance, low acceptance and sparse implementation.  People want their email to “just work” without having to understand anything about it and without having to deal with spam and in any way they can imagine and it had better be reliable and fast as well.  Accommodating complex and conflicting demands has created a complex and conflicting environment.

Thousands of email servers are are misconfigured, compounding the problem.  That includes mail servers at many large companies, government agencies, service providers and especially at universities.  Email was designed for an environment very different from what the Internet has become.  It’s reasonable to call the entire system as it exists now, a mess.

What is different about DMARC is that many large service providers are finally willing to step on some toes.   The threat from phishing scams, large networks of compromised computers, espionage and criminal enterprises has become too great to ignore.  Among the service providers to implement and enforce DMARC policies are: PayPal, Yahoo, AOL, Google, Microsoft, Hotmail, Comcast, Facebook and Twitter.  Some 80,000 domains are protected with DMARC policies.   Enforcement has meant breaking certain kinds of email use.  For example, you can no longer set the from address to [someaddress]@aol.com on an email which will be sent from a non-AOL mail server.  It will bounce when sent anywhere which considers DMARC.  Although somewhat apologetic about it, AOL is now enforcing DMARC policies.  AOL is just one of many.  And this example is just one of many things DMARC will change.

We are often asked what can be done to prevent spammers from hijacking email addresses.  We mask how common this is by refusing returns of emails not sent by our servers.  Spammers always forge from, reply-to, and return-to addresses.  It’s a good question because anti-spam measures are turning more and more to reputation based metrics.  Because there are so many uninformed email users and mail server operators, these forgeries can and do damage reputations.  DMARC nearly eliminates this problem.

DMARC is a golden opportunity for reputation based spam filtering.  It’s presence allows immediate and unequivocal rejection of a lot of spam.  Since its presence on a particular domain implies “not spam”, what is the effect of its absence?  In our spam filtering process the vast majority of spam is easily identified, but that still leaves a huge amount for evaluation.  As DMARC becomes more widely used, its absence is a more clear indication that any given email is from an unreliable source and is spam.

The bottom line is that deploying DMARC on your domain is something you need to get done.  And as time passes it will get more important.

We are available to answer questions and help you get this done.