Categories
Articles Hosted Cloud Apps News Technology Web Security Web Security

Understanding Role of Code Signing Certificates in Mobile Application Security

Mobile Applications have met with wide acceptance globally, thanks to their easy installation, streamlined interface, great user experience, and the ability to download them easily via online and offline stores. They lower the technical barriers and offer a simple and enjoyable user experience.

Mobile application has become a giant business in the last few years, and is still growing, opening multiple doors of opportunities for software developers. Customers spend a fairly good amount of money on mobile applications because although there is no dearth of free applications out there, they come with a trial period. In 2012, it is estimated that consumers spent approx. 14 billion dollars on downloading mobile applications. A number as big as that indicates a rapid evolution of mobile applications in the technology arena , and with this evolution are increasing security risks, which make mobile devices vulnerable to online fraud.

A recently released report says more than 28% of android apps and 34% of apple apps are based on the user tracking function, which puts the user data in even greater danger. Why? Because, instead of making a malware program, it is easy for hackers to hijack the application and steal the data of the user. All they need to do is change a few lines of code and inject malware to steal user’s information.

Self-Signed Certificate
Many storefronts and websites recognize the gravity of such attacks and take proper steps for application security. Most of them rely on digital signatures to verify the identity and reliability of application developers. However, that is not enough. Many websites and online stores will show you a ‘self signed certificate’ to indicate software’s security as such certificates are signed and authenticated by a person himself and not by trusted authorities. This is where a code signing certificate comes in the picture.

Code Signing Certificate
Code Signing Certificate plays a vital role in checking reliability of a third party application provider. It assures customers about the code integrity; that the developer who built a particular application is legitimate and the code has not been changed since it was signed.

How Does Code Signing Work?
Code Signing Certificate provides surety of each piece of code and manifests the identity. Below is the process of the Code Signing Certificate.

  • A Certificate authority validates software developer’s identity and authenticity.
  • Certificate authority then issues a developer ID which is used to sign a code.
  • The developer then utilizes code with the developer ID and signs files and sends them to certificate authority.
  • Finally, the re-signed and authenticated content is ready for distribution.

Time Stamping
A code that is being signed by a Code Signing certificate is reliable for a certain period and after that you have to renew it. In case if it is not renewed then your certificate will become worthless. To avoid such situation, Time stamping feature is necessary for a Code Signing Certificate. When you sign a code, a hash of your code is sent to a certificate authority for time stamping. Time stamping is essential when you allocate signed documents and assures that the code will not lapse when the certificate expires. If you ignore time stamping, then you have to resign your code and re-send out to customers. A warning “Unknown date and time” will come out when the file has not been time stamped.

Conclusion: Code Signing is essential for mobile device manufacturers, network platforms and software developers. These three are connected with each other in the mobile application market. Code Signing certificate helps developers in increasing downloads and thereby earning more revenue with distributing high volume of software.

Categories
Articles Domain Hosting Technology Web Security

Learning How to install a Wildcard SSL certificate in WHM and Common Compatibility Errors

Last decade has seen a phenomenal growth in the usage of Internet. Accepted round the globe unanimously with wide arms, Internet has now become a part of everyone’s daily life. Everybody is now online, and in more ways than one would’ve imagined. People use Internet for checking news, keeping a tab on their favorite sports, listening music, watching movies, professional conversations, interacting with new people, online shopping etc.

Online shopping is easy, ubiquitous, provides a broad range of options to choose from, and most importantly saves time. Businesses now realize the importance of being online, and most of them have websites showcasing and selling their products. But it isn’t that easy to turn a visitor on your website into a customer.

Netizens today are smart and well aware of the security threats online that can jeopardize their confidential data. They need assurance that you are genuine, your website is genuine and most importantly that you’ve proper security system in place to ensure the safety of their confidential information like credit card details, personal details, transaction info, etc.

A majority of online businesses hence use SSL certificates to reflect their reliability. SSL certificates not only secure the online transactions but are also visible proof that the particular website that showcases them is genuine, secure and reliable. But SSLs can be expensive at times.

Say your website has multiple sub-domains, such as yourwebsite.com, blog.yourwebsite.com, login.yourwebsite.com etc. A conventional SSL certificate will only secure one of these domains; to secure others, you’ll have to buy multiple SSLs, which will be capital intensive. If a potential customer visits blog.yourwebsite.com instead of yourwebsite.com and his browser warns him that this page is probably not secure, he might back off.

This is where WildCard SSLs come into the picture. A single WildCard SSL can protect multiple sub-domains on a single server and IP address, thus providing you both convenience (as you don’t need to administer several separate SSL Certificates for each sub-domain) and affordability.

WildCard SSL Certificate provide the same stringent level of security, as they hold the same encryption and decryption technology as other conventional certificates. All you need to do to secure multiple domains with WildCard SSLs is that at the time of installation, just add an asterisk (*) in the subdomain area of the common name, which you want to be protected. For instance, if you configure *.yourwebsite.com, you can secure www.yourwebsite.com, photos.yourwebsite.com, blog.yourwebsite.com, payment.yourwebsite.com and so on. The * hence represents the wildcard part of the SSL certificate. * can be any sub domain that you want to secure with the same base domain.

For a detailed idea of how WildCard SSLs work, please refer to my previous post.

How to Install a Wildcard SSL certificate in WHM

  • Login to your Web Host Manager (WHM) control panel.
  • Go to the left menu and click on ‘Install a SSL Certificate and Setup the Domain’.
  • Now Copy and paste the contents of your WildCard SSL Certificate (yourwebsite.crt) into the first text area. Access the text version of your certificate by opening it with a text editor. Remember to include the BEGIN and END tags while copying and pasting the certificate.

    Copy Certificate to Notepad and include the BEGIN and END tags
    Copy Certificate to Notepad and include the BEGIN and END tags
  • Let the rest of the text areas to be automatically filled.
  • Double check that the SSL key and CA bundle are accurate.
  • Now change the WildCard domain name to match the actual account domain name.
  • Ensure that the username and IP address match the actual account involved.

Common Compatibility Errors with WildCard SSL Certificates
While most of of the platforms and devices are thoroughly compatible with WildCard SSLs, there are some which might have issues. For eg. if a certificate isn’t trusted by a customer’s mobile browser, he/she may face compatibility issues on his mobile device. This particular error is rife with old Windows Mobile 5 devices.

In addition, Microsoft Office Communication Server, Microsoft Lync Server and Oracle Wallet Manager do not accept wildcards. Likewise, there are some outdated and ‘Basic’ versions of browsers that don’t support a “Certificate Request”, thus making the certificate look invalid due to lack of verification.

The only way to prevent such unfortunate errors is to purchase WildCard SSL from a trusted provider of WildCard SSL Certificates that issues a certificate which most users’ browser can rely on.

Wrapping things up!
As already mentioned, WildCard SSL is a great product which gets rid of individualized costs and provides easier web security administration in a cost-effective manner. However they too have their own share of limitations, one of them being the compatibility issue mentioned above. IT Professionals and Web Security Experts should hence carefully gauge which domains and sub-domains they want to protect and the effectiveness of the WildCard SSL Certificate in protecting them to reap the benefits properly.

Categories
Articles Cloud Domain News Technology Web Security

A list of Frequently Asked Questions about WildCard SSL Certificates answered by RapidSSLonline

A WildCard SSL certificate has many advantages over a conventional SSL certificate, the most important one being it’s ability to secure not only your website URL, but also an unlimited number of its subdomains. Needless to say, a product with such benefits does attract interest of a large pool of customers.

At RapidSSLOnline, a Certificate Authority of a wide range of brands such as VeriSign (Now Symantec), GeoTrust, Thawte, and RapidSSL, we come across a lot of such customers on a daily basis, who are curious about this product, and have a variety of questions to ask before making a decision to buy it. And hence this post.

A follow up to my last article, which provided a brief overview of WildCard SSLs, this one aims to address most frequently asked questions on the web about the same and clears air about WildCard SSL security and how it works to protect small and wide level e-Commerce business over the web.

WildCard SSL multiple sub domains SECURITYWhat is a WildCard SSL Certificate?
WildCard SSL Certificate holds the same encryption and decryption technology, which protects user’s confidential information while transferring it on the web, and additionally, it protects multiple sub domains on a single server and IP address. Every Wildcard begins with an asterisk * or “star”. The star represents the wildcard part of the SSL certificate. The star can be any sub domain that shares the same base domain.

Which level of businesses need WildCard SSL security?
It is a highly recommended SSL security solution to medium and wide level e-Commerce websites.

What strength of encryption does WildCard Certificate hold?
It holds the advanced 256 bit encryption strength for single and multiple sub domains protection.

What level of security is included in WildCard Security SSL?
It protects a Fully Qualified Domain Name (FQDN) and Sub Domains on a Single Server and IP address.

Which brand’s WildCard SSL security holds an unlimited server license?
RapidSSL and GeoTrust. These are two major brands whose WildCard SSL certificate security holds an unlimited server license.

What is the issuance time of WildCard SSL security certificate?
It can be issued within few minutes for a single Domain Name.

What all web browsers are compatible with a WildCard SSL certificate?
Here is a list of web browsers most compatible with WildCard Cert.

  • IE 5+, 6+, 7+, 8+
  • Firefox 1+, 2+, 3+
  • Netscape 4+
  • Opera 7+
  • AOL 5+
  • Safari

What validation method does WildCard Certificate hold?
It holds a complete domain validation.

Does it include trust mark or site seal feature?
Yes! Its includes the trust mark or site seal feature, which is essential to gain trust and confidence of the users.

How does one generate WildCard SSL Certificate CSR for any web server?
It is the same process, which holds other Domain Validated SSL certificate CSR. However, during the WildCard SSL generation, the common name should be *.yourdomain.com. To get a better idea about WildCard SSL Certificate CSR generation, click here.

Is WildCard SSL security android validated?
Yes, it is an Android Validated SSL security.

What is the difference between EV SSL and WildCard SSL?
EV SSL certificate is a complete domain authentication which protects single qualified domain only on a single server and IP, whereas WildCard SSL is domain authenticated security, which protects sub domains and as well as main domains on single server and IP.

To see a list of Frequently Asked Questions about EV SSL Certificates, please click here.

Categories
Articles Legal News Technology Web Security Web Security

Frequently Asked Questions about EV SSL Certificates answered by RapidSSLonline

RapidSSLonline, an SSL security specialist, addresses some valuable questions and answers, which according to them are most frequently asked on the web.

What is an EV SSL Certificate Security?
EV SSL or Extended Validation SSL certificate is one of the most toughest and trusted SSL certificates, which is especially produced to protect wide level e-Business web servers and their users’ information, while it is being transferred between web browsers and servers.

What type of validation does an EV SSL certificate contain?
An EV SSL certificate issued  to any web organization contains complete Domain and Business Authentication details.

What are some major advantages Extended Validation SSL certificate has when compared to a Standard SSL?
One of the greatest advantages of obtaining an EV SSL certificate is getting the green address bar status, which immediately alerts consumers that the site they are visiting offers the highest level of security.

Extended validation certificates offer online businesses the highest level of encryption, generally between 128-256 bit encryption. This ensures that all data transmissions are encrypted to the maximum, with virtually no chance of sensitive information falling into the hands of a third party.

What is a Legal Opinion Letter of EV Certificate?
It is a professional opinion letter from Certified or Licensed Attorney for Extended Validation SSL certificate issuance. All major Certificate Authorities such as Symantec, GeoTrust, and Thawte require Legal Opinion Letter before EV issuance to any organization.

What encryption level does EV SSL contain?
EV has the toughest protection encryption such as 256 bit with 2048 bit CSR key generation.

How much time is needed for issuance of an EV SSL certificate?
It needs 10 to 15 business days for issuance of an EV SSL certificate.

What all web browsers are compatible with an Extended Validation SSL Certificate?
Here is the list of web browsers, which are the most compatible to EV cert.

  • Firefox 1+, 2+, 3+
  • IE 5+, 6+, 7+, 8+
  • Netscape 4+
  • Opera 7+
  • AOL 5+
  • Safari

How much warranty amount does an  EV SSL certificate contain?
An EV SSL certificate contains  a minimum of $500,000 and maximum of $1,500,000 warranty.

Does EV security support mobile devices?
Yes it does! Secure site pro with EV security from Symantec supports mobile devices, which is also the toughest security solution on the web.

What is the difference between EV SSL and WildCard SSL?
EV SSL certificate is a complete domain authentication which protects single qualified domain only on a single server and IP, whereas  WildCard SSL is domain authenticated security, which protects sub domains and as well as main domains on single server and IP.

Categories
Infographics News Web Security

Why EV SSL Certificates are the Way to Go When Needing an SSL Solution

Are you managing an online web store? Consumers are now shopping online more than ever, learn how consumers decide who to trust before entering their credit card details.

Categories
Articles News Web Security Web Security

What is a Code Signing Certificate and How Does it Work?

There is a common misconception that Security certificates are just for Web servers. Many certificates, and code-signing certificates in particular can be useful in a plethora of fields; they can make your enterprise more secure, make your software more accepted, and even stop malware in its tracks. A Code Signing Certificate is a technology which includes the process of validation for publishers of software, content, code, and scripts based on a digital signature to authenticate their identities to web users. In addition to identifying the identity of the publisher, code signing also protects the code from being tampered with.

How to get a Code Signing Certificate?
Code Signing Certificates depend on a digital signature technology, which is issued by an internationally trusted third party called Certificate Authority (CA). A Code Signing Certificate from a trusted Certificate Authority (CA) will identify the software and publisher as trustworthy. For example, VeriSign / Symantec and Thawte utilize digital IDs for application designers. When a programmer applies for a digital ID, it is necessary to provide confirmation of identification. A public/private key couple is produced when the certificate is issued. The key continues to be on the requester’s computer and is never sent to the CA and should not be shared with anyone. The community key is presented to the CA with the certificate.

Once the certificate is issued, the developer uses the private key associated with that group key to sign the content, code, or script. When web users download the signed code, they get a copy of the certificate to authenticate the identity of the publisher/author. The Web browser verifies the digital signature, and the user trusts that the code did indeed come from that particular developer.

What happens when a Code Signing Certificate is issued:

  • The code is put through a one-way hash function. This creates a “digest” of fixed length.
  • The developer’s private key is used to encrypt this digest.
  • The digest is combined with the certificate and hash algorithm to create a signature block.
  • The signature block is inserted into the portable executable file.


Steps of Authentication Process When Code is Downloaded From Another User:

  • The certificate is examined and the developer’s public key is obtained from the CA.
  • The digest is then decrypted with the public key.
  • The same hash algorithm that was used to create the digest is run on the code again, to create a second digest.
  • The second digest is compared to the original.


Advantages of using a Code Signing Certificate:

Protects Your Code
A digital signature indicates that a piece of code belongs to you and has not been corrupted with malware. Unsigned code presents frightening warning messages in an attempt to limit the chance of malicious code harming a user’s PC, device, or network.

Increases Adoption
Because of the proliferation of malware disguised as legitimate software, customers view any software downloaded from the Web with extreme suspicion. Unexpected warning messages from their OS or browser such as those resulting from unsigned code, no matter how benign, cause many users to cancel the install.

Protects Your Reputation
Consumers expect a smooth installation process; warning messages look unprofessional and create suspicion. Code Signing allows you to forgo these types of messages and helps you train your customers to only trust digitally-signed code.

Meets the Requirements of Your Partners
Your partners and distribution channels want to ensure that they are not risking their reputation and their customers’ safety by distributing your code. Digital signatures allow them to verify that the content they are sharing is legitimate.

Simplifies Monitoring and Enforcement
A digital signature using a Code Signing Certificate helps identify the authenticity of signed code, making it easy to screen for modified files. With a DigiCert Time-stamp, any signed code remains valid even after the certificate expires. The time stamp tells users that you had a valid certificate when the software was signed.

Categories
Articles Legal News Web Security Web Security

Green Address Bar SSL- A Secret of Online Success

While SSL certificates are the current gold standard for online businesses and e-commerce websites, many people remain unaware that there are a number of different types of these certificates. In fact, there are a few different SSL certificates available to these online business sites, with the extended validation (EV) SSL certificate providing the highest level of online security.

Green Address Bar SSL- A Secret of Online Success

The security capabilities of a SSL certificate are directly related to the level of encryption used. Extended validation certificates offer online businesses the highest level of encryption, generally between 128-256 bit encryption. This ensures that all data transmissions are encrypted to the maximum, with virtually no chance of sensitive information falling into the hands of a third party.

One of the greatest advantages of obtaining an EV SSL certificate is getting the green address bar status, which immediately alerts consumers that the site they are visiting offers the highest level of security. The video below will help you get a better hold of the idea:

The main advantage of an EV SSL Certificate is “Trust & highest assurance” to your customers as an SSL certificate authority conducts strong business validation for issuing EV SSL Certificates. EV certificates offer the highest data encryption and browser compatibility. They supply complete business information of the entity along with business name, locality, contact info and the validating certificate authority name. This increases a potential customer’s confidence and makes it more likely that they do business on that particular site. It also increases conversions online. Below are the images showing that how your website address bar will become different in all major browsers if your website carries an EV SSL Certificate.

The EV SSL certificate not only actively combats phishing attacks, but also increases consumer trust, reduces shopping cart abandonment and helps build a business’s long-term revenue. While all SSL certificates provide encryption, the EV SSL certificate provides the ultimate online security and significantly boosts consumer confidence. The green address bar is the ultimate internet standard for online businesses, book bloggers in India, and e-commerce sites.

About Author:
James Labonte, is a Retail Director at The SSL Store™.The SSL Store™ is an one of the largest SSL Certificate Providers in the World & authorized platinum partner of Symantec. You can reach James on Google+, Twitter and Facebook.