Showing posts with label security. Show all posts

Wednesday, May 27, 2015

Comodo Positive vs. Essential SSL: What's the Difference?

Comodo Positive and Comodo Essential SSL certificates are extremely popular products for customers around the world. Their popularity stems from their low cost and fast issuance: both are domain-validated certificates, so the recipient only has to prove control of the domain to be covered. Both also give you the same industry-standard encryption; the 128- or 256-bit strength is negotiated between the browser and the server and does not depend on which of the two certificates you buy. So what exactly sets them apart, and why pay more for an Essential when you could get a Positive? The real difference lies in the site seals.
Site seals are the badges that customers associate with safe shopping. The more recognised or trusted the seal, the more comfortable a customer is likely to feel making a purchase on the site. Site seals are one of the main differentiators between otherwise similar SSL products, since they can have a direct effect on conversions.

The site seal provided with a Comodo PositiveSSL is a branded "Positive" seal, with the Comodo name barely visible. Many users do not know what SSL stands for, nor that PositiveSSL is a security product. The "secured by Comodo" text at the bottom of the seal only adds to the confusion, since the seal is not in Comodo's colours and does not look like it comes from the same company. People in the industry understand that a PositiveSSL provides the same industry-standard encryption, but the average consumer is far more trusting of a widely recognised and respected brand such as Comodo.

Tuesday, January 27, 2015

cPanel, Inc. has released EasyApache 3.28.2 with PHP versions 5.4.37 and 5.5.21.


cPanel, Inc. has released EasyApache 3.28.2 with PHP versions 5.4.37 and 5.5.21. This release addresses CVE-2015-0231, CVE-2014-9427, and CVE-2015-0232 by fixing bugs in the Core module, the Exif extension, and CGI. We strongly encourage all PHP 5.4 users to upgrade to version 5.4.37 and all PHP 5.5 users to upgrade to version 5.5.21.

AFFECTED VERSIONS
All versions of PHP 5.4 through version 5.4.36
All versions of PHP 5.5 through version 5.5.20

SECURITY RATING
NIST's National Vulnerability Database has given the following severity ratings to these CVEs:

CVE-2015-0231 - MEDIUM

PHP 5.4.37
Fixed a bug in the Core module related to CVE-2015-0231

PHP 5.5.21
Fixed a bug in the Core module related to CVE-2015-0231

Friday, October 24, 2014

SHA-1 Sunsetting, Google, and Your Next Steps.


What is happening, and what was happening?

The SSL industry and the CA/Browser Forum have planned the "sunsetting" (deprecation) of the SHA-1 signing algorithm for quite some time. However, that plan was built mainly around Microsoft's intention to stop trusting SHA-1 certificates in 2017. This was widely understood to be the schedule CAs would follow, so preparation for moving from SHA-1 to its successor, SHA-2, would not have been necessary for many months.
However, Google recently announced, in stark contrast to Microsoft's plan, that it is implementing its own SHA-1 sunsetting timeline, beginning on September 26th 2014.
This timeline has three distinct stages, each degrading the visual security indicators in Google Chrome (padlock, green bar) for SHA-1 signed certificates that meet specific criteria (see "What certificates are affected?" below).
This means it is now necessary to educate and assist our partners and customers on how to make the transition away from SHA-1.

Why?

First, let's understand what SHA-1 does. SHA-1 and its successor family, SHA-2, are cryptographic hash functions. A hash function takes an input of any size and computes a fixed-size value (the "hash" or digest) that should be unique to that input and practically impossible to reproduce from a different input. So, for instance, the Word document this text is stored in has a unique SHA-1 hash value; change a single part of the file, add an extra period, alter one letter, and it produces a completely different hash. In an SSL certificate the hash function is one half of the signature algorithm (for example sha1WithRSAEncryption): the Certificate Authority hashes the certificate contents and signs that digest with its private key, which is what ties the certificate to the identity validation the CA performed.
When a browser receives a certificate from a server, it recomputes the hash of the certificate body using the hash function named in the certificate's signature algorithm (SHA-1, SHA-256, MD5 and so on) and then uses the issuing CA's public key to check that the CA's signature covers exactly that digest. If the check passes, the certificate is accepted as the one the CA issued. The weakness of the hash function is therefore the weakness of the signature: if an attacker can produce a second certificate with the same SHA-1 hash as a legitimately issued one (a collision), the CA's signature is just as valid for the forgery. That is why MD5 was abandoned for certificate signing, and why SHA-1 is now going the same way.
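To see exactly which hash function signed a certificate you have in hand, the signature algorithm can be read straight out of the certificate's DER encoding. The following is an added example written for this page (not code from the original post, and standard-library Python only): it walks the outer Certificate SEQUENCE, decodes the AlgorithmIdentifier OID, checks that the inner tbsCertificate.signature field agrees with it as RFC 5280 requires, and maps the OID to a hash name. The test certificates it builds are constructed stubs carrying only version, serial and algorithm fields, so they parse but could never validate; point pem_to_der at a real .crt file to check a live certificate.

```python
"""Read the signature algorithm out of an X.509 certificate by walking its DER
encoding. Added example, not code from the original post; standard library only.
The test certificates below are constructed stubs (version, serial, algorithm,
dummy signature) so they parse but would never validate."""
import base64

# AlgorithmIdentifier OIDs (RFC 3279, RFC 4055, RFC 5758) -> (name, hash used)
SIG_ALGS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.10040.4.3":     ("dsaWithSHA1", "SHA-1"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", "SHA-256"),
}
SEQUENCE, INTEGER, BIT_STRING, NULL, OID, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0xA0

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]   # first octet packs the first two arcs
    val = 0
    for b in body[1:]:                     # base-128, high bit set on all but the last octet
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _alg_oid(alg_body):
    tag, oid, _ = read_tlv(alg_body, 0)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def signature_algorithm(der):
    """Dotted OID of the certificate's signature algorithm. The outer signatureAlgorithm
    must equal tbsCertificate.signature (RFC 5280 4.1.1.2); a mismatch is rejected."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)        # tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # signatureAlgorithm (signatureValue follows)
    outer = _alg_oid(alg)
    tag, _, p = read_tlv(tbs, 0)
    if tag == CTX0:                        # optional [0] EXPLICIT version
        tag, _, p = read_tlv(tbs, p)
    if tag != INTEGER:
        raise ValueError("expected serialNumber")
    _, inner_alg, _ = read_tlv(tbs, p)     # TBSCertificate.signature
    inner = _alg_oid(inner_alg)
    if inner != outer:
        raise ValueError(f"algorithm mismatch: tbs={inner} outer={outer}")
    return outer

def describe(der):
    oid = signature_algorithm(der)
    return SIG_ALGS.get(oid, (oid, "unknown"))

def is_sha1_signed(der):
    return describe(der)[1] == "SHA-1"

def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# --- constructed test certificates (assumption: enough structure for the parser) ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

def make_test_cert(sig_oid, tbs_oid=None):
    """Minimal Certificate with a dummy signature; tbs_oid lets a test build a mismatch."""
    alg = lambda o: tlv(SEQUENCE, encode_oid(o) + tlv(NULL, b""))
    tbs = tlv(SEQUENCE, tlv(CTX0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01") + alg(tbs_oid or sig_oid))
    return tlv(SEQUENCE, tbs + alg(sig_oid) + tlv(BIT_STRING, b"\x00" * 5))

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        name, h = describe(make_test_cert(oid))
        print(f"{name}: hash {h}, SHA-1 signed: {is_sha1_signed(make_test_cert(oid))}")
```

From the command line, `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'` gives the same answer; the point of doing it by hand is to see that the algorithm is just an OID stored in the certificate, and that the browser only trusts it after verifying the CA's signature over the digest that algorithm produces.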

When is this happening?

Google's policy involves three distinct steps, the first beginning on September 26th 2014. On this date, only customers with SHA-1 signed certificates expiring in 2017 or later are affected. However, the set of affected certificates expands in November 2014, and again in Q1 2015. The full details of which certificates are affected are in the section below, "What certificates are affected?"

What certificates are affected?

Monday, September 29, 2014

Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169)

Red Hat has been made aware of a vulnerability affecting all versions of the bash package shipped with Red Hat products. This vulnerability, CVE-2014-6271, could allow arbitrary code execution. Certain services and applications allow remote, unauthenticated attackers to supply environment variables, letting them exploit this issue.
Update: 2014-09-29 05:00 UTC
Malware is circulating that exploits this vulnerability. For more details, see this article.
Update: 2014-09-26 05:15 UTC
Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169.
Updated bash packages that address CVE-2014-7169 are now available for Red Hat Enterprise Linux 5, 6, and 7, Red Hat Enterprise Linux 4 Extended Life Cycle Support, Red Hat Enterprise Linux 5.6 Long Life, Red Hat Enterprise Linux 5.9 Extended Update Support, Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Extended Update Support, and Shift_JIS for Red Hat Enterprise Linux 5 and 6. See also: Resolution for Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) in Red Hat Enterprise Linux.

Diagnostic Steps

Red Hat Access Labs has provided a script to help confirm whether a system is patched against the Shellshock vulnerability. You can also manually test your version of Bash by running the following command:
$ env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
If the output of the above command contains a line consisting only of the word vulnerable, you are using a vulnerable version of Bash. The patch ensures that nothing after the end of a function definition imported from the environment is executed; a patched bash prints only test (possibly together with a warning on stderr about ignoring the function definition attempt).
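The test above tells you whether your own bash is patched; the other half of the job is spotting who is already probing you. CGI hands request headers to the script as environment variables (HTTP_USER_AGENT, HTTP_REFERER and so on), which is how the bug is reached over HTTP. The following is an added example, not part of the Red Hat text or the original post: it scans Apache combined-format access log lines for the "() {" function prefix and reports whatever follows the closing brace, which is the part a vulnerable bash would have executed. The log lines are constructed for the demonstration and use RFC 5737 test addresses.

```python
"""Scan web-server access logs for Shellshock-style payloads. Added example, not
from the original post or from Red Hat. SAMPLE_LOG is constructed for the demo;
the field layout is Apache's combined log format."""
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# An exported bash function looks like "() { body }". The bug was that bash went on
# executing whatever followed the closing brace, so that trailing text is the payload.
FUNC_DEF = re.compile(r"\(\)\s*\{.*?\}\s*(?P<tail>\S.*)?")

def shellshock_payload(value):
    """Return (matched, trailing_command). trailing_command is None when the value is a
    bare function definition with nothing after it (suspicious, but no code to run)."""
    m = FUNC_DEF.search(value)
    if not m:
        return False, None
    tail = (m.group("tail") or "").lstrip(";").strip()
    return True, (tail or None)

def scan_access_log(text):
    """One finding per header field that carries a function definition."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COMBINED.match(line)
        if not m:
            continue
        # Any attacker-controlled header can reach a CGI script as an environment
        # variable, so check every field we have, not just the User-Agent.
        for field in ("ua", "referer", "request"):
            hit, trailing = shellshock_payload(m.group(field))
            if hit:
                findings.append({"line": lineno, "ip": m.group("ip"), "field": field,
                                 "request": m.group("request"), "trailing": trailing})
    return findings

# Constructed sample: one benign browser hit, two probes, one bare function definition.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 0 "() { :;}; echo vulnerable" "curl/7.29"
203.0.113.11 - - [25/Sep/2014:10:12:07 +0000] "GET /cgi-bin/x HTTP/1.1" 500 - "-" "() { ignored; }"
"""

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} via {f['field']} -> {f['trailing'] or '(definition only)'}")
```

The regex stops at the first closing brace, so a function body containing nested braces would be split early; that only changes what is reported as the trailing command, not whether the line is flagged. On a server that has already been patched these requests are harmless noise, but the source addresses are still worth blocking and the targeted CGI paths worth reviewing.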

Thursday, July 3, 2014

BIG BANG !!!! JULY PROMO !!!!

We are very happy to announce some great deals on our products. We have launched one of the best security products from SiteLock: SiteLock Website Security. It is available in our web store, icloudjunction.in.

In addition to our current hosting products (Linux VPS, Linux dedicated servers, shared hosting), we also offer Windows VPS, Windows dedicated servers, server colocation and cloud hosting from our Tier III datacenters.


Currently Running Hot Promotions



Free Domain and Hosting Promo
To avail of this promo, purchase single-domain Linux/Windows hosting in our India or US datacenter. It's the great deal of this month: represent your country with your domain. #HappyOfferings #HappySelling #INDIA #US #Domain #Hosting. Feel free to contact us, or log on to www.icloudjunction.in.

.CLUB for Lowest Price

Great offer of the month on www.icloudjunction.in: book your .CLUB domain and secure your club's online presence. The offer is valid for a limited period.



Sunday, May 25, 2014

DDoS attacks using SNMP amplification on the rise !

Attackers are increasingly abusing devices configured to publicly reply to SNMP (Simple Network Management Protocol) requests over the internet to amplify distributed denial-of-service attacks.

This amplification technique, also known as reflection, can in principle work with any protocol that is vulnerable to IP (Internet Protocol) address spoofing and generates responses much larger than the queries that trigger them. Attackers craft requests that appear to originate from the IP address of their intended victim, so that servers accepting such requests from the internet flood the victim with the responses.

Many DDoS attacks in the past year have used misconfigured DNS (Domain Name System) and NTP (Network Time Protocol) servers for amplification. However, devices that support SNMP, a protocol designed for monitoring network-attached devices by querying information about their configuration, can be abused in the same way if the SNMP service is directly exposed to the internet. Such devices are found in both home and business environments and include printers, switches, firewalls and routers.
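What this looks like in flow data, as an added example that is not part of the original post: a victim receives large UDP responses from source port 161 sent by many distinct devices while having sent them no requests at all, whereas a real monitoring station's requests and responses roughly balance. The flow records below are constructed (RFC 5737 test addresses) and the thresholds are assumptions to tune for your own network.

```python
"""Spot SNMP reflection/amplification in flow records. Added example, not from the
original post. FLOWS is a constructed sample: a monitoring station polling three
devices normally, and a victim being flooded with SNMP responses it never asked for."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port octets packets")
SNMP_PORT = 161

FLOWS = [
    # legitimate polling: station 10.0.0.5 asks, each device answers with a modest reply
    Flow("udp", "10.0.0.5", 50001, "10.0.0.11", 161, 90, 1),
    Flow("udp", "10.0.0.11", 161, "10.0.0.5", 50001, 210, 1),
    Flow("udp", "10.0.0.5", 50002, "10.0.0.12", 161, 90, 1),
    Flow("udp", "10.0.0.12", 161, "10.0.0.5", 50002, 205, 1),
    Flow("udp", "10.0.0.5", 50003, "10.0.0.13", 161, 90, 1),
    Flow("udp", "10.0.0.13", 161, "10.0.0.5", 50003, 215, 1),
    # amplification: five open reflectors hammer 198.51.100.20, which sent them nothing
    Flow("udp", "203.0.113.10", 161, "198.51.100.20", 80, 1_400_000, 1000),
    Flow("udp", "203.0.113.11", 161, "198.51.100.20", 80, 1_350_000, 960),
    Flow("udp", "203.0.113.12", 161, "198.51.100.20", 80, 1_420_000, 1010),
    Flow("udp", "203.0.113.13", 161, "198.51.100.20", 80, 1_380_000, 985),
    Flow("udp", "203.0.113.14", 161, "198.51.100.20", 80, 1_410_000, 1005),
    Flow("tcp", "198.51.100.20", 443, "192.0.2.7", 51000, 8000, 20),   # unrelated web traffic
]

def snmp_amplification_report(flows, min_reflectors=3, min_ratio=10.0):
    """Per destination: bytes received from UDP/161, bytes it sent to UDP/161, and the
    distinct responders. Flag hosts collecting large SNMP responses from many devices
    while having sent few or no requests (thresholds are assumptions; tune them)."""
    responses, requests, reflectors = defaultdict(int), defaultdict(int), defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == SNMP_PORT:            # an SNMP agent answering someone
            responses[f.dst_ip] += f.octets
            reflectors[f.dst_ip].add(f.src_ip)
        elif f.dst_port == SNMP_PORT:          # someone asking an SNMP agent
            requests[f.src_ip] += f.octets
    report = {}
    for host, resp_bytes in responses.items():
        req_bytes = requests.get(host, 0)
        ratio = resp_bytes / req_bytes if req_bytes else float("inf")
        if len(reflectors[host]) >= min_reflectors and ratio >= min_ratio:
            report[host] = {"reflectors": len(reflectors[host]), "response_bytes": resp_bytes,
                            "request_bytes": req_bytes, "ratio": ratio}
    return report

def open_reflectors(flows):
    """Devices answering SNMP toward a flagged victim: the list to report to their
    owners, or to firewall if they are yours."""
    victims = snmp_amplification_report(flows)
    return sorted({f.src_ip for f in flows if f.src_port == SNMP_PORT and f.dst_ip in victims})

if __name__ == "__main__":
    for host, info in snmp_amplification_report(FLOWS).items():
        print(f"{host}: {info['reflectors']} reflectors, {info['response_bytes']} response bytes, "
              f"{info['request_bytes']} request bytes")
    print("reflectors:", open_reflectors(FLOWS))
```

On the reflector side the picture is reversed: one device answering a stream of GetBulk requests that all claim the same source address. The fix for your own devices is the one the article implies: do not expose UDP/161 to the internet, restrict SNMP to your management hosts, and replace the default public/private community strings.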

What is a DDoS (distributed denial of service) attack?

What everyone needs to know about DDoS

DDoS stands for Distributed Denial of Service. An attacker uses a DDoS attack to make a computer resource (a website, application, e-mail or voicemail system, or network) stop responding to legitimate users. The attacker does this by commanding a fleet of remotely controlled computers to send a flood of network traffic to the target. The target becomes so busy dealing with the attacker's requests that it has no time to answer legitimate users' requests, which causes it to stop responding and results in long delays and outages.

What is a distributed attack?

One DDoSer can do a lot of damage. These denial of service attacks are called distributed because they come from many computers at once. A DDoSer controls a large number of computers that have been infected by a trojan. The trojan is a small program that gives the attacker remote command-and-control over the computer without the owner's knowledge.

What is a zombie and a botnet?

The infected computers are called zombies because they do whatever the DDoSer commands. A large group of zombie computers is called a robot network, or botnet.

Thursday, May 1, 2014

Secure your LAMP based VPS and Dedicated Web Servers

The Internet has given us the ability to buy products, make payments and more, instantly and from the comfort of our own homes. But alongside these advantages there is an underlying cyber-security threat. It was recently revealed that more than 360 million stolen credit card accounts were up for sale on the cyber black market. With many similar incidents having come to light in the past, it is essential to keep crucial information about your customers secure, and to save yourself a great deal of money in customer lawsuits.

We've put together a short guide to help you reduce the risk of your LAMP-based servers being hacked. LAMP is one of the most popular application stacks; it stands for Linux, Apache, MySQL and PHP.

Mitigate the risks of your servers being attacked

The Apache web server is one of the most commonly used web servers. But like most software, it needs appropriate settings, monitoring and maintenance to protect against vulnerabilities. In this post we will cover both general guidelines you can follow to secure your server and specific steps you should take to limit the damage caused by such attacks.

General security guidelines for securing your web server

  • Sign up for updates and announcements from the web server's mailing list.
  • Upgrade to the latest version whenever there is an update.
  • Install only the modules you need and disable unnecessary ones.
  • Make sure you log all admin-level access with date, time and username.
  • Do not reveal your server version or OS version in error messages.

For Servers with Apache:

1.   Hide the Apache version number and other sensitive information
It is important to hide the Apache version your server is running, as well as other sensitive information that helps an attacker pick exploits that match it. You can do this by following the simple steps listed below.

Add or edit the following two directives in your httpd.conf file

ServerSignature Off
ServerTokens Prod

The ServerSignature appears at the bottom of pages generated by Apache, such as 404 pages and directory listings.

The ServerTokens directive controls what Apache puts in the Server HTTP response header. Setting it to Prod reduces the header to:

Server: Apache

2. Make sure Apache is running under its own user account and group
Depending on how Apache was installed, its default User may be a shared account such as nobody or daemon. If other applications on your system also run as that user, a compromise of Apache also compromises those installations, and vice versa. It is best to add a separate "apache" user and group and then set the following directives in httpd.conf so that Apache runs as its own user. Most distribution packages already do this (apache on CentOS, www-data on Debian and Ubuntu); check which account your server actually uses.

User apache
Group apache

3. Make sure that files outside the web root directory cannot be accessed
It is always good practice to deny access to everything outside the web root, so that those files are only reachable by people who genuinely need them, and then to open up the document root explicitly.

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /var/www/html>
Order Allow,Deny
Allow from all
</Directory>

Replace /var/www/html with your actual DocumentRoot. Order/Deny/Allow is the Apache 2.2 syntax; on Apache 2.4 use Require all denied and Require all granted instead. Note that because we set "Options None" and "AllowOverride None" on /, all options and .htaccess overrides are switched off for the whole server. You now need to add them explicitly for every directory that requires an option or override.

4. Turn off directory browsing, following of symbolic links and CGI execution
You can do this with an Options directive inside a Directory block.

If you want to turn off all options simply use:
        Options None

If you only want to turn off some, separate each option with a space in your Options directive:
     Options -ExecCGI -FollowSymLinks -Indexes

Indexes exposes directory listings, ExecCGI lets scripts run from that directory, and FollowSymLinks lets a planted symlink serve files from outside the web root. Turning FollowSymLinks off makes Apache check every path component for symlinks on each request, which costs some performance; SymLinksIfOwnerMatch is the usual compromise.

5.  Install ModSecurity
ModSecurity is an Apache add-on module that can detect and block HTTP attacks. It comes in very handy for blocking SQL injection when your developers forget to add input validation, and for identifying and blocking information disclosure such as leaked detailed error messages, social security numbers or credit card numbers. Follow these steps to install it:

On CentOS:

   yum install mod_security
   service httpd restart

On Ubuntu:

   apt-get install libapache2-mod-security2
   service apache2 restart

The package ships with only a minimal configuration; you also need a rule set such as the OWASP ModSecurity Core Rule Set, and you should run it in detection-only mode (SecRuleEngine DetectionOnly) first to tune out false positives before switching to blocking.

6.  Disable any unnecessary modules
Many modules are enabled on your Apache web server that you may not need. To list the modules loaded, run:

grep LoadModule httpd.conf

(On Debian and Ubuntu, where modules are enabled per file, apache2ctl -M lists them.)

Here are some modules that are commonly enabled but often not needed:

mod_imap
mod_include
mod_info
mod_userdir
mod_status
mod_cgi
mod_autoindex

To disable one, add a # in front of its LoadModule line (on Debian and Ubuntu, a2dismod <module>) and restart Apache.

You can also go through the Apache module documentation and disable or enable whatever your site needs.

7.  Lower the Timeout value
The default Timeout directive is 300 seconds in Apache 2.2 (60 in Apache 2.4). Decreasing this value helps mitigate the effect of slow or stalled connections in a denial of service attack, since each one holds a worker for less time.

Timeout 45

8.  Limit large requests
To mitigate the effects of a denial of service attack, limit the size of the body that can be sent in an HTTP request. If you do not accept large uploads you can limit this to 1 MB with the directive below (the default, 0, is unlimited).

LimitRequestBody 1048576

Application and Database Security

SQL injection is another common method of extracting data from poorly coded websites. Here is how you can prevent it and other such attacks.

  • Ensure applications like Joomla, WordPress and Drupal are up to date.
  • Subscribe to bug updates and vulnerability reports.
  • Avoid world-writable (777) permissions on your files or folders.
  • Regularly scan your web content for malware and infections.
  • If you are using MySQL or MariaDB, run the mysql_secure_installation script.
  • If your application needs to store sensitive information such as usernames, passwords or credit card data, make sure all communication is encrypted using a TLS certificate.
For servers with PHP:

1.  Run PHP as a separate user
It is recommended to run PHP as a separate user rather than as an Apache module. If you install PHP as an Apache module, PHP runs with the Apache user's permissions, and a compromise of one vulnerable PHP script can lead to a server-wide compromise.

A better way is PHP-FPM, a FastCGI process manager that lets you run and manage PHP scripts as a separate user. Giving each site its own pool and user keeps one hacked site from reading another site's files.

2.  Use the POST method to pass sensitive parameters such as credit card information
Many developers already know this. PHP forms can pass data using either the GET or the POST method. The most important difference is that GET puts the data in the URL, where it is visible in the address bar, browser history, proxy and server logs and Referer headers, whereas POST carries it in the request body. Sensitive information such as usernames, passwords and card numbers should therefore always be sent via POST. Note that POST is not encryption: without HTTPS the request body is just as readable on the wire as the URL.

3. Always validate form and text input
Cross-site scripting and SQL injection can both be prevented if form and file input is validated (and output is escaped).

Cross-site scripting lets an attacker inject script into pages your server serves, so that it runs in other users' browsers; an unrestricted file upload lets an attacker place malicious code on the server itself; and SQL injection lets an attacker manipulate the queries your forms build in order to read your database, starting with table names and then the data in them. A simple way to validate input in PHP can be found at
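To make the injection concrete, here is an added example (not from the original post, and written in Python's built-in sqlite3 rather than PHP so it runs anywhere): the same user lookup written the vulnerable way and with a bound parameter, plus an allow-list check on the username before it reaches the database at all. The users table is constructed in memory. In PHP the bound-parameter version is a PDO or mysqli prepared statement.

```python
"""SQL injection in a login-style lookup, and the two defences this guide calls for:
parameterised queries and input validation. Added example, not from the original
post; the users table is constructed in an in-memory SQLite database."""
import re
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                    [("alice", "hash-a"), ("bob", "hash-b")])
    return con

def lookup_vulnerable(con, username):
    """The pattern the guide warns about: the request value is glued into the SQL text,
    so quotes inside the value rewrite the query itself."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con, username):
    """The value travels separately from the SQL text; the driver never parses it as SQL."""
    return [row[0] for row in con.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}\Z")

def valid_username(value):
    """Allow-list validation at the form boundary: anything that is not a plain
    username is rejected before it gets anywhere near the database."""
    return USERNAME_RE.match(value) is not None

def login_lookup(con, username):
    """Both defences together: validate first, then query with a bound parameter."""
    if not valid_username(username):
        return []
    return lookup_parameterized(con, username)

if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(db, payload))     # every user leaks
    print("parameterized:", lookup_parameterized(db, payload))  # nothing matches
    print("login_lookup :", login_lookup(db, payload))          # rejected by validation
```

Validation alone is not a substitute for parameters: a field that legitimately contains apostrophes (a surname such as O'Brien) would have to be allowed through, and only the bound parameter keeps it from being parsed as SQL.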

4. Hide the PHP version
Open php.ini (for example /etc/php.ini on CentOS; the path differs between distributions) and set the following. This removes the X-Powered-By: PHP/x.y.z response header.

vim /etc/php.ini
expose_php = Off

5. Log all PHP errors to a file, not to the web page

display_errors = Off
log_errors = On
error_log = /var/log/httpd/php_error.log

Make sure the log file is writable by the user PHP runs as and is not inside the document root.
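A quick way to check that the Apache hardening steps above (items 1, 4, 6, 7 and 8) and the PHP settings in items 4 and 5 actually made it into the configuration files is to audit the files rather than trust memory. The following is an added example written for this page, not code from the original post: two functions parse httpd.conf and php.ini text and list every recommendation that is not met. The weak and hardened samples are constructed; feed in the contents of your real files to check a live server.

```python
"""Audit httpd.conf and php.ini text against the settings this guide recommends.
Added example, not code from the original post. The four configuration samples
are constructed: one weak and one hardened file of each kind."""

RISKY_MODULES = {"mod_imap", "mod_include", "mod_info", "mod_userdir",
                 "mod_status", "mod_cgi", "mod_autoindex"}
RISKY_OPTIONS = {"indexes", "execcgi", "followsymlinks"}

def parse_directives(conf):
    """Yield (directive_lowercase, arguments), skipping comments and <Section> tags."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def audit_httpd(conf, max_timeout=60):
    """Findings for items 1 (ServerTokens/ServerSignature), 4 (Options), 6 (modules),
    7 (Timeout) and 8 (LimitRequestBody). Apache defaults are assumed where unset."""
    findings, seen = [], {}
    for name, args in parse_directives(conf):
        if name == "loadmodule":
            # "LoadModule status_module modules/mod_status.so" -> mod_status
            mod = args.split()[-1].rsplit("/", 1)[-1]
            mod = mod[:-3] if mod.endswith(".so") else mod
            if mod in RISKY_MODULES:
                findings.append(f"{mod} is loaded; comment it out unless you need it")
        elif name == "options":
            for opt in args.split():
                bare = opt.lstrip("+")
                if not opt.startswith("-") and bare.lower() in RISKY_OPTIONS:
                    findings.append(f"Options enables {bare}; use -{bare} or Options None")
        else:
            seen[name] = args
    if seen.get("servertokens", "Full").lower() != "prod":
        findings.append(f"ServerTokens is {seen.get('servertokens', 'unset (Full)')}; set ServerTokens Prod")
    if seen.get("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature is On; set ServerSignature Off")
    timeout = seen.get("timeout")
    if timeout is None or int(timeout) > max_timeout:
        findings.append(f"Timeout is {timeout or 'unset (300 in 2.2, 60 in 2.4)'}; lower it to {max_timeout} or less")
    if int(seen.get("limitrequestbody", "0")) == 0:
        findings.append("LimitRequestBody is unlimited; set e.g. LimitRequestBody 1048576")
    return findings

PHP_EXPECTED = {"expose_php": "off", "display_errors": "off", "log_errors": "on"}

def audit_php_ini(ini):
    """Findings for PHP items 4 and 5; an unset key is reported, since the built-in
    default for display_errors is On."""
    values = {}
    for raw in ini.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment in php.ini
        if "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip().strip('"').lower()
    return [f"{k} = {values.get(k, 'unset')}; set {k} = {want.capitalize()}"
            for k, want in PHP_EXPECTED.items() if values.get(k) != want]

# Constructed samples
WEAK_HTTPD = """\
ServerTokens OS
ServerSignature On
Timeout 300
LoadModule ssl_module modules/mod_ssl.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""
HARDENED_HTTPD = """\
ServerTokens Prod
ServerSignature Off
Timeout 45
LimitRequestBody 1048576
LoadModule ssl_module modules/mod_ssl.so
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks -ExecCGI
    AllowOverride None
</Directory>
"""
WEAK_PHP = "expose_php = On\ndisplay_errors = On\n; log_errors not set\n"
HARDENED_PHP = "expose_php = Off\ndisplay_errors = Off\nlog_errors = On\nerror_log = /var/log/httpd/php_error.log\n"

if __name__ == "__main__":
    for label, conf in (("weak httpd.conf", WEAK_HTTPD), ("hardened httpd.conf", HARDENED_HTTPD)):
        print(label, "->", audit_httpd(conf) or "no findings")
    for label, ini in (("weak php.ini", WEAK_PHP), ("hardened php.ini", HARDENED_PHP)):
        print(label, "->", audit_php_ini(ini) or "no findings")
```

The parser only reads a single file, so on a server that spreads configuration across conf.d or sites-enabled, concatenate the included files before auditing (apache2ctl -t -D DUMP_CONFIG on 2.4 prints the merged result).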

For servers with MySQL or MariaDB:

1.      Run mysql_secure_installation
After installing MySQL run the mysql_secure_installation script.

sudo /usr/bin/mysql_secure_installation

The script prompts you to set a MySQL root password, restrict root access to localhost, remove anonymous users and remove the unneeded test database.

2.     Secure MySQL users and databases
Log in to your MySQL server, make sure every MySQL user has a password, and delete any unwanted users. Grant each application user access only to the databases it actually uses, and only from the hosts it connects from (for example 'app'@'localhost' rather than 'app'@'%').

By following the steps detailed above you will go a long way towards ensuring that your customers' data stays secure. In the next article I will add detailed steps on Linux OS and firewall security.

Let us know if these techniques were useful by leaving a comment below.