Michael Phillips

If you use an SSL certificate (https) on your site, you may have seen a couple of new things happening in Google Chrome version 41 or later. Chrome has started displaying warning messages such as “The identity of this website has not been verified” or “Your connection to <domain> is not encrypted,” along with other visual indications that the https connection is not secure.

Those appear when your SSL certificate uses a SHA-1 signature (most SSL certificates issued before 2015 use SHA-1).


To fix the problem of browser security warnings you must re-key your SSL certificate for SHA-2. If you don’t see those warnings in Chrome and you purchased your certificate recently, it may already be SHA-2. You can verify using this test site.

 

If you purchased your SSL certificate from us, here’s how to re-key:

1) Contact us and we will re-generate and re-submit the CSR.

2) You’ll then get an email from GeoTrust with a link to complete the process. When completing the re-key on the GeoTrust site, be sure that SHA-2 is selected as the “Hashtag Algorithm.” You can find step-by-step instructions (and a video) here.

3) After you’ve completed the reissuing process, you’ll receive an email with the new certificate. Go to Control Panel and paste the new certificate into the SSL Manager.

 

If you purchased your SSL certificate elsewhere:

1) Contact us and we will re-generate the CSR and email it to you. Then you’ll have to contact the issuer of your certificate to get your certificate re-keyed for SHA-2.

2) When you receive the re-keyed certificate, go to Control Panel and paste the new certificate into the SSL Manager.

 

“Obsolete cryptography” message after re-keying with SHA-2

There is another potential problem after you’ve re-keyed your SSL certificate. While the address bar will show the green lock icon, if visitors look at the certificate details in Chrome, they may see an “Obsolete Cryptography” message.


What’s happening is that Chrome is ignoring the cipher preference we use on the server (which includes its preferred ciphers) and pointing out any “weak ciphers” it finds. You might notice that many large corporate sites are also insecure according to Chrome, for similar reasons.

That “obsolete cryptography” message may persist for a while because Google is not providing any information on exactly what they want from the server to stop calling it insecure. It would appear that Google would like to see every server everywhere remove support for all older cryptographic methods.

We understand the reasoning behind that, but the problem with removing some of those methods is that doing so will shut out visitors using some older browsers and operating systems that don’t support newer methods (such as Windows XP). Since our servers are shared by many customers, it isn’t really an option for us to make global changes that prevent some visitors – even a small number – from accessing our customers’ sites.

We are testing configuration of a separate group of servers that will not support any of the older cryptography methods, but it’s not something we can offer to you yet. We continue to monitor information from Google on recommended server configuration, as well as testing various configurations ourselves to prevent the “obsolete cryptography” message.

If you have any trouble re-keying a certificate, or if you have any questions about these ongoing changes, let us know and we’ll do our best to help.

 

Windows hosting platform updated to .NET 4.5.2

On March 26, 2015, in Announcements, by Takeshi Eto

We have updated both our Windows 2012 and Windows 2008 platforms to .NET 4.5.2.

Some of the enhancements of ASP.NET 4.5.2 include better ability to schedule async work items, better control over http headers, and debugging improvements.

This update is an in-place update so we did not rush pushing it out. Experience has taught us that in-place updates can be disruptive to some customers despite Microsoft assurances of backward compatibility. In fact to be on the safe side, when we updated to .NET 4.5.1, we only updated our Windows 2012 platform, leaving our Windows 2008 R2 platform at .NET 4.0, so that we could move customers should any unforeseen issues arise from the update.

However, updating our entire hosting platform to .NET 4.5.2 is now important because Microsoft announced that they will be deprecating .NET 4 through .NET 4.5.1 in early January 2016. In the future, Microsoft intends to only support the latest few frameworks.

At the end of February, we updated our Everleap cloud hosting platform to .NET 4.5.2 and we did not encounter any issues, so we scheduled the update for DiscountASP.NET at the end of March during the usual maintenance window. You can now enjoy the latest Microsoft web stack. Of course, if you do notice any issues, please contact us right away.

 

Takeshi Eto

I’m very happy to announce that we are going into our 10th year of maintaining our Microsoft Gold Partner status.

Microsoft continues to raise the bar to attain the Gold level status, so we do put a great deal of investment every year in maintaining our Gold Partner status. We think that our partner status truly shows our commitment to stay on top of Microsoft-related technologies. This commitment not only serves as a differentiator, but it also helps us maintain our strong relationship with Microsoft – a relationship that helped bring Everleap, our cloud hosting solution based on Windows Azure Pack, to life.

 

Michael Phillips

What is a DDoS?

DDoS stands for Distributed Denial of Service. When someone launches a DDoS attack, hundreds (or thousands) of computers and servers around the world simultaneously send traffic to a web server – or most often, a specific site on a server – in an attempt to take the site down by overwhelming the server.

When a site on our network is the target of a DDoS, the effect on your site can range from none, to slowing it down, to making it completely unavailable. The reason is that DDoS attacks vary in method and severity, and many of them are counteracted before anyone even notices a problem. Others are more intense or sustained or difficult to counteract, and everyone notices those because they can potentially cripple the network.

Why does an attack on a single site affect the entire network?

A sufficiently large attack on a single site can send enough traffic to the network to overwhelm the routers that live at the entrance to our network. The largest measured DDoS at the time I’m writing this was over 400 gigabits per second – that’s 400 billion bits of data. Per second.

To put that in perspective, some of the most massive and expensive network switches available can handle 100 Gbps, and most common switches are built to handle only 1 or 2 Gbps of traffic. That may sound small compared to a 100 Gbps switch, but it’s more than sufficient for most networks. We host tens of thousands of sites, and our average network traffic is around half a gigabit.

So you can see why an attack large enough to overwhelm the switches can affect every site on the network, including the main DiscountASP.NET site, email, Control Panel, helpdesk, etc.

The method for dealing with large attacks is essentially the same as dealing with smaller ones, but the overall impact is naturally worse, since everyone is affected. Attacks on a scale large enough to affect the entire network are still uncommon, but becoming more of a threat every day, for reasons I’ll spell out in a minute.

What does DiscountASP.NET do to counteract a DDoS?

The methods we use to counteract DDoS attacks are varied and have included just about every method available: DDoS mitigation services, intrusion detection devices, null routing, etc. There are a lot of methods out there, but often the most effective thing we can do is be reactive and responsive. Our network is continuously monitored for malicious traffic, and we have direct control over null routing on all of our backbone connections.

When a DDoS targets a specific site, it is relatively easy to counteract. More often than not these days, though, DDoS attacks do not directly target a domain or an IP, so it takes a bit of time to determine the target (and determining the target is necessary to counteract the attack).

In the past we could just throw massive amounts of bandwidth at an attack to absorb the traffic and mitigate the attack’s effect. But that approach has become much less effective as of late. The botnets have become too large, and a rapidly increasing number of the compromised computers are on broadband connections in homes or corporate servers in large data centers.

While there still isn’t any way to prevent a DDoS before it happens, be assured that we react to every incident of possible malicious traffic immediately and respond with whatever methods are likely to be most effective as quickly as possible.

Why do DDoS attacks happen?

There are a lot of reasons, ranging from political protest to personal grudge and a million other reasons in between. Humans launch these attacks, and of course humans can be unpredictable and irrational. When we determine the target of a DDoS attack, there is often no outward reason why the site would be attacked. So the reason isn’t always obvious.

The problem – and the reality – is that no matter what we do, inevitably some DDoS attacks are going to have an effect on the network, and possibly your site. It isn’t just us, it’s every site and host everywhere, including the biggest sites on the Internet. Unfortunately, if they can take down Microsoft or Amazon, they can take down DiscountASP.NET. It’s something we are all coming to grips with and trying to learn to prevent.

Where to go for information in the event of a large DDoS attack

If you suspect that a large scale attack is happening, you can check our Twitter, Google+ and Facebook pages for updates and information. We will also be moving our community forum to a server outside of our network sometime soon in order to keep that communication channel open in the event of a large attack.

If a DDoS affects your site, you can be sure that we are doing all we can to stop it and return the network to its maximum capacity.

 

Introducing Cloud Backup: safeguard your site now

On January 22, 2015, in Announcements, by Takeshi Eto

Today we are announcing a new Cloud Backup solution that will back up your website off-site onto the Amazon cloud. The service comes with a web-based management portal to manage backup scheduling, versions and restoration.

A solution for “Oops” recovery
We’ve all done it – accidentally deleted an important file or overwritten something that broke a site or threw off the entire layout. Having a previous backup could save hours of painstaking work.

Bounce back quickly from website hacks
Hackers are constantly probing and learning how to exploit application vulnerabilities. No matter how vigilant you are in patching and updating, it’s still possible for hackers to gain access to websites and replace pages, or place malicious code or files within your site. Cloud Backup can help you quickly recover in the event of any hacking activities, restoring your site with a previous clean version.

MySQL backup
Cloud Backup can access your MySQL database and back it up automatically.

SQL backup
Backing up your SQL database is a two-step process. The SQL backup tool in the control panel copies your SQL backup into your web space, where it is backed up with your site. You can run the SQL backup tool manually or automate the process using our SQL backup API.

Check out our site for more information on plans and pricing and learn how Cloud Backup can help you achieve peace of mind.

 