HTTPS “obsolete cryptography” message in Google Chrome, SSL certificates, SHA-1, SHA-2

Michael Phillips

Note: beginning with Chrome version 46, the yellow caution triangle has been removed from the https URL when Chrome encounters minor errors such as those described in this article.

If you use an SSL certificate (https) on your site, you may have seen a couple of new things happening in Google Chrome version 41 or later. Various warning messages such as, “The identity of this website has not been verified,” “Your connection to <domain> is not encrypted,” or other visual indications that the https connection is not secure have started to be displayed.

Those appear when your SSL certificate uses a SHA-1 signature (most SSL certificates issued before 2015 use SHA-1).

[Screenshot: Chrome’s warning on a site using a SHA-1 certificate]

To clear the browser security warnings, you must re-key your SSL certificate for SHA-2. If you don’t see those warnings in Chrome and you purchased your certificate recently, it may already be SHA-2. You can verify using this test site.


If you purchased your SSL certificate from us, here’s how to re-key:

1) Contact us and we will re-generate and re-submit the CSR.

2) You’ll then get an email from GeoTrust with a link to complete the process. When completing the re-key on the GeoTrust site, be sure that SHA-2 is selected as the “Hashtag Algorithm.” You can find step-by-step instructions (and a video) here.

3) After you’ve completed the reissuing process, you’ll receive an email with the new certificate. Go to Control Panel and paste the new certificate into the SSL Manager.

 

If you purchased your SSL certificate elsewhere:

1) Contact us and we will re-generate the CSR and email it to you. Then you’ll have to contact the issuer of your certificate to get your certificate re-keyed for SHA-2.

2) When you receive the re-keyed certificate, go to Control Panel and paste the new certificate into the SSL Manager.
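Before and after re-keying, it is worth confirming for yourself which hash the certificate’s signature actually uses rather than relying on the browser’s warning. The script below is an added example and is not part of the original post or any DiscountASP.NET tool. It uses only Python’s standard library: a small DER walker pulls the signatureAlgorithm OID out of an X.509 certificate and maps it to a name, `check_host()` fetches a live server’s certificate over TLS, and `fake_certificate()` builds a constructed, certificate-shaped blob so the parser can be exercised offline. One caveat: `ssl.get_server_certificate()` returns only the leaf certificate, while Chrome’s SHA-1 deprecation applied to every certificate in the chain except the root, so intermediates should be checked the same way.

```python
"""Report whether an X.509 certificate is signed with SHA-1 or a SHA-2 hash.

Added example, not code from the original post. Standard library only.
"""
import ssl

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-2"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-2"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name, family) for a DER certificate's outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("bad AlgorithmIdentifier")
    tag, oid_body, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_body)
    name, family = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def is_sha1_signed(der):
    return signature_algorithm(der)[2] == "SHA-1"


def check_host(host, port=443):
    """Fetch the leaf certificate a live server presents and classify its signature."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- helpers that build a constructed, certificate-shaped DER blob for offline use ---
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_certificate(sig_oid):
    """Constructed stand-in, not a real certificate: placeholder tbsCertificate,
    the requested AlgorithmIdentifier (OID + NULL params) and a dummy BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x02"))
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 17)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(signature_algorithm(fake_certificate(oid)))
```

Run `check_host("www.example.com")` against your own site to see the live result; a family of `SHA-1` means the certificate still needs re-keying, and `SHA-2` is what a re-keyed GeoTrust certificate should report (in practice almost always sha256WithRSAEncryption).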

 

“Obsolete cryptography” message after re-keying with SHA-2

There is another potential problem after you’ve re-keyed your SSL certificate. While the address bar will show the green lock icon, if visitors look at the certificate details in Chrome, they may see an “Obsolete Cryptography” message.

[Screenshot: the “Obsolete Cryptography” message in Chrome’s certificate details]

What’s happening is that Chrome is ignoring the cipher preference order we set on the server (which includes Chrome’s own preferred ciphers) and flagging any “weak ciphers” it finds. You might notice that many large corporate sites are also reported as insecure by Chrome, for similar reasons:

[Screenshot: certificate details of a large corporate site showing the same “obsolete cryptography” message]

That “obsolete cryptography” message may persist for a while because Google is not providing any information on exactly what they want from the server to stop calling it insecure. It would appear that Google would like to see every server everywhere remove support for all older cryptographic methods.

We understand the reasoning behind that, but the problem with removing some of those methods is that doing so will shut out visitors using older browsers and operating systems that don’t support newer methods (such as Windows XP). Since our servers are shared by many customers, it isn’t really an option for us to make global changes that prevent some visitors – even a small number – from accessing our customers’ sites.

We do maintain special servers that do not support any of the older cryptography methods, and they are available if you’d like to move your site. The servers are primarily used by customers who need a “hardened” server to pass a PCI compliance scan. But the added security does introduce some issues, such as older browsers being unable to connect to sites on those servers via https. There are also a few other caveats that may require adjustment or a work-around on your part. But if you’d like to move your site to such a server, or need more information, let us know.
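Whether a given connection will be labelled “obsolete cryptography” can be checked rather than guessed at. The script below is an added example, not code from the original post or from DiscountASP.NET. The classification rule it applies is the one Chrome used at the time as I understand it: the suite negotiated for the connection must use an ECDHE key exchange and an AEAD cipher (AES-GCM, or ChaCha20-Poly1305 where supported) over TLS 1.2 or later; anything else, in particular RSA key exchange or a CBC-mode cipher, is reported as obsolete. `negotiate()` handshakes with a live server using a browser-like offer (modern suites first, legacy ones last), so the suite that comes back reveals whether the server is enforcing its own preference order; `audit()` additionally offers only modern suites to learn whether the server has any enabled at all. Suite names follow OpenSSL naming, which is what Python’s `ssl` module returns; the sample negotiation results at the bottom are constructed.

```python
"""Classify negotiated TLS cipher suites as 'modern' or 'obsolete'.

Added example, not code from the original post. The rule (ECDHE + AEAD on
TLS >= 1.2) is my reading of Chrome's criterion at the time.
"""
import socket
import ssl

# Browser-like offer: modern suites first, legacy CBC suites last. A server that
# enforces its own preference order will pick from the back of this list.
BROWSER_LIKE_ORDER = "ECDHE+AESGCM:ECDHE+CHACHA20:ECDHE+AES:AES"
# Modern suites only: a failed handshake means the server has none enabled.
MODERN_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"


def is_modern_suite(name, protocol):
    """True if (suite, protocol) satisfies the ECDHE + AEAD + TLS>=1.2 rule."""
    if protocol == "TLSv1.3":            # every TLS 1.3 suite is AEAD with (EC)DHE
        return True
    if protocol != "TLSv1.2":            # TLS 1.0/1.1 fail regardless of suite
        return False
    return name.startswith("ECDHE-") and ("-GCM-" in name or "CHACHA20" in name)


def classify(negotiations):
    """Label each (suite, protocol, bits) triple as 'modern' or 'obsolete'."""
    return [(name, protocol, "modern" if is_modern_suite(name, protocol) else "obsolete")
            for name, protocol, _bits in negotiations]


def negotiate(host, port=443, ciphers=BROWSER_LIKE_ORDER):
    """Handshake with a live server; return ssl's (suite, protocol, bits) tuple."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


def audit(host, port=443):
    """What a browser-like offer gets, plus whether any modern suite is enabled."""
    picked = negotiate(host, port, BROWSER_LIKE_ORDER)
    verdict = classify([picked])[0][2]
    try:
        negotiate(host, port, MODERN_ONLY)
        has_modern = True
    except ssl.SSLError:
        has_modern = False
    return {"negotiated": picked, "verdict": verdict, "server_has_modern_suite": has_modern}


# Constructed sample of negotiation results, shaped like ssl.SSLSocket.cipher() output.
SAMPLE_NEGOTIATIONS = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),  # ECDHE + AES-GCM: modern
    ("ECDHE-RSA-AES256-SHA", "TLSv1.2", 256),         # ECDHE but CBC: obsolete
    ("AES256-SHA", "TLSv1", 256),                     # RSA key exchange, TLS 1.0
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),       # modern
]

if __name__ == "__main__":
    for row in classify(SAMPLE_NEGOTIATIONS):
        print(*row)
```

If `audit()` reports a modern suite available but `negotiated` is a CBC suite even though the offer listed AES-GCM first, the server’s own preference order decided the outcome, which is the situation described above; the remedy in that case is to move the ECDHE + AEAD suites to the front of the server’s list, which keeps the older suites available for browsers that need them.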

We continue to monitor information from Google on recommended server configuration, as well as testing various configurations ourselves to prevent the “obsolete cryptography” message.

If you have any trouble re-keying a certificate, or if you have any questions about these ongoing changes, let us know and we’ll do our best to help.

Windows hosting platform updated to .NET 4.5.2

Takeshi Eto

We have updated both our Windows 2012 and Windows 2008 platforms to .NET 4.5.2.

Some of the enhancements of ASP.NET 4.5.2 include better ability to schedule async work items, better control over http headers, and debugging improvements.

This update is an in-place update, so we did not rush pushing it out. Experience has taught us that in-place updates can be disruptive to some customers despite Microsoft’s assurances of backward compatibility. In fact, to be on the safe side, when we updated to .NET 4.5.1 we only updated our Windows 2012 platform, leaving our Windows 2008 R2 platform at .NET 4.0, so that we could move customers should any unforeseen issues arise from the update.

However, updating our entire hosting platform to .NET 4.5.2 is now important because Microsoft announced that they will be deprecating .NET 4 through .NET 4.5.1 in early January 2016. In the future, Microsoft intends to support only the latest few frameworks.

At the end of February, we updated our Everleap cloud hosting platform to .NET 4.5.2 and we did not encounter any issues, so we scheduled the update for DiscountASP.NET at the end of March during the usual maintenance window. You can now enjoy the latest Microsoft web stack. Of course, if you do notice any issues, please contact us right away.

Microsoft Gold Hosting Competency Status Renewed for 2015

Takeshi Eto

I’m very happy to announce that we are going into our 10th year of maintaining our Microsoft Gold Partner status.

Microsoft continues to raise the bar to attain the Gold level status, so we do put a great deal of investment every year in maintaining our Gold Partner status. We think that our partner status truly shows our commitment to stay on top of Microsoft-related technologies. This commitment not only serves as a differentiator, but it also helps us maintain our strong relationship with Microsoft – a relationship that helped bring Everleap, our cloud hosting solution based on Windows Azure Pack, to life.

DDoS attacks: what they are, why they happen and what we can do about them

Michael Phillips

What is a DDoS?

DDoS stands for Distributed Denial of Service. When someone launches a DDoS attack, hundreds (or thousands) of computers and servers around the world simultaneously send traffic to a web server – or most often, a specific site on a server – in an attempt to take the site down by overwhelming the server.

When a site on our network is the target of a DDoS, the effect on your site can range from none, to slowing it down, to making it completely unavailable. The reason is that DDoS attacks vary in method and severity, and many of them are counteracted before anyone even notices a problem. Others are more intense, sustained or difficult to counteract, and everyone notices those because they can potentially cripple the network.

Why does an attack on a single site affect the entire network?

A sufficiently large attack on a single site can send enough traffic to the network to overwhelm the routers that live at the entrance to our network. The largest measured DDoS at the time I’m writing this was over 400 gigabits per second – that’s 400 billion bits of data. Per second.

To put that in perspective, some of the most massive and expensive network switches available can handle 100 Gbps, and most common switches are built to handle only 1 or 2 Gbps of traffic. That may sound small compared to a 100 Gbps switch, but it’s more than sufficient for most networks. We host tens of thousands of sites, and our average network traffic is around half a gigabit.

So you can see why an attack large enough to overwhelm the switches can affect every site on the network, including the main DiscountASP.NET site, email, Control Panel, helpdesk, etc.

The method for dealing with large attacks is essentially the same as for smaller ones, but the overall impact is naturally worse, since everyone is affected. Attacks on a scale large enough to affect the entire network are still uncommon, but they are becoming more of a threat every day, for reasons I’ll spell out in a minute.

What does DiscountASP.NET do to counteract a DDoS?

The methods we use to counteract DDoS attacks are varied and have included just about every method available: DDoS mitigation services, intrusion detection devices, null routing, etc. There are a lot of methods out there, but often the most effective thing we can do is be reactive and responsive. Our network is continuously monitored for malicious traffic, and we have direct control over null routing on all of our backbone connections.

When a DDoS targets a specific site, it is relatively easy to counteract. More often than not these days, though, DDoS attacks do not directly target a domain or an IP, so it takes a bit of time to determine the target (and determining the target is necessary to counteract the attack).

In the past we could just throw massive amounts of bandwidth at an attack to absorb the traffic and mitigate the attack’s effect. But that approach has become much less effective as of late. The botnets have become too large, and a rapidly increasing number of the compromised computers are on broadband connections in homes or corporate servers in large data centers.

While there still isn’t any way to prevent a DDoS before it happens, be assured that we react to every incident of possible malicious traffic immediately and respond with whatever methods are likely to be most effective as quickly as possible.
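The step the post calls out as the prerequisite for a response, working out which destination is actually being hit, is normally done from flow records at the network edge. The script below is an added example, not DiscountASP.NET’s monitoring or any code from the original post. It reads constructed flow records in a simple “epoch-second source destination bytes” form (documentation IP ranges only), aggregates inbound bits per second and distinct sources per destination, and reports destinations whose rate crosses a threshold from many sources, which is what distinguishes a distributed flood from one busy client. `ingress_rate_bps()` covers the other case the post describes, an attack that does not single out one address: the total at the ingress can saturate the routers even when no single destination stands out.

```python
"""Find the likely target of a volumetric DDoS from per-flow records.

Added example, not code from the original post. Input records are constructed.
"""
from collections import defaultdict

# Constructed flow records: "<epoch-second> <src> <dst> <bytes>", documentation IPs.
# Ten distinct sources hit 203.0.113.10 in the same second; 203.0.113.20 sees
# ordinary traffic; one straggler to .10 appears in the next second.
SAMPLE_FLOWS = """\
100 198.51.100.1 203.0.113.10 1500
100 198.51.100.2 203.0.113.10 1500
100 198.51.100.3 203.0.113.10 1500
100 198.51.100.4 203.0.113.10 1500
100 198.51.100.5 203.0.113.10 1500
100 198.51.100.6 203.0.113.10 1500
100 198.51.100.7 203.0.113.10 1500
100 198.51.100.8 203.0.113.10 1500
100 198.51.100.9 203.0.113.10 1500
100 198.51.100.10 203.0.113.10 1500
100 192.0.2.5 203.0.113.20 800
101 192.0.2.6 203.0.113.20 640
101 198.51.100.1 203.0.113.10 1500
"""


def parse_flows(text):
    """Parse records into (second, src, dst, bytes) tuples; blank/comment lines skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def per_second_rates(flows):
    """Map (dst, second) -> (bits per second, number of distinct sources)."""
    acc = defaultdict(lambda: [0, set()])
    for ts, src, dst, nbytes in flows:
        entry = acc[(dst, ts)]
        entry[0] += nbytes * 8
        entry[1].add(src)
    return {key: (bits, len(srcs)) for key, (bits, srcs) in acc.items()}


def find_targets(flows, threshold_bps, min_sources):
    """Destinations whose inbound rate in some one-second window reaches threshold_bps
    from at least min_sources distinct sources. Returns rows sorted by peak rate:
    (dst, peak_bps, sources_in_peak_second, second)."""
    peaks = {}
    for (dst, ts), (bps, n_src) in per_second_rates(flows).items():
        if bps >= threshold_bps and n_src >= min_sources:
            if dst not in peaks or bps > peaks[dst][0]:
                peaks[dst] = (bps, n_src, ts)
    return sorted(((dst,) + v for dst, v in peaks.items()), key=lambda r: -r[1])


def ingress_rate_bps(flows):
    """Peak total inbound bits per second across all destinations, for the case
    where no single address stands out but the edge is saturated anyway."""
    totals = defaultdict(int)
    for ts, _src, _dst, nbytes in flows:
        totals[ts] += nbytes * 8
    return max(totals.values()) if totals else 0


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("peak ingress bps:", ingress_rate_bps(flows))
    for dst, bps, n_src, ts in find_targets(flows, threshold_bps=100_000, min_sources=5):
        print(f"candidate target {dst}: {bps} bps from {n_src} sources at t={ts}")
```

The rows `find_targets()` returns are the candidates an operator reviews before deciding on a response such as null-routing that one destination; the thresholds are deliberately parameters, since a sensible value depends on the network’s normal baseline (the post gives DiscountASP.NET’s as roughly half a gigabit).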

Why do DDoS attacks happen?

There are a lot of reasons, ranging from political protest to personal grudge and a million other reasons in between. Humans launch these attacks, and of course humans can be unpredictable and irrational. When we determine the target of a DDoS attack there is often no outward reason why the site would be attacked. So the reason isn’t always obvious.

The problem – and the reality – is that no matter what we do, inevitably some DDoS attacks are going to have an effect on the network, and possibly your site. It isn’t just us, it’s every site and host everywhere, including the biggest sites on the Internet. Unfortunately, if they can take down Microsoft or Amazon, they can take down DiscountASP.NET. It’s something we are all coming to grips with and trying to learn to prevent.

Where to go for information in the event of a large DDoS attack

If you suspect that a large scale attack is happening, you can check our Twitter, Google+ and Facebook pages for updates and information. We will also be moving our community forum to a server outside of our network sometime soon in order to keep that communication channel open in the event of a large attack.

If a DDoS affects your site you can be sure that we are doing all we can to stop it and return the network to its maximum capacity.

Introducing Website Cloud Backup: safeguard your site now

Takeshi Eto

Today we are announcing a new Website Cloud Backup solution that will back up your website off-site onto the Amazon cloud. The service comes with a web-based management portal to manage backup scheduling, versions and restoration.

A solution for “Oops” recovery
We’ve all done it – accidentally deleted an important file or overwritten something that broke a site or threw off the entire layout. Having a previous backup could save hours of painstaking work.

Bounce back quickly from website hacks
Hackers are constantly probing and learning how to exploit application vulnerabilities. No matter how vigilant you are in patching and updating, it’s still possible for hackers to gain access to websites and replace pages, or place malicious code or files within your site. Website Cloud Backup can help you quickly recover in the event of any hacking activities, restoring your site with a previous clean version.

MySQL backup
Website Cloud Backup can access your MySQL database and back it up automatically.

SQL backup
Backing up your SQL database is a two-step process. The SQL backup tool in the control panel will copy your SQL backup into your web space, where it will be backed up along with your site. You can run the SQL backup tool manually or automate the process using our SQL backup API.

Check out our site for more information on plans and pricing and learn how Website Cloud Backup can help you achieve peace of mind.

Top 10 things we accomplished in 2014

Takeshi Eto

2014 went by so fast I didn’t get a chance to get my annual Top 10 post up in December. So here is a recap of the Top 10 things we accomplished in 2014.

1. We launched Everleap

This project was brewing in R&D for a couple of years and we are excited to launch our cloud hosting solution at Everleap.com. Everleap is powered by Windows Azure Pack (WAP) and provides scaling options that do not exist at DiscountASP.NET. We were the first host to launch a production hosting solution using the websites functionality of WAP.

Over the years, we’ve witnessed web applications becoming more sophisticated and complex and customers outgrowing traditional shared hosting services. So we wanted to provide a hosting solution for growth but we were not so keen on doing the same old VPS and dedicated hosting as all the other hosts.

Now with Everleap, we have a great upgrade path for our shared hosting customers, seamless scaling options that are not easily found at traditional hosts, all offered at flat, fixed pricing without mystery bills. In fact, we are offering free migration services for DiscountASP.NET customers who want to move to Everleap.

2. SQL 2014 hosting in the US and Europe

As always we try to keep up to date with new Microsoft technology releases. We launched SQL 2014 hosting in both our US-based and Europe-based data centers.

3. Managed TFS 2013 hosting in the US and Europe

We launched Managed Team Foundation Server 2013 hosting in both our US-based and UK-based data centers. This is a great option for businesses that want their own instance of TFS that is not shared with any other users and/or those who require server-side customization. TFS 2013 includes real-time collaboration enhancements with Team Rooms.

4. Exchange ActiveSync

ActiveSync was an “ask” from many customers, and now some new updates in Microsoft licensing make it possible for us to offer this feature. Exchange ActiveSync helps sync your email, calendar, contacts and tasks with the Smartermail email server and your mobile devices in real time – including Google Android, Apple iPad and iPhone, Motorola, Nokia, HP, Samsung, LG and Windows Phones.

5. SSD powered Reserved Cloud Servers at Everleap

On our Everleap cloud hosting solution, we introduced SSD-accelerated Reserved Cloud Servers. A Reserved Cloud Server is your own private VM that is reserved to serve only your sites, no other customers’. So you get to use all the resources of the server, meaning all the CPU and RAM, and there is virtually no constraint on idle timeouts and concurrent connections. We offer them in three flavors – small (1 CPU, 1 GB RAM), medium (2 CPU, 2 GB RAM) and large (4 CPU, 4 GB RAM). These are a great option to grow into for CPU-intensive or memory-hungry apps.

6. Smartermail update

Admittedly, we did not keep up to date with Smartermail updates over the years. In 2014, we updated all our mail servers with the latest Smartermail version and we will work to keep up with the updates.

7. Git integration at Everleap

Many developers are using Git for their version control nowadays. We had customers ask about Git but integrating Git with DiscountASP.NET is difficult. However, WAP includes features to integrate Git so we offer Git publishing over at Everleap. We even host a local Git repository in your account. You can add additional users with Git publishing rights as well.

8. TFS 2013 Updates 1-4

Microsoft is adopting a faster cadence for releases. With Visual Studio 2013 we saw 4 updates released throughout 2014. So for our TFS 2013 hosting service, we stayed up to date with all the updates. But we don’t go ahead and blindly install updates. We test them out as thoroughly as possible and we schedule the updates with our customers.

9. Urban Turtle for Managed TFS 2013 and TFS 2012

For a while there, we were only able to support Urban Turtle for TFS 2010. Now, the latest Urban Turtle tools for TFS 2013 and TFS 2012 are available for our Managed TFS hosting solution. And, as discussed in the previous item, Microsoft’s fast release cadence can cause breaking changes with add-ins. So when we apply updates to TFS, we also work with Urban Turtle to make sure compatibility issues are ironed out.

10. Microsoft Gold Partner renewed

I know I may sound like a broken record (remember those?) but I think the renewal of the Microsoft Gold Partner status is something important to include here because it is not a trivial task to maintain. With Microsoft continually raising the bar for the Gold Partner level, we’ve witnessed many hosts dropping in partnership level. Maintaining the Gold status is an investment and a differentiator.

Thank you for powering through and reading this long post and we look forward to having more things to talk about in 2015!

Exchange ActiveSync Now Available

Takeshi Eto

Many of you have asked for it, so I’m happy to announce that Exchange ActiveSync is now available as an add-on enhancement. You can activate this add-on through the Control Panel.

Though Exchange ActiveSync has been supported on SmarterMail for some time, it is only now with changes to how Microsoft licenses this technology that we are able to launch this feature.

For those unfamiliar with Exchange ActiveSync, it is a protocol that has become a de facto standard to sync groupware and mobile devices. With the ActiveSync add-on, your email, contacts, calendar and tasks are synchronized between our mail servers and your mobile device (e.g. your smartphone or tablet) in real time.

ActiveSync includes synchronization support for most mobile devices on the market, including Google Android, Apple iPad and iPhone, Motorola, Nokia, HP, Samsung, LG and Windows Phones.

We know that we are a mobile society and having access to information on-the-go is increasingly important for your business and personal life. So we are glad to be able to make this feature available to help you be even more productive.