SSL What Why Where

What

SSL stands for Secure Sockets Layer. It is the protocol used to encrypt and secure data sent over the internet, and it is best known for its use in web browsers. When you visit a secure web site (HTTP over SSL, or https), you will see a little lock icon somewhere that shows you the site is secure. Things get complicated when you shop for SSL certificates: you can also get site seals or EV SSL, and you’ll find a wide range of prices, from $30/year to over $1,000/year.

Terminology

  1. SSL certificate – A basic SSL certificate is all you need for the lock to be displayed in a browser.
  2. Site seal – If you purchase an SSL certificate, it often comes with a site seal, a little graphic you can display on your site that tells visitors your site is secured by that SSL seller.
  3. “Deluxe” or “Premium” SSL – Most SSL sellers offer a more expensive version of SSL that is typically the exact same SSL certificate accompanied by a site seal or a more advanced site seal.
  4. Multi-domain SSL – It is possible to purchase one SSL certificate that works for multiple domains, which makes management much easier if you need to secure many domains. This is typically only worth getting if you have a lot of domains.
  5. Extended Validation (EV) SSL – This is the latest and most expensive kind of SSL. In addition to basic SSL, it causes a green security bar to be shown in the latest web browsers. The green bar means the SSL purchaser was verified as a real business, which is supposed to make the visitor feel all warm and fuzzy inside. Considering it isn’t that hard to make a fake business, I never get that feeling. Also, less than 1/3 of browsers in use right now can show the green bar and most people don’t even know what it means yet.

Why

Without encryption, everything you send from your computer to a web server is readable by anyone in between. Things are even less safe at an open WiFi spot at a cafe, where anyone around you can watch all the unencrypted data you are sending and receiving. As a result, some actions, such as site logins or purchasing online, must be encrypted with SSL.

Where

There are several places you can buy SSL certificates.  Many are extremely overpriced for no good reason.  From cheapest to most expensive, I’d recommend the following:

  1. GoDaddy.com – The standard SSL from GoDaddy is $30/year, and you can typically get a discount off that with a promo code. They also offer EV SSL for $500/year. Sadly, that is relatively cheap for EV SSL. One complaint I have about GoDaddy is that the site they provide for managing your SSL is ugly and confusing. Another problem is that they are not a top-tier SSL provider, so you have to install what’s called a certificate chain file in addition to the certificate. If you can handle the extra work and poor site, they are the cheapest way to go, and in the end the SSL works the same.
  2. Geocerts – This site resells GeoTrust certificates for less than GeoTrust charges directly. GeoTrust certificates are easier to install than GoDaddy’s because you don’t have to deal with a certificate chain. They also make the process quick and easy. Their basic SSL is $99 and their Premium is $129. If you want a good, clickable site seal that brings up a useful dialog box about your SSL, GeoTrust Premium is the way to go.
  3. VeriSign – These guys have been around for a long time and they do a good job, but their prices are nuts: $400 for basic SSL and $1,000 for EV SSL. If money is no object, you can consider them.
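The certificate chain remark under GoDaddy above deserves a concrete look, so here is an added example (not code from the original post or from any of the sellers it mentions). It is a POSIX shell script that uses the openssl command line to build a throwaway root CA, an intermediate CA and a server certificate, then validates the server certificate the way a browser would: once with only the server certificate, and once with the intermediate supplied as a chain file. Every name in it (Demo Root CA, shop.example.test, the file names) is invented for the demo, and it assumes the openssl binary is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: builds a throwaway
# root -> intermediate -> server certificate chain with the openssl CLI and
# shows what goes wrong when a server omits the intermediate ("chain file").
# Every name here (Demo Root CA, shop.example.test, file names) is invented.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Creates root.pem, inter.pem and leaf.pem in the current directory.
build_chain() {
    # Extensions for a CA certificate: it may sign other certificates.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Extensions for the server (leaf) certificate: not a CA, valid for one host name.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:shop.example.test\n' > leaf.ext

    # 1. Self-signed root CA: the kind of certificate a browser ships in its trust store.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.pem >/dev/null 2>&1

    # 2. Intermediate CA, signed by the root. Sellers commonly sign customer
    #    certificates with an intermediate like this rather than with the root itself.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out inter.pem >/dev/null 2>&1

    # 3. Server certificate, signed by the intermediate (what the site actually buys).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# A client that trusts only the root and is handed just the server certificate:
# it cannot link leaf -> root, so validation fails (non-zero exit status).
verify_without_chain() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# The same client, but the server also sends the intermediate (the "chain file"):
# openssl can now build leaf -> intermediate -> root and validation succeeds.
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

build_chain

if verify_without_chain; then
    echo "server cert alone: trusted (unexpected)"
else
    echo "server cert alone: NOT trusted - a browser would show a certificate error"
fi

if verify_with_chain; then
    echo "server cert + chain file: trusted - a browser would show the lock"
else
    echo "server cert + chain file: NOT trusted (unexpected)"
fi
```

The -CAfile argument plays the role of the browser's built-in trust store, which only contains root certificates; the -untrusted argument plays the role of the extra certificates a web server sends along with its own. When a seller signs your certificate with an intermediate, that intermediate has to reach the browser somehow, and the chain file you install on the server is how it gets there. A seller whose signing certificate is already in the trust store does not need it.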

“Dial a Human” to Reach a Person

Are you tired of automated call distribution (ACD) systems that force you to listen to long option trees? They start by saying “please listen to all the options because they have recently changed.” In the past, you could just press “0” repeatedly to reach an operator. Now many companies have stopped that and even created complicated trees so that fewer callers reach a person, thereby saving the company money.

This web site compiles company phone numbers and directions to reach a person:

Dial A Human

Make Palm-sized Paper Booklets

Many D.C. area organizations do not allow people to bring in cell phones, PDAs, laptops, or any other electronic devices for security reasons. A great solution is to make a paper booklet for your information. There are two Flash-based websites that do a great job at this for free:

PocketMod

PocketMod includes lots of built-in templates: calendars, organizers, lists, references, games, RSS feeds, and more. You can edit several of these to include your information. Creating a booklet is as simple as dragging the pages you want into your booklet and clicking Print PocketMod!

BookletCreator

BookletCreator prints any PDF (Adobe Acrobat) file in booklet form. If you have a long list of contacts that you want to print out, this works well. First you will need to turn your content into a PDF, as we explained earlier.

National Cyber Alert System from US-CERT

For system administrators or those just interested in computer security, a great resource is the Cyber Security Alert system from US-CERT.

US-CERT formed in September 2003 as a partnership between the Department of Homeland Security and the public and private sectors, intended to coordinate the response to security threats from the Internet. US-CERT is the Federal Incident Management Center for the Federal Government and serves as the focal point for cybersecurity issues.

You can get their Cyber Security Alerts by email or subscribe to their RSS feed.

Here is an example of a recent Cyber Security Alert, warning of a particular security threat to Microsoft software and what actions to take:

Overview

Microsoft has released updates that address vulnerabilities in Microsoft Windows, Internet Explorer, Word, Excel, SharePoint Server, Visual Basic 6 and related components.

I. Description

As part of the Microsoft Security Bulletin Summary for November 2008, Microsoft released updates to address vulnerabilities that affect Microsoft Windows, Internet Explorer, Word, Excel, SharePoint Server, Visual Basic 6 and other related components.

II. Impact

A remote, unauthenticated attacker could gain elevated privileges, execute arbitrary code or cause a vulnerable application to crash.

III. Solution

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for December 2008. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

WiFi Search from an iPhone or iPod Touch

Keeping with the recent WiFi stumbling posts, I ran across this software for finding WiFi access points from an iPhone or iPod Touch:

WiFinder

It’s a simple and convenient way to analyze wireless networks. It shows whether a network uses wireless encryption and what kind, along with the name, signal strength and channel of each network. It can be set to rescan automatically and beep when a new network SSID (wireless network name) is found. If you see an open network, you can even connect to it from the WiFinder app. It’s a useful tool for network admins or “wardrivers” who want to see what networks are around.

Currently the WiFinder app is free in the App Store.