
FTP sites will be marked Not Secure from Google Chrome 63

FTP sites will be marked as Not Secure with the release of Google Chrome 63 in December 2017


That is the direction of the discussion on the Chromium security-dev list: https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/HknIAQwMoWo/xYyezYV5AAAJ

Although there have been plans to remove FTP support altogether, for now FTP sites will only be marked as Not Secure.

About FTP

FTP (File Transfer Protocol), reached through ftp:// URLs, is a decades-old network protocol for transferring files between clients and servers. It has no encryption at all: login credentials and file contents cross the network in cleartext, so anyone on the path can read or alter them.

FTP can be wrapped in SSL/TLS, which gives FTPS. Unfortunately FTPS is not supported by most browsers, including Chrome, because its usage is too low to justify the work.

What are FTP sites?

FTP sites are servers from which you can download large files with your browser, such as the latest Linux distribution or third-party software for your operating system.

Most software distribution services have since moved their downloads to HTTPS, and the rest should do the same.

 


Chrome and Symantec – the Final “Trust” Solution


In March 2017 the Google Chrome team announced that it had found Symantec in violation of the industry standards for SSL certificate issuance (a series of mis-issued certificates) and intended to reduce trust in Symantec-issued certificates. Over the following four months Google, Symantec and other members of the internet community discussed the remedy, and on 27th July 2017 Chrome and Symantec announced their final plan to move forward.

If you operate a website that uses a Symantec SSL certificate, please read this post to see if future versions of Chrome will affect your specific certificate and how you can replace that certificate (for free) before anything goes into effect.

Are you affected?

If you are a current user of Symantec certificates or plan to purchase one in 2017, this could affect you.

As Symantec is one of the largest Certificate Authorities, a very large number of certificates are affected. Note that Symantec operates several brands, all of which are affected:

  • Symantec
  • GeoTrust
  • Thawte
  • RapidSSL

Also, note that Mozilla Firefox will be taking a similar course of action, but at this time they have not committed to a final plan.

What changes are expected in Google Chrome

The stages of Chrome's distrust plan below serve as deadlines; the dates are the expected stable-channel release dates of the Chrome versions concerned.

October 24th, 2017
Chrome 62 will display a message in Developer Tools to help identify certificates which will be affected by distrust in Chrome 66. Visit your websites with the Developer Tools panel open – this will allow you to identify which websites will be affected by distrust in Chrome 66.

December 1st, 2017
Symantec's partner Certificate Authority (DigiCert, which acquired Symantec's certificate business) begins issuing certificates on Symantec's behalf. As a customer you may notice small changes in the issuance process. Technically this date is significant because it marks the beginning of the "new" Symantec certificates: certificates issued after it chain to different roots and are not affected by Chrome's distrust.

April 17, 2018
All Symantec certificates issued before June 1st, 2016, will no longer be trusted by Chrome.
Certificates issued after June 1st, 2016 are not affected at all in this release. Replace any Symantec certificates issued before June 1st 2016 by this date. This can be done by reissuing your certificate for free from your provider and installing the new certificate in place of the old one. If your certificate expires around this time (April-June) you may want to consider renewing it, instead of reissuing, to avoid two replacements within a short time frame.

Late October 2018 (Chrome 70, expected around 23rd October)
All certificates issued from Symantec's existing infrastructure, whatever their issuance date, will no longer be trusted by Chrome. Use the Chrome 62 Developer Tools message described above to identify every certificate on your websites that this affects.

Our Recommended Plan of Action

To reduce the amount of disruption and effort required, we recommend the following action:

If your certificate expires BEFORE December 2017

We recommend you renew (instead of reissue) your certificates before December. This gives you a trusted certificate through the holiday season and until October 2018, when everything chaining to Symantec's existing roots is distrusted and must be replaced on your website. Alternatively, switch to certificates from a different Certificate Authority (CA) such as Comodo to avoid the issue entirely.

If your certificate expires DURING December

Symantec hopes to have their partner CA issuing certificates on December 1st (a Friday). If you can wait to reissue and replace your certificates until after this occurs, you will most-likely never need to replace your certificate files on your website until their natural expiration date.

However, delays may cause Symantec to miss the December 1st estimate, and the unusually high issuance volume at that time could cause technical problems.

In that case, if you are close to the expiry of your current certificate, you risk an outage. 'Holiday freezes' may also prevent you from replacing certificates during December.

If you do need to replace your certificate before Symantec’s partner CA is ready to issue certificates, you will need to replace the certificate files again before Chrome 70’s release (expected late Oct 2018).

Alternately, you can switch over to certificates from a different CA such as Comodo to avoid any issues.

If your certificate expires AFTER December 31st, 2017

We recommend you wait to replace any of your certificates until Symantec’s partner CA begins issuing certificates (expected December 1st, 2017). After this date you can begin reissuing and replacing certificates as needed. This way you need to replace your certificate files only one time.

Certificates issued by Symantec’s partner CA will not be affected by Chrome’s changes and will not need to be replaced until their natural expiration.

Special Case: If your certificate was issued BEFORE June 1st, 2016 and expires AFTER April 17th, 2018

You fall into a special case. Your certificate must be reissued and files replaced BEFORE the release of Chrome 66, which is expected April 17th, 2018 in order to remain trusted in Chrome.

However, you should wait until after December 1st 2017 to reissue your certificates. On this date, Symantec’s partner CA will begin issuing certificates. By waiting until this date you will only need to replace your certificate one time.

If you reissue before Symantec's partner CA is available, your new certificate will chain to one of Symantec's current roots and will need to be replaced again before October 2018.
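To turn the timeline and plan above into a repeatable check, here is an added example (not Google's, Symantec's or iWebz's code) that takes the certificate dict Python's `ssl.SSLSocket.getpeercert()` returns, decides which Chrome release (66 or 70) distrusts it, and maps it to the recommended action. It assumes the issuer's organisation name identifies the legacy Symantec brands (certificates issued by the partner CA carry a different organisation name and so pass), takes 23rd October 2018, the date Google gave as the expected Chrome 70 release, as the Chrome 70 cut-off, and adds VeriSign to the brand list above; the three sample certificates are constructed. The Developer Tools message in Chrome 62 remains the authoritative check.

```python
"""Map a server certificate onto Chrome's Symantec distrust timeline.

Input is the dict that ssl.SSLSocket.getpeercert() returns: names are nested
tuples of (attribute, value) pairs, dates look like 'May 10 00:00:00 2016 GMT'.
The three sample certificates are constructed for illustration.
"""
import ssl
from datetime import date, datetime, timezone

# Issuer organisation names on Symantec's legacy infrastructure. The page lists
# the first four; VeriSign (Symantec's older root brand) is added as an assumption.
LEGACY_SYMANTEC_ORGS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")

ISSUANCE_CUTOFF = date(2016, 6, 1)      # issued before this: distrusted in Chrome 66
CHROME_66_STABLE = date(2018, 4, 17)
CHROME_70_STABLE = date(2018, 10, 23)   # assumption: Google's expected Chrome 70 date
PARTNER_CA_START = date(2017, 12, 1)    # partner CA begins issuing
DECEMBER_END = date(2017, 12, 31)

SAMPLE_CERTS = {  # constructed, not real certificates
    "old": {"subject": ((("commonName", "shop.example.com"),),),
            "issuer": ((("countryName", "US"),),
                       (("organizationName", "Symantec Corporation"),),
                       (("commonName", "Symantec Class 3 Secure Server CA - G4"),)),
            "notBefore": "May 10 00:00:00 2016 GMT",
            "notAfter": "May 10 23:59:59 2018 GMT"},
    "mid": {"subject": ((("commonName", "blog.example.com"),),),
            "issuer": ((("countryName", "US"),),
                       (("organizationName", "GeoTrust Inc."),),
                       (("commonName", "RapidSSL SHA256 CA"),)),
            "notBefore": "Jan 15 00:00:00 2017 GMT",
            "notAfter": "Jan 15 23:59:59 2019 GMT"},
    "new": {"subject": ((("commonName", "api.example.com"),),),
            "issuer": ((("countryName", "US"),),
                       (("organizationName", "DigiCert Inc"),),
                       (("commonName", "GeoTrust RSA CA 2018"),)),
            "notBefore": "Dec 05 00:00:00 2017 GMT",
            "notAfter": "Dec 05 23:59:59 2019 GMT"},
}


def name_attr(rdn_sequence, attr):
    """Fetch one attribute from the nested tuples getpeercert() uses for names."""
    for rdn in rdn_sequence:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def cert_date(text):
    """Convert the getpeercert() date format to a date via the stdlib parser."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc).date()


def is_legacy_symantec(cert):
    org = (name_attr(cert["issuer"], "organizationName") or "").lower()
    return any(brand in org for brand in LEGACY_SYMANTEC_ORGS)


def distrust_release(cert):
    """'Chrome 66', 'Chrome 70', or None when the certificate is not affected."""
    if not is_legacy_symantec(cert):
        return None
    return "Chrome 66" if cert_date(cert["notBefore"]) < ISSUANCE_CUTOFF else "Chrome 70"


def recommended_action(cert, today):
    """Apply the plan of action: today may be a date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    release = distrust_release(cert)
    if release is None:
        return "not affected"
    expires = cert_date(cert["notAfter"])
    distrust_day = CHROME_66_STABLE if release == "Chrome 66" else CHROME_70_STABLE
    if release == "Chrome 66" and expires > CHROME_66_STABLE:
        # Special case: must be replaced before Chrome 66 whatever the expiry date.
        if today < PARTNER_CA_START:
            return "special case: wait for the partner CA (2017-12-01), then reissue before 2018-04-17"
        return "special case: reissue from the partner CA now, before 2018-04-17"
    if expires < PARTNER_CA_START:
        return "renew now from the legacy roots; replace again before Chrome 70"
    if expires <= DECEMBER_END:
        return "wait for the partner CA (2017-12-01) if expiry allows; otherwise replace now and again before Chrome 70"
    if expires <= distrust_day:
        return f"no early replacement needed: expires before {release}; renew from the partner CA at expiry"
    if today < PARTNER_CA_START:
        return f"wait for the partner CA (2017-12-01), then reissue before {release}"
    return f"reissue from the partner CA now, before {release}"


if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(label, distrust_release(cert), "->", recommended_action(cert, "2017-08-01"))
```

Run it against a live site by replacing the sample dict with `ssl.create_default_context().wrap_socket(socket.create_connection((host, 443)), server_hostname=host).getpeercert()`; the issuer check is a heuristic, so treat a positive result as a prompt to look at the Chrome 62 DevTools message rather than as the final word.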

UPDATE: Mozilla Firefox will follow more or less the same timelines as Google Chrome.

 


Let’s Encrypt certificate or a commercial SSL – the final verdict


Let's Encrypt background info

Let's Encrypt, which left beta in 2016, is a free, open certificate authority (CA) that provides website owners with the digital certificates needed to enable HTTPS (SSL/TLS).

It was launched by the Internet Security Research Group (ISRG), a public-benefit organization whose sponsors include the Mozilla Foundation, the Electronic Frontier Foundation (EFF) and Cisco Systems, with the aim of making HTTPS both affordable and easy to deploy.

Their main goal is to create a more secure, privacy-driven web.



GlobalSign Certificates Un-Trusted

GlobalSign Certificates Revoked

In October 2016, users around the world had trouble accessing some HTTPS websites because of a certificate revocation error at GlobalSign. Affected websites included those of the Financial Times, the Guardian, Wikipedia and Dropbox.

Most sites these days are installing SSL/TLS certificates to benefit from HTTPS. Websites secured by GlobalSign had the opposite experience, thanks to a mistake by the Certificate Authority.


The Goof-up...

While updating a special cross-certificate (one linking two of its roots), GlobalSign inadvertently caused its OCSP revocation service to report the intermediate certificates that chained through it as revoked. Browsers and other systems that fetched those responses treated the intermediates as revoked, which broke the chain of trust and effectively invalidated the SSL/TLS certificates GlobalSign had issued to its customers.

It could take until the beginning of next week for the incorrect revocation to clear from clients' caches, leaving visitors unable to reach their favourite webpages in the meantime. Sales at e-commerce websites using GlobalSign SSL/TLS certificates will also be badly hit.

Are you affected?

The problem will not hit everyone, because browsers, apps and other software check and cache revocation information differently. If your browser or mobile app has not picked up the revoked response, it should be fine.
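The incident comes down to a revocation answer about a certificate other than the leaf, which is why checking only your own certificate would have shown nothing wrong. The following is an added example (not GlobalSign's code and not part of the original post) that parses the text `openssl ocsp` prints for each certificate in a chain and gives a chain-level verdict, including how long clients may keep caching the responses. The two responder outputs embedded in it are constructed to mirror the incident (leaf good, intermediate reported revoked) and assume stdout and stderr were captured together, since openssl prints "Response verify OK" to stderr.

```python
"""Chain-wide OCSP check: one revoked intermediate breaks every leaf beneath it.

Feed it the text that `openssl ocsp -issuer issuer.pem -cert X.pem -url ... 2>&1`
prints for each certificate in the chain. The two responses below are
constructed to mirror the GlobalSign incident; they are not real responder output.
"""
import re
import ssl
from datetime import datetime, timezone

SAMPLE_OCSP_OUTPUT = {
    # constructed: the site's own certificate is reported as good ...
    "leaf.pem": (
        "Response verify OK\n"
        "leaf.pem: good\n"
        "\tThis Update: Oct 13 09:00:00 2016 GMT\n"
        "\tNext Update: Oct 20 09:00:00 2016 GMT\n"
    ),
    # ... but the responder says the intermediate that signed it is revoked
    "intermediate.pem": (
        "Response verify OK\n"
        "intermediate.pem: revoked\n"
        "\tThis Update: Oct 13 09:00:00 2016 GMT\n"
        "\tNext Update: Oct 20 09:00:00 2016 GMT\n"
        "\tReason: unspecified\n"
        "\tRevocation Time: Oct 13 08:00:00 2016 GMT\n"
    ),
}

STATUS_RE = re.compile(r"^(?P<name>.+?): (?P<status>good|revoked|unknown)$", re.M)
FIELD_RE = re.compile(
    r"^\t(?P<field>This Update|Next Update|Revocation Time|Reason): (?P<value>.+)$", re.M
)


def ocsp_time(text):
    """Parse the 'Oct 13 09:00:00 2016 GMT' form openssl prints (same as X.509 dates)."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def parse_ocsp_output(text):
    """Return (signature_verified, status, fields) for one openssl ocsp run."""
    verified = "Response verify OK" in text
    match = STATUS_RE.search(text)
    if match is None:
        raise ValueError("no certificate status line found in OCSP output")
    fields = {m.group("field"): m.group("value") for m in FIELD_RE.finditer(text)}
    return verified, match.group("status"), fields


def chain_verdict(outputs, now):
    """Combine per-certificate results: the chain is usable only if every link is good.

    Also reports until when clients may keep caching the responses (the latest
    'Next Update'), which bounds how long a wrong 'revoked' answer can linger.
    """
    problems = []
    cached_until = None
    for name, text in outputs.items():
        verified, status, fields = parse_ocsp_output(text)
        if not verified:
            problems.append(f"{name}: responder signature did not verify")
        elif status == "revoked":
            problems.append(f"{name}: revoked ({fields.get('Reason', 'no reason given')})")
        elif status == "unknown":
            problems.append(f"{name}: responder does not know this certificate")
        if "Next Update" in fields:
            next_update = ocsp_time(fields["Next Update"])
            if cached_until is None or next_update > cached_until:
                cached_until = next_update
    return {
        "ok": not problems,
        "problems": problems,
        "cached_until": cached_until,
        "stale": cached_until is not None and now > cached_until,
    }


if __name__ == "__main__":
    verdict = chain_verdict(SAMPLE_OCSP_OUTPUT, ocsp_time("Oct 14 00:00:00 2016 GMT"))
    for line in verdict["problems"]:
        print("PROBLEM:", line)
    print("chain ok:", verdict["ok"], "| responses cacheable until:", verdict["cached_until"])
```

The point of walking the whole chain is the one this incident made: a leaf that answers "good" is worthless if the intermediate above it answers "revoked", and a client that has cached that answer will keep failing until the cached response's Next Update passes.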

GlobalSign has released a full incident report to provide full disclosure on the Certificate Revocation Issue.

Our SSL certificate deals start as low as $6.00 per year!!

Due to our large-scale sourcing relationship from top global SSL brands such as COMODO, RapidSSL, GeoTrust and Thawte, you get the best SSL certificates at the best prices!

All certificates purchased via iWebz use SHA-256 signatures with 2048-bit RSA keys, and moving to HTTPS can also improve your website's Google search result ranking.


Visit our SSL Certificate store


Banned country list for SSL now includes Zimbabwe

ssl connection not secure

Websites from Zimbabwe can no longer obtain Extended Validation (EV), Organization Validation (OV) or Domain Validation (DV) SSL certificates: the country has been added to the restricted-country list that the major Certificate Authorities apply to new orders.

Countries are usually banned or restricted during periods of political unrest, when the security of information travelling in and out of the country may be compromised by the government or an outside party.

The banned country list for SSL certificates comprises Afghanistan, Cote d'Ivoire, Cuba, Eritrea, Guinea, Iraq, the Islamic Republic of Iran, the Democratic People's Republic of Korea, Liberia, Myanmar, Rwanda, Sudan, Sierra Leone, South Sudan, the Syrian Arab Republic and Zimbabwe.

The restrictions do not affect websites that already have SSL certificates, but any websites applying for new certificates are being denied.

 

HTTP websites to be discouraged in Google Chrome

Not Secure indicator for HTTP websites in Google Chrome

The release of Google Chrome 53 implemented the first phase of Google's long-term plan to make HTTPS the default on the web. It comes on the back of a milestone in Chrome usage:

More than half of Chrome desktop page loads are now served over HTTPS.

Not Secure treatment for HTTP

For now, Chrome marks every non-secure (HTTP) page with a neutral information icon that, when clicked, explains that the site has no encryption. From January 2017 (Chrome 56) this goes a step further: HTTP pages with password or credit card fields will be labelled "Not Secure".


Eventually, every website served over plain HTTP will get a red warning triangle and the words "Not Secure" in Chrome's address bar.
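Both this post and the FTP post above describe things Chrome will flag on a page you control: an HTTP page that collects passwords or card numbers (Chrome 56) and ftp:// download links (Chrome 63). The following is an added example (not Google's code and not part of either original post) that audits a page's HTML for both, so you can find the affected pages before the browser does. The sample page is constructed; the credit card detection (autocomplete "cc-" tokens or "card" in the field name) is an assumed, rough stand-in for Chrome's own heuristic.

```python
"""Audit a page for what Chrome flags: ftp:// links (Chrome 63) and password or
card fields served over plain HTTP (Chrome 56). The sample page is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SAMPLE_HTML = """<!doctype html>
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pw">
  <input type="text" name="cardnumber" autocomplete="cc-number">
  <button>Sign in</button>
</form>
<a href="https://cdn.example.com/app.zip">Download (HTTPS)</a>
<a href="ftp://ftp.example.org/pub/distro.iso">Download ISO (FTP)</a>
<img src="/logo.png">
</body></html>"""


class PageCollector(HTMLParser):
    """Collects ftp:// targets and input fields Chrome treats as sensitive."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.ftp_links = []
        self.sensitive_fields = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        # Any link, script/image source or form action that resolves to ftp://
        for attr in ("href", "src", "action"):
            if attr in a:
                target = urljoin(self.base_url, a[attr])
                if urlsplit(target).scheme == "ftp":
                    self.ftp_links.append(target)
        if tag == "input":
            label = a.get("name") or a.get("id") or "(unnamed)"
            hints = " ".join((a.get("autocomplete", ""), a.get("name", ""), a.get("id", ""))).lower()
            if a.get("type", "text").lower() == "password":
                self.sensitive_fields.append(("password", label))
            elif "cc-" in hints or "card" in hints:
                # Assumption: a rough stand-in for Chrome's card-field heuristic.
                self.sensitive_fields.append(("credit-card", label))


def audit(page_url, html):
    """Return what was found on the page plus the Chrome warnings it triggers."""
    collector = PageCollector(page_url)
    collector.feed(html)
    collector.close()
    scheme = urlsplit(page_url).scheme
    warnings = []
    if scheme == "ftp":
        warnings.append("page is served over FTP: marked Not Secure from Chrome 63")
    elif scheme == "http":
        if collector.sensitive_fields:
            warnings.append("HTTP page with password/card fields: marked Not Secure from Chrome 56 (January 2017)")
        else:
            warnings.append("HTTP page: neutral indicator now, Not Secure planned for all HTTP pages")
    if collector.ftp_links:
        warnings.append(f"{len(collector.ftp_links)} ftp:// link(s) will open as Not Secure from Chrome 63")
    return {
        "scheme": scheme,
        "ftp_links": collector.ftp_links,
        "sensitive_fields": collector.sensitive_fields,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for url in ("http://example.com/login", "https://example.com/login"):
        result = audit(url, SAMPLE_HTML)
        print(url)
        for warning in result["warnings"]:
            print("  -", warning)
```

Pointing `audit()` at your own pages (fetch the HTML however you like and pass the URL it was served from) gives you the list of pages to move to HTTPS first and the download links to rewrite, rather than waiting for the address bar to tell your visitors.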




Let’s Encrypt Free SSL Certificates – What You Need To Know

About Let’s Encrypt

Let's Encrypt is a new non-profit Certificate Authority (CA) run by the Internet Security Research Group (ISRG) and sponsored by industry advocates such as the Electronic Frontier Foundation (EFF) and Mozilla. Let's Encrypt offers free SSL certificates.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Let’s Encrypt Will Have Major Limitations

Unfortunately, Let's Encrypt has some notable limitations that follow from its funding and infrastructure. Because it issues only free certificates, it can offer only automated, basic-encryption Domain Validated (DV) certificates, without the other features that typically come with commercial SSL certificates.

Other observations that undermine Let’s Encrypt

Because the certificates are free and open to anyone, malvertisers and other bad actors can obtain them for all of their websites. This lets them encrypt the traffic to their servers, making detection by the good guys harder. This undermines the trust factor of Let's Encrypt and could lead to its certificates being distrusted in future.

Unlike longer-established brands such as COMODO, Thawte, GeoTrust and Symantec, the root certificate that Let's Encrypt certificates chain to may be missing from the trust store of older operating systems such as Windows XP. (Intermediate certificates are sent by the server during the TLS handshake, but the chain is trusted only if it ends at a root already present on the client.) Users on those systems will see certificate errors and so will not transact.

Years of Experience Taught us That Users Need More than a Free Certificate

We have worked with many customers and if our experience has taught us anything, it’s that SSL can be confusing, and many people need help. Knowing what type of certificate you need and how you will get it successfully working on your network are the most common and most serious questions our customers have.

Let’s Encrypt’s one-size-fits-all approach isn’t perfect. A personal blog has different needs than a corporate homepage. We believe there is a perfect solution for everyone: personal attention and attentive support behind globally recognized brands. A free service cannot afford to give that to their non-paying customer.

Our Assessment of Let’s Encrypt

We do not think Let's Encrypt is a viable option for commercial use of any kind; you should continue to buy from established Certificate Authorities (CAs) such as Symantec, Comodo, GeoTrust, RapidSSL and Thawte, especially since basic Domain Validated (DV) certificates are available at extremely low prices and still carry a brand name recognised by most web users.