Category: Cyber Security

What is Domain Masking: Everything you need to know about it 1

What is Domain Masking: Everything you need to know about it

What is Domain Masking: Everything you need to know about it

Domain masking, also known as URL masking or domain cloaking, is a technique used to redirect visitors from a domain or subdomain to another website, while keeping the original domain or subdomain in the URL bar. The main purpose of domain masking is to make a website appear to be hosted on a different domain, without changing the underlying website’s URL.

What is Domain Masking: Everything you need to know about it 2

For instance, if your brand or company owns the domain “example.com” and wants to redirect visitors to the main website, which is located at “mainwebsite.com”, they can set up a redirect on the server for “example.com” to “mainwebsite.com”. 

When a visitor types in “example.com” in their browser, they will be redirected to “mainwebsite.com”, but the URL in the browser will still show “example.com”. This way, if someone creates a phishing website using your brand’s name, visitors will be directed to your legitimate website instead.

Why Domain Masking: 3 reasons of using and 1 malicious usage to be aware of

What is Domain Masking: Everything you need to know about it 3

In today’s digital age, protecting your brand’s reputation is more important than ever. With the rise of phishing scams and malicious content, it’s crucial to take steps to ensure that your brand is not associated with anything that could harm its reputation. By implementing domain masking, you can protect your brand from being associated with potentially harmful or malicious content.

1. Protect your brand’s reputation

One of the main reasons why people use domain masking is to protect their brand digitally. For example, if a company owns several different domain names, they may want to redirect visitors who type in one of the unused domain names to their main website. This can prevent confusion and ensure that visitors always land on the correct website. 

Additionally, it can also be used to hide affiliate links, so that they do not appear to be affiliate links, but instead appear to be part of the website’s main domain.

2. Protecting Privacy

The next use case of domain masking is to protect the privacy of the website owner. Some website owners may not want to reveal their personal or business information on the WHOIS record of their domain name, as it can be accessed by anyone. By using domain masking, the personal or business information is hidden and replaced with the information of the domain masking service provider. This can protect the privacy of the website owner and prevent unwanted contact or spam.

3. Domain Parking

Another use of domain masking is for domain parking. Domain parking is when a domain name is registered, but no website is built on it yet. Instead, the domain is pointed to a “parking page” which may show ads and links related to the domain name. This can be a way for the domain name owner to make some income, as visitors may click on the ads and links on the parking page. By using domain masking, the parking page can be made to appear as if it is part of the domain name, rather than a separate page.

4. Malicious Use

What is Domain Masking: Everything you need to know about it 4

However, it’s important to note that domain masking can also be used for malicious purposes. Some spammers or scammers may use domain masking to hide the true origin of a website or to make a website appear more trustworthy than it actually is. 

For this reason, it is important to be cautious when clicking on links from websites that use domain masking and to always verify the authenticity of a website before entering any personal or financial information.

How does Domain Masking work?

This can be done using a redirect in the website’s server or by using an iframe.

Redirects

This is done by configuring the server to redirect all requests for a specific domain or subdomain to another website. For example, a company can redirect visitors from “example.com” to their main website “mainwebsite.com” while keeping the URL as “example.com”

Iframes

Another method to implement domain masking is through the use of an iframe, an HTML element that allows a website to embed another website within its own webpage, while keeping the original domain or subdomain in the URL bar. This method is commonly used by domain parking providers to show ads and links related to the parked domain.

Domain Name Registrar

In most cases, you can use domain masking by contacting your domain registrar and requesting for domain masking. They will provide you with the necessary steps to set it up and point your domain to the desired web page.

What company/ organization needs a Domain Masking?

There are a variety of companies and organizations that may need to use domain masking. Some examples include:

  • E-Commerce companies may want to use domain masking to redirect customers to a specific landing page or product page, while keeping the original domain or subdomain in the URL bar.
  • Banks & other Financial institutions may want to use domain masking to protect their customers from phishing scams and ensure that they are always directed to the institution’s legitimate website.
  • Non-profit organizations (NPO) may want to use domain masking to redirect visitors to a specific campaign or donation page, while keeping the original domain or subdomain in the URL bar.
  • Government agencies may use domain masking to protect citizens from phishing scams and ensure that they are always directed to the agency’s legitimate website.
  • Educational institutions may want to use domain masking to redirect students and faculty to specific portals or resources, while keeping the original domain or subdomain in the URL bar.
  • Marketing agencies may want to use domain masking to redirect visitors to a specific landing page or campaign, while keeping the original domain or subdomain in the URL bar.
  • IT companies may want to use domain masking to redirect visitors to specific services or resources, while keeping the original domain or subdomain in the URL bar.

These are just a few examples of companies and organizations that may need to use domain masking. Ultimately, any company or organization that wants to protect its brand’s reputation and ensure that its visitors are always directed to its legitimate website may want to consider using domain masking.

In summary, it is a useful tool for protecting your brand, domain parking, protecting privacy. It’s important to be cautious when clicking on links from websites that use domain masking and to always verify the authenticity of a website before entering any personal or financial information.

Author: Liaw Chan Kang

What is Digital Trust: Why It Matters 5

What is Digital Trust: Why It Matters

Introduction

Digital trust is a critical component of our online lives. With the ever-increasing presence of technology and the internet, we rely on digital platforms and devices for nearly everything, from communication and entertainment to banking and shopping.

However, as our dependence on technology grows, so do concerns about privacy, security, and the credibility of the information we find online. In this blog post, we will dive into the concept of digital trust and why it is so essential in today’s digital world.

What is Digital Trust?

Digital trust refers to the confidence and belief that individuals have in the technology, platforms, and information they interact with online. It encompasses various aspects, including data privacy, cybersecurity, and the credibility of information.

Digital trust is important as we rely more on technology and the internet for various aspects of our lives, it is crucial that we can trust that our personal information is protected and that the information we receive is accurate and reliable.

Without digital trust, individuals may be hesitant to use online platforms and services, and it can lead to a lack of confidence in the digital economy. Building and maintaining digital trust is essential for ensuring a safe and secure digital environment for all users.

Understanding Digital Trust

Trust is the belief in the reliability, truth, ability, or strength of someone or something. In the digital world, trust refers to the confidence we have in the technology and platforms we use, as well as the information and people we interact with online. Digital trust encompasses a wide range of issues, including data privacy, cybersecurity, and the credibility of information.

1. Data Privacy Concerns

What is Digital Trust: Why It Matters 6

One of the most significant concerns in today’s digital world is data privacy. With the rise of social media and other online platforms, we share more personal information than ever before. This information can include everything from our location and browsing habits to our financial information and personal contacts.

Unfortunately, not all companies and organizations handle this information responsibly, and data breaches are unfortunately common. To build digital trust, it’s vital that companies and organizations are transparent about how they collect and use our personal information and take steps to protect it from hackers and other malicious attacks.

2. Cybersecurity Risks

What is Digital Trust: Why It Matters 7

Cybersecurity is another vital aspect of digital trust. As we rely more on technology, our vulnerability to cyber-attacks increases. These attacks can take many forms, from phishing scams and malware to more sophisticated attacks like ransomware.

To build digital trust, it’s essential that companies and organizations take steps to protect their systems and networks from these threats. This includes implementing robust security measures, such as firewalls and encryption, and providing regular security updates to their products and services.

3. The Credibility of Information

What is Digital Trust: Why It Matters 8

The credibility of information is also a key aspect of digital trust. With the rise of social media and other online platforms, it is effortless for misinformation and fake news to spread. This can lead to confusion and mistrust and can even have severe real-world consequences.

To build digital trust, it’s vital that companies and organizations take steps to ensure the accuracy and credibility of the information they share. This includes fact-checking information before it’s shared and providing context and background information to help readers understand the information they’re reading.

Challenges of Digital Trust

One of the biggest challenges in building digital trust is the complexity of the issue. As technology evolves and new platforms and devices emerge, the risks and challenges associated with digital trust also change. For example, the rise of the Internet of Things (IoT) has created new security challenges, as these devices often have limited security capabilities and can be hacked.

Additionally, the use of artificial intelligence (AI) and machine learning (ML) is also raising concerns about the potential for these technologies to be used for malicious purposes, such as spreading misinformation or invading privacy.

Building Digital Trust

Through education and awareness

One of the effective ways to build digital trust is through education and awareness. As individuals, it is important that we take steps to protect our own personal information and to be aware of the risks associated with using technology.

This includes being cautious about sharing personal information online, using strong passwords, and keeping our software and devices updated. Additionally, it is important that we are critical of the information we find online, and that we fact-check information before sharing it with others.

Government roles in building Digital Trust

What is Digital Trust: Why It Matters 9

The role of government and regulatory bodies in building digital trust is also an important consideration. Governments have a responsibility to protect citizens from cyber threats and to ensure that companies and organizations are transparent about how they collect and use personal information. For instance by creating and enforcing laws and regulations to protect critical infrastructure and sensitive information.

In some countries, they also have a dedicated Cybersecurity agency that works to protect the country’s infrastructure and citizens from cyber threats. Some examples include:

These are just a few examples, and the specific agencies responsible for protecting the country’s infrastructure and citizens from cyber threats by providing guidance, resources, and incident response capabilities. They also work with private sector organizations and international partners to improve the overall cybersecurity posture of the country.

Corporate Governance in building Digital Trust

What is Digital Trust: Why It Matters 10

Corporate governance also plays a key role in building digital trust. Companies have a responsibility to protect their customers’ personal information and to be transparent about how they collect and use it. This includes implementing robust security measures, such as firewalls, privacy policy, data encryption, and providing regular security updates to their products and services.

Moreover, companies should have a clear governance structure that includes a board of directors and a management team responsible for ensuring compliance with laws and regulations related to data privacy and cybersecurity. This includes regular risk assessments and incident response plans, as well as regular training for employees on data privacy and cybersecurity best practices.

Furthermore, companies should also have a system of internal controls in place to ensure the integrity of their data and to detect and prevent data breaches. These internal controls may include regular monitoring of network activity and user access, as well as regular testing of security systems and procedures.

WebNIC Cybersecurity products

There are many different cybersecurity products available on the market, each designed to protect against specific types of threats. Below are a few examples of popular cybersecurity products WebNIC are offering:

AdultBlock

The AdultBlock service blocks all unauthorized domain registrations of the submitted term in all four adult-themed TLDs – .adult, .porn, .sex, and .xxx.

Trademark Clearinghouse (TMCH)

Protect Your Trademark Rights for All New gTLDs Expansion

Document Signing Certificates

Document signing is the action of adding a trusted digital signature to a document. During the process, a PKI-based digital certificate issued by a certificate authority (CA) generates the digital signature. The document owner can then easily use it to sign any documents with just a simple click!

SECTIGO WEB

Automate and simplify web security solutions to deliver an all-in-one and comprehensive web security service to your customers!

Website Hijack Protection

An extra layer of protection from “Domain Hijacking”. The lock blocks unauthorized access for changes to update, delete or transfer. Also, it would against unauthorized modifications from unauthorized person.

Verified Mark Certificates

A Verified Mark Certificate (VMC) is a digital certificate issued by certificate authority that verifies the ownership of a logo. Before getting a VMC, the logo must be a registered trademark.

SSL Certificates

SSL certificates provide improved security for a business owner’s website by encrypting data communication between Internet browsers and servers. The little padlock or the green address bar which shows https ensures the authenticity of the website owner. It provides not only a secure connection, but also more confidence for website users.

These are just a few examples of the many cybersecurity products available, and the specific products and solutions used will vary depending on an organization’s needs and the types of threats they are trying to protect against.

Conclusion

In summary, digital trust is a vital component of our online lives. It encompasses a wide range of issues, including data privacy, cybersecurity, and the credibility of information. As we rely more on technology and the internet, it’s essential that we take steps to build and maintain digital trust.

This includes being transparent about how our personal information is collected and used, implementing robust security measures, and ensuring the credibility of the information we share. By taking these steps, we can create a safer and more trustworthy digital world for everyone.

Author: Liaw Chan Kang

What is Public Key Infrastructure, PKI 11

What is Public Key Infrastructure, PKI

What is Public Key Infrastructure, PKI

Introduction

Public Key Infrastructure (PKI) is a system of digital certificates, cryptographic keys, and trusted third-party authorities that are used to secure electronic communications and transactions. PKI uses a combination of private and public key encryption to secure data and ensure that only authorized parties can access it. 

PKI also includes a system of trusted third-party certificate authorities that issue and manage digital certificates, which are used to authenticate the identity of the parties involved in a transaction.

What is Public Key Infrastructure, PKI 12

How does PKI work?

PKI works by using a pair of encryption keys, one public and one private, to secure data. The private key is kept secret by the owner and is used to decrypt data that was encrypted with the corresponding public key. The public key, on the other hand, can be shared with others and is used to encrypt data. The process of encrypting and decrypting data with these keys ensures that only authorized parties can access it.

PKI is an essential tool for keeping our digital lives secure, and it is used in a wide range of applications beyond just securing website communications. From securing email and financial transactions to protecting our personal privacy through IoT devices, PKI is a vital component of our digital security infrastructure.

What is Public Key Infrastructure, PKI 13

Use Cases of Public Key Infrastructure (PKI)

Refers and credit to a blogpost from Digicert; Digital signatures, encrypted and authenticated email communications, and physical and virtual smart card authentication are some of the use cases for Public Key Infrastructure (PKI).

We had summarize what we had studied from Digicert blogpost – “3 SURPRISING USES OF PKI IN BIG COMPANIES AND HOW TO ENSURE THEY ARE ALL SECURE

Digital signatures:

PKI allows for digital signing of important documents, such as contracts, to ensure that the signature is genuine, the document has not been tampered with, and that only authorized parties can access it. Digital signature platforms that use PKI should allow for document authorship, data/content integrity, certificate and signing management, and the confirmation of the identity of the sender.

Encrypted and authenticated email communications:

PKI can be used to encrypt and authenticate email communications, ensuring that the contents of the email are private and that the recipient can verify that it came from the sender. This is particularly important for organizations that handle sensitive personal information, as it ensures compliance with regulations like the EU’s GDPR or California’s CCPA.

Physical and virtual smart card authentication:

Smart cards are becoming more common across various industries, such as healthcare, where they can help reduce data breaches and fraud, provide better data capture, and place authentication and data access in the hands of employees themselves. PKI can be used to provide a secure, chip-based system that can be stored on an employee’s mobile device, reducing the likelihood of patient data leakage.

Other uses of Public Key Infrastructure (PKI)

Secure Email: PKI is often used to secure email communication, by providing digital signatures and encryption for messages. This ensures that only the intended recipient can read the email, and that the sender is who they claim to be.

Banking and Financial Transactions: PKI is also used in the banking and finance industry to secure online transactions and protect sensitive financial information. Banks and other financial institutions use PKI to authenticate customers and to ensure that transactions are secure and tamper-proof.

Internet of Things (IoT) devices: PKI is increasingly being used to secure IoT devices, such as smart home devices, connected cars, and medical devices. These devices often collect and transmit sensitive personal information, so using PKI to secure the communication and control access to these devices is critical to protect individuals’ privacy.

What is Public Key Infrastructure, PKI 14

Do I need Public Key Infrastructure?

PKI is used by a wide range of organizations and individuals to secure electronic communications and transactions. Some examples of who may need PKI include:

Businesses: Companies that handle sensitive information, such as financial data or personal information, may use PKI to secure their communications and transactions. This can include online shopping websites, banks, and other financial institutions.

Government agencies: PKI is often used by government agencies to secure communications and transactions that involve sensitive information. This can include things like tax returns, social security numbers, and other personal information.

Healthcare organizations: PKI is used by healthcare organizations to secure sensitive medical information and protect patient privacy. This can include things like electronic health records, medical device communications, and telemedicine.

IoT device manufacturers: PKI can be used to secure Internet of Things (IoT) devices, such as smart home devices and connected cars. This is important because these devices often collect and transmit sensitive personal information.

Individuals: PKI can be used by individuals to secure their online communications and transactions, such as online banking, email, and social media.

Overall, PKI is used by a wide range of organizations and individuals to secure electronic communications and transactions. It plays a vital role in keeping our digital lives secure by ensuring the authenticity and confidentiality of the data exchanged between parties.

What is Public Key Infrastructure, PKI 15

Conclusion

In summary, PKI is a security system that uses digital certificates, encryption keys, and trusted third-party authorities to secure electronic communications and transactions. It plays a vital role in keeping our digital lives secure by ensuring the authenticity and confidentiality of the data exchanged between parties.

Author: Chan Kang

Who is domain name registrar 16

Who is domain name registrar

Very often we received question from the public and from our own social media platforms regarding the question “Who is domain name registrar”. On this blog post, WebNIC Academy would like to describe attentively on Domain Name Registrar.

Who is domain name registrar

A domain name registrar is a company or organization that is responsible for managing the registration of domain names. These companies provide a service that allows individuals and organizations to reserve a specific domain name, such as “example.com” for their own use. WebNIC is a good example of domain name registrar.

A generic top-level domain (gTLD) registry or a country code top-level domain (ccTLD) registry must accredit a domain name registrar. A registrar follows the rules set out by the designated domain name registries when conducting business. 

Read more about gTLD and ccTLD here

Who is domain name registrar 17

What does a domain registrar do?

When you register a domain name, you are essentially reserving the right to use that specific combination of letters and numbers as the address for your website. This allows you to create a unique and easily memorable web address for your business or personal website.

Domain name registrars play a crucial role in the functioning of the internet. Without them, it would be nearly impossible for individuals and organizations to secure the domain names that they want to use for their websites.

Who is domain name registrar 18

Choosing a Domain Name Registrar

There are many different domain name registrars to choose from, each with their own set of features and pricing structures. Some of the most well-known registrars include GoDaddy, Namecheap, and WebNIC.

When selecting a domain name registrar, it is important to consider a few key factors. First, you should consider the reputation of the registrar. Look for a company that has a track record of providing reliable service and helping their customers secure the domain names that they want.

You should also consider the pricing of the registrar’s services. While it is important to find a registrar that offers competitive pricing, be wary of any company that seems too good to be true. Cheap prices may come with hidden fees or subpar service.

Who is domain name registrar 19

Domain Name Registrar Additional Services

Finally, you should consider the additional features that the registrar offers. Some registrars offer additional services such as cloud solution, website hosting, email hosting, and e-security features. These features can be helpful, user should be to consider whether you actually need them before buying these additional services.

Conclusion

In summary, a domain name registrar is a company that helps individuals and organizations reserve unique domain names for their websites. When selecting a registrar, be sure to consider the reputation, pricing, and additional features of the company. With the right registrar, you can secure the perfect domain name for your website.

Who is domain name registrar 20

About WebNIC

WebNIC operates a digital reseller platform covering primarily domain name registration for over 700 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected]info.webnic.cc.

Securing your Email with<br>Digital Trust 21

Securing your Email with
Digital Trust

Securing your Email with Digital Trust

With phishing attacks now commonplace, corporate information security programs routinely train on how to avoid email compromise. However, the frequency of email attacks has dramatically accelerated over the last couple of years. In their most recent quarterly report, the
Anti-Phishing Working Group reported the highest level of phishing activity on record: four times the number of attacks since early 2020. Other organizations reported staggering increases in suspicious emails targeting remote workers at the start of the pandemic, taking advantage of changing work habits.

Securing your Email with<br>Digital Trust 22

This changing landscape raises the question: how do you enable email recipients to be certain of sender identity and email content integrity? A well thought out digital trust strategy can inject this important layer of security into email communications, making it easy for email recipients to readily differentiate between trusted and suspicious communication.

3 steps on how to ensure email recipients' sender and content integrity?

Step 1: Establish trust

The foundation of trust in email security is the S/MIME digital certificate. S/MIME stands for Secure/Multipurpose Internet Mail Extension, an industry standard for email signature and encryption supported by most corporate email clients. S/MIME certificates enable users to digitally sign emails, verifying the authenticity of the sender and indicating that the email contents have not been altered. S/MIME digital certificates can also be used to encrypt emails, protecting email communication containing sensitive information from data interception.

Securing your Email with<br>Digital Trust 23

Step 2: Manage Trust

The next step to consider is the management of S/MIME certificates within an organization. IT leaders note that when measures that improve security are optional or dependent on actions taken by a non-technical corporate user, adoption can be a challenge. Companies can solve this problem by automating the provisioning of digital certificates such as S/MIME. To accomplish this, companies can leverage PKI management solutions that integrate directly with corporate directory services to automate the installation, renewal and revocation of certificates. This reduces the burden on IT technical support, ensures adherence to preferred security measures or corporate policy, and eliminates any provisioning or revocation gaps that can impact productivity or security.

When S/MIME is used for encryption, there are additional measures needed that benefit from the automation and integration capabilities of PKI management solutions. For example, when using S/MIME for encryption, users need to hold the same private key in the multiple devices where they receive email to decrypt communications. Otherwise, they will be limited to reading email only on the desktop or device where the key is present. Additionally, end-users need to preserve key histories to retrieve email records should laptops or other hardware crash or be compromised. IT security teams managing the PKI infrastructure should support key escrow and recovery to support users who need to retrieve keys or to fulfill legal requests for email histories.

PKI management solutions that can integrate with Unified Endpoint Management (UEM) solutions such as Microsoft Endpoint Manager and automatically manage key escrow simplify these aspects of certificate lifecycle management.

Encryption may be required in industries where sensitive data is transmitted by email, such as financial services firms communicating personal financial data or healthcare companies communicating personal health information. It may also be required by corporate policy for specific types of internal or external communications to protect data confidentiality or intellectual property.

Best practices in S/MIME management suggest that when encryption is required, separate certificates be used for digital signatures and for encryption. This is because the key escrow requirements of encryption can compromise the non-repudiation characteristics of a digitally signed email. Companies can also decide whether their business needs require encryption at the individual user level or whether it is preferable to encrypt communications at the point of an email gateway.

Step 3: Extend trust

Digital trust architects can next consider whether they need to secure email within an organization or between organizations. If email communication is staying within the corporate domain, IT professionals can use private S/MIME certificates chaining up to a private CA or intermediate.

If companies are securing email sent outside of corporate boundaries, then public S/MIME certificates must be used that chain up to a publicly trusted root such as DigiCert. Companies can also consider setting up a public dedicated intermediate CA that can be branded with their organization name. The ICA can chain up to the publicly trusted root but will allow certificates to inherit the ICA branding of the organization.

Securing your Email with<br>Digital Trust 24

DMARC & VMC

Securing your Email with<br>Digital Trust 25

Image source from digicert.com

Companies can also adopt other measures to combat phishing within an organization, such as implementing Domain-based Message Authentication, Reporting & Conformance (DMARC). DMARC is an email authentication, policy and reporting protocol that helps prevent organizations against phishing.

Companies that have adopted DMARC can use Verified Mark Certificates (VMCs) to display a verified organization logo alongside emails. VMCs validate that a company has implemented DMARC and that the logo being displayed is a trademarked entity of the organization. Email messages with brand logos indicate that the sender has met the strong security and authentication requirements of DMARC and VMCs.

The presence of a brand logo increases consumer trust in the email being sent and differentiates it from emails sent without a brand logo indicator. Some email clients, such as Apple, are going one step further and including “digitally certified” in VMC-related email headers.

Over time, the widespread adoption of VMCs can be another vehicle for enabling email recipients to easily distinguish digitally certified emails from business email imposters.

DNS traffic monitoring

Finally, companies can look to their DNS service as another key component of their email trust initiatives. DNS traffic is a rich source of data that can be analyzed using machine learning to show what is and isn’t normal for a domain. Traffic anomaly detection can detect and predict suspicious or unusual activity, enabling IT professionals to thwart directed attacks.

Securing your Email with<br>Digital Trust 26

Image source from freepik

With email attacks on the rise, corporate training programs may be insufficient by themselves to enable employees to adequately protect their organization’s confidential or sensitive data or their personal credentials. And with phishing strategies becoming more sophisticated, it can be increasingly difficult for consumers to know when they are interacting with a trusted brand or an email imposter. Implementing a strong foundation of digital trust in email communication can help prevent credentials, sensitive data, or financial compromise. That is where digital trust meets the real world.

Securing your Email with<br>Digital Trust 27

About WebNIC

WebNIC operates a digital reseller platform covering primarily domain name registration for over 700 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected]info.webnic.cc.

(Source by: https://www.digicert.com/blog/securing-digital-trust-in-email-communications)

Building Confidence In Secure Elections With Digital Trust 28

Building Confidence In Secure Elections With Digital Trust

Building Confidence In Secure Elections With Digital Trust 29

Trust in national election results is the backbone of a democratic society. At the heart of that trust is citizen confidence in the integrity of the election processes, including authenticity of the ballots, voter identification, ballot counting and certification of the outcome. To build this trust, citizens need to know that the data and processes on which an election outcome is based have not been intercepted, altered or hacked.

In some cases, citizens may be concerned about election interference, such as when phony ballot boxes were deployed in several California counties in 2020. In other cases, citizens experienced the consequences of flawed ballot design, which occurred during the 2000 U.S. national election and forced seemingly subjective analysis of partially perforated ballots by election officials to determine intent of the voter. It was during that national election that the world became familiar with the term “hanging chad” and the concept of what degree of ballot perforation signaled voter intent.

Securing election processes with digital trust is one mechanism for providing transparency and building citizen confidence in election results. It is a meaningful place where digital trust intersects with real world outcomes.

Digital trust has its roots in public key infrastructure (PKI), and is based on a set of technologies and processes that govern the issuance and use of digital certificates to verify identity, encrypt communication and ensure integrity of data being received (see Building Blocks of Digital Trust). A widely recognized use of digital certificates is securing websites. Websites display a padlock in the navigation toolbar to signal that they are secured by a digital certificate: the website identity has been verified, that communications with a website visitor are encrypted and information being viewed has not been altered. This combination of identity, encryption and data integrity provides web visitors with digital trust: the confidence that they can move freely around the internet.

Let’s now take a look at how the confidence that results from digital trust can be built into election processes:

Building Confidence In Secure Elections With Digital Trust 30

1. Signaling ballot authenticity

The ballot is the key instrument for recording a voter’s preferences. For the most part, paper processes work. However, mailed ballots can be intercepted, replaced, misplaced, lost in the mail. A digital ballot can be signed with a government eSeal that, like the website padlock, signals to the voter that the digital document is authentically from the government (or issuing body), and that it has not been altered while in transit.

Building Confidence In Secure Elections With Digital Trust 31

2. Secured voter and poll worker identity

Secured identity is the next step in establishing a chain of trust. Poll workers and/or voters can establish a unique digital identity backed by a digital certificate. Secured digital identities are similar to passports, in electronic form. They document that an individual has demonstrated credentials that have been verified through preset steps. Digital identities can be used for a number of purposes, including authentication to applications, to corporate networks, to government services, and for signing documents.

Building Confidence In Secure Elections With Digital Trust 32

3. Digitally signed ballots and/or ballot counts

Digital signatures, in turn, cryptographically bind a digital identity to a document. For a voter who is digitally signing a ballot, digital signatures attest to signer identity and to signature authorization. They further verify that the document has not been altered since signature and record the timestamp of signature. In many ways, digital signatures have the potential to remove attack surfaces (and human error) that can be present in paper processes: identities cannot be manipulated, ballots cannot be intercepted, attempts to alter the document are traceable. And with digital signatures, there is no ambiguity of intent that is present with the hanging chad.

Digital signatures, in this way, can establish a chain of trust: they indicate that the ballot signed was an an authorized ballot, that the voter is the signer, that the voter is authorizing their vote, that they voted within the voting window and that their vote has not been altered. Similarly, poll workers can digitally sign ballot counts, cryptographically binding their identity to the count results. In this way, a chain of trust can be established for poll reporting.

Building Confidence In Secure Elections With Digital Trust 33

From paper to digital: it’s about more than productivity

Digital transformation often speaks to productivity gains made from moving from face-to-face, paper-based processes to digital processes. However, digital trust initiatives can deliver more than just productivity. They can increase the overall level of trust in processes by removing the possibility for breaks in security. With accurate ballots, cryptographically bound to citizens with verified identities, we can be sure that the right person signed an authorized ballot, that they have authorized their signature and that the counts associated with the votes have in turn been appropriately validated. This creates an indisputable election outcome.

This is where digital trust meets the real world.

Building Confidence In Secure Elections With Digital Trust 34

About WebNIC​

WebNIC operates a digital reseller platform covering primarily domain name registration for over 700 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected].

(Source by: https://www.digicert.com/blog/secure-elections-with-digital-trust)
DigiCert Verified Mark Certificate (VMC) - What, Why & How? 35

DigiCert Verified Mark Certificate (VMC) – What, Why & How?

What is DigiCert Verified Mark Certificate (VMC)?

VMC is a digital certificate that verifies an organisation’s ownership of a logo. It is a sign of authenticity and having it means your organisation has been verified to be the legal owner of your brand logo.

It is required in the implementation of Brand Indicators for Message Identification (BIMI), a relatively new email specification standard in which the email industry is moving towards. In addition, it also helps companies to strengthen and protect their brand power in one of the most important communication tools of our era, emails.

Why is that so? See the difference in the way emails are displayed below and you will understand why.

DigiCert Verified Mark Certificate (VMC) - What, Why & How? 36

The left image is without VMC, whereas
the right image is with VMC implemented.

To have your logo displaying in email inboxes, have you ever wondered how to do it? It is not as simple as changing the profile picture. Instead, you need to correctly implement BIMI to achieve it. After implementation, if the email clients are able to support BIMI, your logo will be rendered next to the “sender” field. End users will see your mark, which means your organisation has been authenticated, even before they start to read your message.

What is BIMI?

BIMI is a collective effort from various email service provider brands such as Google, Mailchimp, Yahoo and many more to define an emerging email specification. It is an initiative to move the email industry towards a secured and consistent email experience, for both businesses and consumers alike.

It is directly connected to strict requirements involving email authentication and advance technical knowledge, especially regarding your DMARC settings. The objective behind BIMI is to encourage businesses to use stronger email authentication, which is more secured and safer for everyone.

DigiCert Verified Mark Certificate (VMC) - What, Why & How? 37

 

Why do you need VMC?

Email communication is moving to the new specification BIMI, which enables organisations to display their verified brand logo in customer’s inbox. The steps to implement BIMI will require you to have a VMC.

However, only some organisations are recognised to act as authorities to verify brand logo in which they will issue a VMC after completing the verification. DigiCert, a leading Certificate Authority (CA) in the world, is one of them and they are known as the pioneer of VMC technology.

VMCs help customers to see a verified organisation’s logo in their inbox, before they even open the email. They help distinguish messages from verified brands among the many emails in the inbox. They also promote DMARC adoption, encouraging brands to take email protection seriously to protect against attacks like spoofing and impersonation.

In addition, they boost the authenticity, recognisability and consistency of a brand experience from email to conversion. They also increase email deliverability, open rates and engagement rates. Displaying a verified brand logo will help drive millions of new brand impressions, as well as controls brand consistency at scale.

DigiCert Verified Mark Certificate (VMC) - What, Why & How? 38

How to implement VMC for BIMI?

To qualify for a VMC certificate, there are a few requirements.

1. Your domains must be fully DMARC compliant. DMARC combats email spoofing and phishing. If you require assistance in setting DMARC, contact us and our team will assist you.
2. Your organization’s logo must be a legally registered trademark. Supported trademark offices include:

  • United States Patent and Trademark Office (USPTO)
  • Canadian Intellectual Property Office
  • European Union Intellectual Property Office
  • UK Intellectual Property Office
  • Deutsches Patent- und Markenamt
  • Japan Trademark Office
  • Spanish Patent and Trademark Office O.A.
  • IP Australia
  • Intellectual Property India
  • Korean Intellectual Property Office
  • Instituto Nacional da Propriedade Industrial

3. The logo file used in your VMC certificate must be an SVG file that adheres to the SVG-P/S profile. Currently, most image editing tools do not support this profile and will require using a specific conversion tool or manually editing an SVG file. Click here to get help with this.

The validation process for DigiCert’s VMCs are the same as EV SSL certificates, but with a few added steps for additional security. Once the validation process is completed, DigiCert will issue a VMC to you and you may proceed to continue implementing BIMI by adding the issued VMC to your BIMI record in the “a=” evidence attribute.

 

 
DigiCert Verified Mark Certificate (VMC) - What, Why & How? 39
 

Simplify and accelerate your VMC business with WebNIC

 

If you are looking for a trusted provider for DigiCert VMC, then WebNIC is your choice. We help you to simplify and accelerate your VMC business, by working closely with DigiCert as one of their award-winning partners. DigiCert VMC is available for purchase now to all our partners. As we have more than 7 years of experience in the SSL certificate industry, you can be assured that your VMC selling journey will be a simple and painless process. Join WebNIC as a reseller and start selling VMC today with us!

 

DigiCert Verified Mark Certificate (VMC) - What, Why & How? 40

About WebNIC

DigiCert Verified Mark Certificate (VMC) - What, Why & How? 41

WebNIC operates a digital reseller platform covering primarily domain name registration for over 800 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected].

The Dangers of Phishing Attacks and How to Prevent Them 42

The Dangers of Phishing Attacks and How to Prevent Them

Phishing attacks happen frequently and pose great dangers

Phishing attacks have increased a lot in recent years and they happen very frequently. The reason behind this is because they are very effective and efficient for cybercriminals, but most importantly very profitable for them. Many users and organisations have fallen victim to phishing attacks, whereby their personally identifiable information, credentials and sensitive data have been stolen, resulting in identity theft, loss of money, loss of reputation, loss of intellectual property, as well as disruption of daily normal operational activities. All these act together in posing great dangers to both users and organisations, which more often than not cause irreversible damage.

Understand what are phishing attacks to protect ourselves

The Dangers of Phishing Attacks and How to Prevent Them 43

A phishing attack is the act of committing fraudulent actions in an attempt to “fish” sensitive data out of victims. Cybercriminals do so by impersonating as other renowned brands or entities to trick victims into providing their sensitive data. Our article here provides more info to help you understand what are phishing attacks, in order to help you be better informed about them, as well as be more prepared when facing them.

Notable Phishing Attacks in Real Life

Phishing Attacks Work Because… Humans | Cyber Security Hub

It is important to equip ourselves with knowledge about phishing attacks, because statistics show that phishing attacks are increasing every year, showing no signs of slowing down. Over the years, many companies including high profile companies, have fallen victim to phishing attacks. Some of the most notable examples include below:

  1. Austrian aerospace parts maker, FACC was hit by a whaling attack in 2016, costing the company a whopping $56 million. The CEO at the time, Walter Stephan was impersonated by the perpetrator, in which the attacker sent an email to an employee of the finance department requesting for immediate funds transfer.
  2. American network technology company, Ubiquiti Network was hit by a spear phishing attack in 2015, costing it a loss of $46.7 million in transferred funds. The attack was done by impersonating high ranking executives with spoofed email addresses and domain look-alikes.
  3. Even US giant companies Google and Facebook are not invulnerable to phishing attacks. Between 2013 and 2015, they were reportedly scammed of $100 million in an elaborate wire fraud scheme. Over the 2 years, the attacker sent phishing emails with forged invoices to request payment to be sent to fake bank accounts.
  4. Apple, the most valuable company in the world, is also a victim of smishing. The company brand was used in a fake Apple chatbox, whereby users were informed to have a chance to join a testing program for iPhone 12. Users were requested to pay a delivery charge by being redirected to a malicious website which stole payment card details.
  5. A popular cybersecurity company, RSA was also a victim of phishing attack via email. The email was attached with a virus-infected Excel file, and was opened by an unsuspecting employee of the company. This led to a sophisticated attack on the company’s information systems.

Phishing attacks prevention

As seen above, phishing attacks can pose serious consequences and huge losses to companies, as well as users alike. It is important to know how to prevent phishing attacks. The actions below can help to increase your success in preventing them.

1. Educate your team to identify phishing scams and techniques

Benefits of Group Work - TeachHUB

The Internet is always changing, so does the phishing attack methods. However, most of them will still share some common warning signs that can be identified with proper knowledge and experience through regular security awareness training with your team. With this, it is more likely you are able to avoid a potential attack.

2. Don’t click on suspicious links

WhatsApp suspicious link detection feature is now available for all on Android beta - Technology News

Some links look suspicious and with some practice they can be easy to spot. It is generally advisable to not click any links in emails or instant messages. However, should there really be a need to do so, the general practice and bare minimum is to at least hover over a link to see if the destination is correct. The reason is because some destination URLs can look very identical to a genuine site, set up to phish sensitive data and login/credit card information from whoever that clicked the link. It is always recommended to go straight to the genuine site through search engine, rather than clicking a link.

3. Use free anti-phishing add-ons

The Dangers of Phishing Attacks and How to Prevent Them 44

Most Internet browsers now come with the option to download and install free anti-phishing add-ons. When these extremely useful add-ons are used, they provide instant quick checks on the URLs that a user is visiting, by comparing them to lists of known phishing sites. The add-ons will alert the user if he/she comes across any known malicious sites.

4. Check for the security and secure status of a website

8 Simple Ways to Improve your Website Security

Make sure to look for the “https” in a website URL, as well as a closed padlock icon near the address bar whenever visiting a website. These indicators are the signs of a secured website and you would be safer when submitting any sort of information on this website. If you come across any suspicious websites or are alerted about malicious files, then do not open them to be safe.

5. Monitor and check all your online accounts

Learn how to reset a forgotten password or change your existing passwords.

You should consistently visit your online accounts on a regular basis, as well as change the passwords regularly, too. There is a chance that your accounts might have been compromised without you knowing, and the attackers are enjoying unlimited access to your accounts. A habit of changing your passwords will be extremely effective in preventing this.

6. Never skip or delay browser updates

How to Update Your Browser - How to, Technology and PC Security Forum | SensorsTechForum.com

It can be quite a bother to check for updates of your browsers, and we tend to put them off for later. Make sure you don’t do this. Updates are there for a reason, and they are extremely important in fixing any security loopholes that cybercriminals may take advantage of. It is strongly recommended to update immediately whenever new updates are available to ward off the risks of phishing attacks.

7. Setup firewalls

The role of next-gen firewalls in an evolving security architecture | InsiderPro

Firewalls are extremely effective in preventing hackers and phishers from intruding your system. They act as a shield to prevent cybercriminals, because they need to be broken through before any cyberattacks, including phishing attacks, can be launched effectively. The best case scenario is to apply both desktop firewalls and network firewalls, which strengthen security to prevent phishers.

8. Be extra careful when it comes to pop-ups

How to remove Media Player Update pop-ups [Chrome, Firefox, IE, Edge]

Pop-up windows are commonly used by phishers attempting to launch phishing attacks. They often contain links to malware or malicious websites. You are recommended to install free ad/pop-up blockers to reduce the such risks. Occasionally, some pop-ups might slip through and it is generally advisable to close them. Some will deceive you with a cancel button for you to click, but don’t fall for it. Find and click the “x” in the corner of the pop-up instead.

9. Think twice or even thrice when submitting sensitive info

How Much Private Information Do You Give Away Every Day?

Always remember not to submit your sensitive data when using the Internet, unless you are 100% sure of the safety of the website. When in doubt, visit the main website of the company and ask for clarification. It might be a hassle, but it is worth the effort to be better safe than sorry. Never submit sensitive info on websites you are suspicious of.

10. Implement a complete and powerful web security solution

The cybersecurity industry has evolved by leaps and bounds and there are many great cybersecurity solutions out there now. These solutions provide a comprehensive cyber protection, and they can help to drastically reduce the risks of cybersecurity incidents, including phishing attacks.

The Dangers of Phishing Attacks and How to Prevent Them 45

One such solution is our Sectigo Web cybersecurity solution. This all-in-one and comprehensive web security service includes many powerful cybersecurity functions, including:

  1. Web Detect
  2. Web Patch
  3. Web Clean
  4. Web Backup & Restore
  5. Web Accelerate
  6. Web Firewall
  7. Web Comply

These functions ensure that your system is constantly protected at all times, while giving cybercriminals a hard time to launch any effective cyberattacks on you, including phishing attacks. Why so? That’s because Sectigo Web works 24/7/365 to help you monitor and check for cybersecurity invulnerabilities, giving little to no time to cybercriminals to launch attacks. Start your web security service selling journey with WebNIC now to help combat the plague of the digital landscape, phishing attacks!

About WebNIC

The Dangers of Phishing Attacks and How to Prevent Them 46

WebNIC operates a digital reseller platform covering primarily domain name registration for over 800 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected].

Types of Phishing Attacks You Need to Know 47

Types of Phishing Attacks You Need to Know

What is a phishing attack and what does it mean?

The Anatomy of a Spear Phishing Attack: How Hackers Build Targeted Attacks (and why they're so effective)Webinar.

Phishing is a form of cyberattack that is aimed to trick users into giving away their sensitive information, such as credit card details, passwords, bank accounts and any personally identifiable information. It can also be used to deceive users to click a link, which in turn will automatically download malicious files that install malware, ransomware, virus on their computer or phone.

Cybercriminals launch phishing attacks mainly through sending phishing emails, enticing users to open and click them through a false sense of urgency or alert. In fact, 96% of phishing attacks arrive by email, whereas social media, phone calls and any form of communication they can use make up the remaining 4%. Regardless of how the phishing attacks are launched, cybercriminals launch them to try to achieve these goals:

  1. Distribute malware and malicious programs to infect users’ devices.
  2. Steal private information for financial gains or identity theft.
  3. Gain control of your online accounts to further launch more cyberattacks to your connections.
  4. Persuade you to send money or valuable info to them.

Needless to say, both individuals and businesses are equally at risk from phishing attacks without discrimination, because they are highly profitable for cybercriminals. According to data published by Verizon’s 2021 Data Breach Investigations Report (DBIR), phishing is the most common form of security incidents last year, whereby 36% of them involve phishing. FBI also stated that in 2020, phishing was the top incident of the year, and its frequency doubled from 2019. These statistics show us that we will be exposed to phishing attacks eventually, and we should educate ourselves to understand the many types of phishing attacks out there, as well as ways to prevent them.

Understand the different types of phishing attacks

Before getting into the types of phishing attacks, it is important to understand that they can happen through any medium, including emails, phone calls, SMS, social media, hijacked legitimate websites, impersonating websites which look extremely identical to the original websites, or even your Internet connection.

Hence, we have many different types of phishing attacks, based on how they are delivered. Since technology is rapidly changing and improving, therefore phishing attacks are also the same, which is why this list of phishing attack types will constantly grow and change as well. We list out a number of common ones below:

Phishing email

What is a Phishing Attack And How do You Steer Clear of Them? - Business Review

As mentioned above, 96% of phishing attacks are delivered through phishing emails. Cybercriminals incite fear, greed and urgency by sending fake emails to users, which request them to click a link, reply with personal info, open an attachment or send a payment etc.

Domain spoofing

How Ads.txt Can Stop Domain Spoofing | Radware Bot Manager

This type of phishing attack works by impersonating email addresses of valid businesses or websites to send phishing emails. Cybercriminals use very similar characters to replace certain characters in the original sender’s email address, which looks very alike if not observed in detail. For example, imitating @microsoft.com with @micros0ft.com.

Voice phishing (vishing)

Tips to Avoid Phishing # 6 — Voice Phishing (Vishing) | by ReputationDefender | Medium

Vishing is a phishing attack whereby scammers call you, impersonating as a valid person or representative from a company, government agency or charitable organisation. Their aim is to trick you into giving up your personal information or steal money from you.

SMS phishing (smishing)

Received an SMS claiming to be from UOB? It could be a phishing website

Smishing is a type of phishing attack which is delivered through SMS messages. The scammer imitates a valid organisation and sends short messages to trick you into clicking a link to visit a site. The site is malicious and usually contains dangerous programs for the next stage of attack.

Social media phishing

Facebook Phishing Attacks Hidden In Video Links | The Social Media Monthly

Scammers use social media to create posts or send direct messages to persuade unsuspecting users into clicking a link. They usually use too good to be true offers/giveaways, skeptical “official” business profiles, or pretend as your friend to ask for your help, in order to attract users into doing something. Some go as far as acting as your friend and building a relationship with you before going in for the final attack, which is known as social engineering.

Spear phishing

What is spear phishing | MCG TechTalk

This type of phishing attack is also known as targeted phishing attack. It targets a specific individual or a group of individuals by researching their interests and profiling them based on their online activities. Then, scammers will use specifically structured messages or details to appeal to the victims and trick them into giving valuable information or details. For example, a mid-level executive might be targeted to trick him into giving info about higher executives because they have access to even more valuable information, in which they become the target for the next phase of attacks.

Whaling

What is Whaling Phishing &amp; How Does it Work? | Agari

Whaling is also known as business email compromise (BEC), which is a form of spear phishing that targets high-profile employees. Examples include CEO, CFO or any C-suite employees, whereby they are impersonated by scammers to pressure others into wiring transfers or sharing credentials. It can also include pretending to be a vendor with a fake invoice requesting for payment.

Clone phishing

8 types of phishing attacks and how to identify them | CSO Online

In this type of attack, scammers duplicate previously sent legitimate messages to send to users again. However, they have replaced the original links and attachments with malicious ones. The messages can be emails, fake social media accounts or any text messages to trick users.

There are also cases where legitimate websites are hijacked or imitated to deliver phishing attacks. Here are a few examples:

Watering hole phishing

Watering Hole Attacks | TheCyberPatch

This type of phishing attack is done by cybercriminals through targeting popular sites that many users use. The aim is to try to exploit the sites’ security weaknesses to launch other phishing attacks to compromise the users, such as delivering malware, malicious links redirection and other cyberattacks.

Pharming

What is Pharming? | How to Prevent Pharming Attacks

Pharming also means DNS cache poisoning, where cybercriminals install malicious programs to redirect a website’s traffic to another fake phishing website. This form of attack is done by modifying host files on a server or exploiting DNS server vulnerability.

Typosquatting

Typosquatting What is it, what is it for and how to avoid this type of computer attack? - Computing Mania

Typosquatting refers to URL hijacking, and it is done by targeting people who type incorrect URLs. Cybercriminals create a website with a URL that looks identical to a targeted safe website, but with a very small spelling variation. For example, google.com was targeted in 2006 using goggle.com to trick users into using another fake phishing website.

 

Clickjacking

Clickjacking Attacks: What They Are and How to Prevent Them | Netsparker

In clickjacking phishing attacks, cybercriminals use website vulnerabilities to insert unseen malicious links to the website’s UI elements, so that users unsuspectingly clicked the malicious links. Clickjacking can also be done by using dangerous pop-ups to entice users to click them via inducing greed, fear or urgency.

Tabnabbing

Tabnabbing Attacks and Prevention – AppSec Monkey

This type of phishing attack happens when a user has opened a lot of tabs and left them inactive, during the course of his multitasking. This provides an opportunity for cybercriminals to reload the tabs into fraudulent websites, tricking users into thinking the tabs are the same and handing over their credentials. This can be done because cybercriminals have compromised the network.

HTTPS phishing

Phishing sites trick users with padlock and HTTPS | TechRadar

In the past, malicious websites usually do not have HTTPS, and we can easily identify them. However, now any site can get this, and cybercriminals can create a HTTPS website easily, giving the illusion of a classic “safe website with a padlock next to the URL”. In reality, it is a malicious website, and any info submitted to the website will be in the hands of the cybercriminals.

Some other phishing attacks worth mentioning that we should be aware of include:

  1. Evil twin – public wifi Internet connection mimicking
  2. Search engine results phishing – fraudulent websites appearing on search results before a legitimate one
  3. Angler phishing – impersonating a company’s official customer representative to trick users to give details
  4. Cryptocurrency phishing – phishing attacks that target cryptocurrency wallets

The Internet landscape is constantly evolving, and so do the different ways of phishing attacks. This list on the types of phishing attacks is not exhaustive and it will always be changing. The ultimate objective is to trick users into clicking a link and tricking them to give up their credentials. Fortunately, due to this common nature, it is possible to correctly identify phishing scams and prevent them. Stay tuned for the next blog on how to identify, avoid and prevent them.

About WebNIC

Types of Phishing Attacks You Need to Know 48

WebNIC operates a digital reseller platform covering primarily domain name registration for over 800 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected].

Root SSL Certificate Expiry and What Happens Next for Brands 49

Root SSL Certificate Expiry and What Happens Next for Brands

A root certificate used by Let’s Encrypt has expired and caused problems for some companies and users.

Foto Artikel : Mengelola Kebocoran Emosi - Kompasiana.com

The specific root certificate mentioned here that expired on 30 September 2021 is the IdenTrust DST Root CA X3. It was created back then in the year 2000, which has a validity period from 30 September 2000 to 30 September 2021. Most people probably won’t be affected by this expiry problem, but certain groups of people or companies have definitely come across some problems caused by this expiry, particularly those that that are still using old devices, old system infrastructure or old versions of operating system.

To understand the reason why this happens, it is important to know about how Certificate Authorities (CA) work and how the SSL certificate chains work. It is important to understand the concept of chain of trust in terms of SSL certificate, which is the foundation of the entire SSL certificate industry.

To make it simple, all certificates that enable HTTPS on the Internet are issued by a CA, an organisation that is trusted and accepted by devices or operating system (OS). For example, the image below shows the list of “Trusted Root Certificate Authorities (CA)” on a Windows 10 device.

Root SSL Certificate Expiry and What Happens Next for Brands 50

The different levels in the hierarchy of SSL certificates

SSL certificate is usually categorised into 3 levels of hierarchy, the top-level root certificates, followed by the second level intermediate certificates and lastly the third level leaf certificates or end-entity certificates.

CA function as an entity to issue root certificates, which is the top-most level in the hierarchy of the certificate chain of trust. Most of the time, they are typically valid for around 20 years. These root certificates are then used to issue the second level intermediate certificates, which are typically valid for around 3 – 6 years. The intermediate certificates are then used to issue the third level leaf certificates, the ones that websites around the world get. They are typically valid for around 90 days to 1 year.

These 3 levels of SSL certificate work together to establish a chain of trust, which serves as the foundation of how the SSL certificate industry works. Leaf certificates are chained to intermediate certificates, while intermediate certificates are chained to root certificates. In the case of the expiry of Let’s Encrypt’s root certificate, IdenTrust DST Root CA X3, the image below shows its chain of trust.

ISRG Certificate Hierarchy Diagram, as of December 2020

Let’s Encrypt root certificate expiry

Using Expired Detergent - Alconox Blog: TechNotes

Now that IdenTrust DST Root CA X3 has expired, any users of SSL certificates that were chained to this root certificate will face problems when trying to access the Internet. Some services by famous brands might also face interruptions in delivering their service to end users due to this problem. As the scale of usage of Let’s Encrypt’s SSL certificate is very large, probably millions of people or companies will be affected, particularly those that use old devices, old system infrastructure or old versions of operating system as mentioned above.

Scott Helme, a security researcher, entrepreneur and international speaker who specialises in web technologies, listed in his blog the clients that will break after the IdenTrust DST Root CA X3 expires. These include versions of macOS older than 10.12.1, Windows versions older than XP Service Pack 3, iOS versions older than iOS 10, OpenSSL versions less than and including 1.0.2, and Firefox versions older than 50.

What happens when a root certificate expires?

Let’s Encrypt’s Executive Director, Josh Aas, mentioned that when leaf certificates (end-entity certificates) expire, it typically has very little impact, as it only pertains to a small number of websites and they renew automatically. However, when root certificates expire, there can be more widespread impact because the number of certificates chained to them is larger, hence client operating systems or browsers may need to be upgraded to fix problems. However, that isn’t always an option for older devices or deployments.

When root certificates expire, most clients’ devices or operating systems will automatically update the system list of “Trusted Root Certificate Authorities (CA)”, and the expired root certificate will be automatically removed through system updates. From here onwards, whenever the clients come across any SSL certificate that chains from the expired root certificate, an error occurs. An example of the error message of an expired SSL certificate is shown below.

Root SSL Certificate Expiry and What Happens Next for Brands 51

A note worth mentioning is that the browser Firefox maintains its own list of trusted root certificates, independent from a system’s built-in list. You can learn more about it here.

Conclusion

As Let’s Encrypt SSL certificate comes free, therefore the team behind it is not really required to provide users with any service commitment in situations like this. When it comes to issues like this, it is up to the user’s technical capabilities to solve them. The best there is to offer is the community forum support from the people who are passionate about it.

Besides, with the recent outages of mainstream services such as Facebook, Instagram and WhatsApp, which went down for 6 hours on October 5, 2021, it is important to advise your customers to have a backup plan for their online business, in case unfortunate events all happen at the same time and affected their business operations severely.

The Small Business Guide to Cybersecurity | SCORE

The best advice you can give to your customers is to always build their own website, instead of relying on free services, as mainstream service is not a guarantee that it will last until the end. With this in mind, WebNIC wants to help you to assist your customers in building their website and owning their domain names. You can now pay a very little amount to get a DV SSL certificate (from as low as USD4.00 only) for 1 year, with access to guaranteed support from WebNIC. Let your customers know that having a website is much safer, because if social media dies off, at least they would not disappear completely with it in the online world, because there is still a backup ready.

Register domain and buy SSL certificates for your customers with WebNIC

DigiCert Smart Seal

WebNIC is an accredited registrar of over 800 TLDs and a trusted provider of more than 50 brands of SSL certificates to suit your different needs. We have more than 20 years of experience in the domain wholesale and reseller service, as well as more than 7 years of SSL certificate experience. You can be assured that we will provide the best service experience in helping you to register domains and buying SSL certificates. Join WebNIC as a domain and SSL certificate reseller to start selling with us today!

About WebNIC

Root SSL Certificate Expiry and What Happens Next for Brands 52

WebNIC operates a digital reseller platform covering primarily domain name registration for over 800 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected].

Back To Top