The Domain Manager plan has been upgraded to include an email service

2018 has only just begun, but we are already working hard to complete the projects left unfinished last year.

One of the most sought-after features last year was the integration of an email service into the Domain Manager plan.

The plan now lets you create and manage mailboxes and send and receive email, just as a regular web hosting account does, which takes the Domain Manager plan one step closer to a 'real' hosting service.

What is the Domain Manager upgrade about?

The Domain Manager plan is the smallest of all the packages on our platform and it targets a specific niche – namely people who do not need or are not yet ready to commit to a fully fledged hosting account.

It lets you order standalone domain name registrations and transfers and manage all of them from one place, without buying a web hosting account to do so.

The Domain Manager plan suits users who want to secure an attractive domain name for a future project before anyone else does.

So far, domain owners have only been able to register and transfer domain names and to edit some basic settings (Whois details, name servers, domain parking pages, etc.).

The integration of the emailing functionality takes the Domain Manager plan to a whole new usage level.

It allows domain owners to send and receive electronic messages, i.e. to make actual use of their domain names.

This way, clients can have personalized email addresses for their individual or business needs right from the start.

How to make use of the new email feature?

The new emailing functionality is available to all new Domain Manager plan users.

You will recognize it by the Mails icon on the domain management dashboard’s index page.


Once you’ve clicked on it, you’ll be taken to the well-known Email Manager interface, which is accessible to all regular web hosting account owners who are using the Hepsia Control Panel.


From there, you will be able to create mailboxes, to set up email forwarding and autoresponder messages, to create mailbox spam filters, etc., i.e. you will be able to perform all important email management operations.


Based on typical email usage on our platform, we've set quotas on the maximum number of mailboxes and on the total email storage space.

This keeps the feature from being abused while still covering customers' real email hosting needs.

You can find more details in the Account usage section of your Domain Manager account.

12 security measures to protect an unmanaged VPS

Virtual Private Servers have long been thought of as the next-generation shared hosting solution.

They use virtualization to let you build your own hosting environment and be the master of your server at a fairly affordable price.

If you are well-versed in server administration, then an unmanaged VPS will help you make the most of your virtual machine’s capabilities.

However, are you well-versed enough in security as well?

Here is a Linux VPS security checklist, which comes courtesy of our Admin Department.

What exactly is an unmanaged VPS?

Before we move to the security checklist, let’s find out exactly what an unmanaged VPS is and what benefits it can bring to you.

With an unmanaged VPS, pretty much everything will be your responsibility.

Once the initial setup is complete, you will have to take care of server maintenance procedures, OS updates, software installations, etc. Data backups should be within your circle of competence as well.

This means that you will need to have a thorough knowledge of the Linux OS. What’s more, you will have to handle any and all resource usage, software configuration and server performance issues.

Your host will only look into network- and hardware-related problems.

Why an unmanaged VPS?

The key advantages of unmanaged VPSs over managed VPSs are as follows:

  • you have full administrative power over the server; the host only steps in for network and hardware issues;
  • you have full control over bandwidth, storage space and memory usage;
  • you can customize the server specifically to your needs;
  • you can install any software you want;
  • you save on server management: setting up and securing a server is manageable if you apply yourself, and updating packages is easy;
  • you get a server of your own in a cost-efficient way, without buying the physical machine itself (as you would with a dedicated server);

Unmanaged VPS – security checklist

With an unmanaged VPS, you will need to take care of your sensitive personal data.

Here is a list of the security measures that our administrators think are key to ensuring your server’s and your data’s health:

1. Use a strong password

Choosing a strong password is critical to securing your server, since it limits your exposure to brute-force attacks. Make it at least 10 characters long; longer passphrases are better still.

It should mix lower- and uppercase letters, digits and special characters, and it should not contain dictionary words or personally identifiable information. Use a password that you use nowhere else, so that a breach at another service cannot be replayed against your server.

A strong password may consist of phrases, acronyms, nicknames, shortcuts and even emoticons. Examples (never reuse published examples such as these; they are in every attacker's wordlist):

    1tsrAIn1NGcts&DGS!:-)    (It's raining cats and dogs!)
    humTdumt$@t0nAwa11:-0    (Humpty Dumpty sat on a wall)
    p@$$GOandCLCt$500 :->    (Pass Go and collect $500)

For SSH itself, the stronger option is key-based authentication with password logins turned off (PasswordAuthentication no in /etc/ssh/sshd_config); the password then only matters for console access and sudo.

2. Change the default SSH port

Moving SSH off port 22 does not stop a determined attacker, but it keeps most automated scanners and brute-force bots out of your logs and is cheap to do.

You can do that in a few quick steps:

  1. Connect to your server using SSH
  2. Switch to the root user
  3. Open the daemon configuration: vi /etc/ssh/sshd_config
  4. Locate the following line: #Port 22
  5. Remove the # and replace 22 with another port number that no other service uses
  6. Allow the new port through your firewall before restarting sshd, or the restart will lock you out; on SELinux systems such as CentOS also register it with: semanage port -a -t ssh_port_t -p tcp <new port>
  7. Check the file with sshd -t, then restart the service: systemctl restart sshd (service sshd restart on older systems; the service is named ssh on Debian and Ubuntu)
  8. Keep your current session open and confirm that a new connection on the new port works before you log out

3. Disable the root user login

The root user has unlimited privileges and can execute any command, including one that accidentally opens the door to unwanted activity; it is also the one account name every brute-force bot tries first.

To prevent unauthorized root-level access to your server, disable root logins over SSH and use a regular admin account that elevates its privileges with sudo instead.

Here is how to add a new admin user that logs into the server via SSH and then switches to root:

  1. Create the user by replacing admin with your desired username:
    adduser admin
  2. Set the password for the admin user account:
    passwd admin
  3. Grant the user sudo privileges. Do not append to /etc/sudoers directly (a typo there breaks sudo for everyone); use a drop-in file and validate it:
    echo 'admin ALL=(ALL) ALL' > /etc/sudoers.d/admin
    chmod 0440 /etc/sudoers.d/admin
    visudo -cf /etc/sudoers.d/admin
    (Adding the user to the wheel group on CentOS or the sudo group on Debian/Ubuntu achieves the same.)
  4. Disconnect and log back in as the new user:
    ssh admin@my.ip.or.hostname
  5. Once you are logged in, switch to the root user with su (or sudo -i) and confirm with whoami:
    su
    password:
    whoami
    root
  6. To disable the root user login, edit /etc/ssh/sshd_config and change this line:
    #PermitRootLogin yes
    to:
    PermitRootLogin no
  7. Validate and restart sshd (sshd -t, then systemctl restart sshd or service sshd restart), keeping your current session open until you have confirmed that the admin user can log in and become root in a new session.

From now on you connect via SSH as the admin user and elevate when needed. Keep the root password safe: your provider's console (VNC/serial) does not go through sshd, so you can still use it there for recovery.
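The changes from steps 2 and 3 applied in one place, as an added example that is not part of the original post. The functions edit whatever file you pass them, so the demonstration runs against a constructed copy of sshd_config in a temporary directory and needs no root; the port 2222, the user name admin and the sudoers.d path are assumptions.

```shell
#!/bin/sh
# Added example: apply steps 2 and 3 of the checklist to a copy of sshd_config
# and create the sudo drop-in for the admin user. POSIX sh (dash/bash).
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite every "KEY ..." line, commented out or not, as "KEY VALUE";
# append the directive if the file has no such line.
set_sshd_option() {
  file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key"'([[:space:]]|$)' "$file"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$file" \
      > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# get_sshd_option FILE KEY -> the first active (uncommented) value, if any
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE PORT -> steps 2 (port) and 3 (no root login)
harden_sshd_config() {
  set_sshd_option "$1" Port "$2"
  set_sshd_option "$1" PermitRootLogin no
}

# disable_password_logins FILE -> key-only logins; run this only after your
# key is installed for the admin user and a key-based login has been tested
disable_password_logins() {
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
}

# write_sudoers_dropin SUDOERS_D USER -> SUDOERS_D/USER with mode 0440.
# Appending to /etc/sudoers with "echo >>" is risky: one syntax error there
# breaks sudo for everybody. A drop-in can be checked with "visudo -cf FILE".
write_sudoers_dropin() {
  ( umask 337 && printf '%s ALL=(ALL) ALL\n' "$2" > "$1/$2" )
}

# --- demonstration on a constructed copy; no root needed ---
DEMO=$(mktemp -d)
cat > "$DEMO/sshd_config" <<'EOF'
# constructed excerpt of a stock sshd_config
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
mkdir -p "$DEMO/sudoers.d"

harden_sshd_config "$DEMO/sshd_config" 2222      # 2222 is an arbitrary choice
write_sudoers_dropin "$DEMO/sudoers.d" admin

echo "Port=$(get_sshd_option "$DEMO/sshd_config" Port)" \
     "PermitRootLogin=$(get_sshd_option "$DEMO/sshd_config" PermitRootLogin)"
cat "$DEMO/sudoers.d/admin"
```

To apply it for real, run harden_sshd_config /etc/ssh/sshd_config 2222 and write_sudoers_dropin /etc/sudoers.d admin as root, check with sshd -t and visudo -cf /etc/sudoers.d/admin, open the port in the firewall (and with semanage on SELinux hosts), restart sshd, and test a fresh login before closing the session you are in. Call disable_password_logins only once the admin user's key works.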

4. Use a rootkit scanner

Use a tool like rkhunter (Rootkit Hunter) to scan the whole server daily for rootkits, backdoors and possible local exploits; it emails you the reports. Run rkhunter --update before scanning and rkhunter --propupd after legitimate package updates, otherwise changed system binaries show up as warnings.


5. Disable compilers for non-root users (for cPanel users)

Disabling compilers for unprivileged users denies an attacker who lands a shell on the box the easiest way to build exploits and malware locally, adding an extra layer of security.

From the WebHost Manager, you can deny compiler access to unprivileged (non-root) users with a click.

Just go to Security Center ->Compiler Access and then click on the Disable Compilers link:


Alternatively, you can keep compilers for selected users only.

6. Set up a server firewall

An iptables-based server firewall like CSF (ConfigServer Firewall) lets you block public access to a given service.

You can permit incoming connections only to the ports actually in use, for example your SSH port and those of the FTP, HTTP(S), IMAP, POP3 and SMTP protocols, and drop everything else.

CSF offers an advanced, yet easy-to-use interface for managing your firewall settings.


Here is a good tutorial on how you can install and set up CSF.

Once you’ve got CSF up and running, make sure you consult the community forums for advice on which rules or ready-made firewall configurations you should implement.

Keep in mind that most distributions ship a default firewall manager (firewalld on CentOS, ufw on Ubuntu). Disable it before enabling CSF so that the two do not fight over the same iptables rules.
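The 'permit only the ports you need' policy written directly as an iptables ruleset, as an added example that comes neither from the post nor from CSF. The port list is an assumption: 2222 stands in for the relocated SSH port, the rest are HTTP/HTTPS and the mail protocols named above. The generator only prints; applying the rules needs root and is described in the note below.

```shell
#!/bin/sh
# Added example: a default-deny inbound firewall in iptables-restore format.
set -eu

# generate_firewall_rules PORT... -> ruleset on stdout. Inbound traffic is
# dropped except loopback, replies to connections we opened, rate-limited ping
# and new TCP connections to the listed ports.
generate_firewall_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
  for port in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo COMMIT
}

# allowed_ports RULESET_FILE -> TCP ports on which the ruleset accepts new connections
allowed_ports() {
  awk '/--dport/ && /--ctstate NEW/ && /-j ACCEPT/ {
         for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
       }' "$1"
}

# --- demonstration: SSH on 2222 plus web and mail ports (assumed list) ---
RULES=$(mktemp)
generate_firewall_rules 2222 80 443 25 587 110 143 993 995 > "$RULES"
cat "$RULES"
echo "open tcp ports: $(allowed_ports "$RULES" | tr '\n' ' ')"
```

Validate with iptables-restore --test < rules.v4 and load it with iptables-restore < rules.v4 from a session you can recover (your provider's console), because a wrong SSH port here locks you out; persist it with iptables-save into your distribution's rules file. IPv6 needs a matching ip6tables ruleset. If you run CSF, let it own the rules instead of loading this alongside it.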

7. Set up intrusion prevention

An intrusion prevention software framework like Fail2Ban will protect your server from brute-force attacks. It scans logfiles and bans IPs that have unsuccessfully tried to log in too many times.


Here’s a good article on how to install and set up Fail2Ban on different Linux distributions.

You can also keep an eye on the Google+ Fail2Ban Users Community.
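What Fail2Ban's sshd jail does, reduced to a few lines of shell so the mechanism is visible, as an added example that is not from the post or from the Fail2Ban project. The log lines are constructed (documentation addresses 203.0.113.7 and 198.51.100.20); the threshold of 5 matches Fail2Ban's default maxretry.

```shell
#!/bin/sh
# Added example: count sshd password failures per source address and pick
# the offenders, the way a fail2ban jail with maxretry=5 would.
set -eu

# failed_logins_by_ip LOG -> "count ip" per source, most failures first
failed_logins_by_ip() {
  grep -E 'sshd\[[0-9]+\]: Failed password for' "$1" \
    | sed -E 's/.* from ([0-9]+(\.[0-9]+){3}) port .*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# offenders LOG MAXRETRY -> addresses with at least MAXRETRY failures
offenders() {
  failed_logins_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# ban_rule IP -> an iptables rule equivalent to fail2ban's default action
# (fail2ban keeps its rules in its own f2b-<jail> chain; shown inline here)
ban_rule() {
  printf 'iptables -I INPUT -s %s -j REJECT --reject-with icmp-port-unreachable\n' "$1"
}

# --- constructed /var/log/auth.log excerpt ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 10 08:00:01 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 10 08:00:03 vps sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 10 08:00:05 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 10 08:00:06 vps sshd[1205]: Accepted publickey for admin from 198.51.100.20 port 40022 ssh2
Jan 10 08:00:09 vps sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jan 10 08:00:11 vps sshd[1209]: Failed password for root from 203.0.113.7 port 51255 ssh2
Jan 10 08:00:12 vps sshd[1211]: Failed password for admin from 198.51.100.20 port 40030 ssh2
EOF

failed_logins_by_ip "$LOG"
for ip in $(offenders "$LOG" 5); do ban_rule "$ip"; done
```

Fail2Ban adds what this script lacks: a sliding window (findtime), automatic unbanning after bantime, and an ignoreip list so you do not ban yourself. Two caveats when you set it up: if you moved SSH off port 22, set port in the sshd jail accordingly, and put your own address in ignoreip.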

8. Enable real-time application security monitoring

ModSecurity, the most widely deployed open-source web application firewall, gives you visibility into HTTP(S) traffic and lets you implement advanced protections in real time.

ModSecurity is available in your Linux distribution's repositories, so installing it is easy; on Debian/Ubuntu:

    apt-get install libapache2-mod-security2

(older Ubuntu releases named the package libapache2-modsecurity; on CentOS it is mod_security from the EPEL repository).

Here’s a quick guide on how to install and configure ModSecurity.

Once you've got ModSecurity up and running, you can download a rule set like CRS (OWASP ModSecurity Core Rule Set) instead of writing rules yourself. Note that the shipped modsecurity.conf-recommended starts with SecRuleEngine DetectionOnly; switch it to On once the rule set produces no false positives on your site.

9. Set up anti-virus protection

One of the most reliable anti-virus engines is ClamAV – an open-source solution for detecting Trojans, viruses, malware & other malicious threats. The scanning reports will be sent to your email address.

ClamAV is available as a free cPanel plugin.

You can enable it from the Manage Plugins section of your WHM:


Just tick the ‘Install ClamAV and keep updated’ checkbox and press the ‘Save’ button.

10. Enable server monitoring

Install a logfile scanner such as logcheck or logwatch. It parses your system logs and summarizes anything unusual, including unauthorized access attempts, so that you actually read what the server records. Log scanning is detection; on its own it will not protect you against DDoS attacks.

Use software like Nagios or Monitis to run automatic service checks to make sure that you do not run out of disk space or bandwidth or that your certificates do not expire.


With a service like Uptime Doctor or Pingdom, you can get real-time notifications when your sites go down and thus minimize accidental downtime.

11. Run data backups

Make regular off-site backups so that accidental deletion, a failed update or a compromised server does not cost you your data.

You can place your trust in a third-party service like R1Soft or Acronis, or you can build your own simple backup solution using Google Cloud Storage and the gsutil tool.


If you are on a tight budget, you can keep your backups on your local computer; what matters is that a copy lives somewhere the server itself cannot reach and overwrite.
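A backup you can verify before you need it, as an added example that is not from the post: a tarball with a checksum beside it, checked and test-restored into a scratch directory. All paths are temporary directories the script creates; the bucket name in the note below is an assumption.

```shell
#!/bin/sh
# Added example: make, verify and test-restore a backup archive.
set -eu

# make_backup SRC_DIR DEST_DIR [LABEL] -> prints the path of the new archive;
# a .sha256 file is written beside it so the copy can be checked after transfer
make_backup() {
  label=${3:-$(date -u +%Y%m%dT%H%M%SZ)}
  archive="$2/$(basename "$1")-$label.tar.gz"
  tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
  ( cd "$2" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches and the tarball lists cleanly
verify_backup() {
  ( cd "$(dirname "$1")" && sha256sum -c --status "$(basename "$1").sha256" ) || return 1
  tar -tzf "$1" > /dev/null
}

# restore_backup ARCHIVE TARGET_DIR -> unpacks into TARGET_DIR (created if missing)
restore_backup() {
  mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# --- demonstration on constructed data ---
WORK=$(mktemp -d)
mkdir -p "$WORK/site/wp-content" "$WORK/backups"
echo "<?php // constructed sample file" > "$WORK/site/index.php"
echo "option=value" > "$WORK/site/wp-content/settings.ini"

ARCHIVE=$(make_backup "$WORK/site" "$WORK/backups")           # timestamped name
verify_backup "$ARCHIVE" && echo "checksum and listing OK: $ARCHIVE"
restore_backup "$ARCHIVE" "$WORK/restore"
diff -r "$WORK/site" "$WORK/restore/site" && echo "restore matches original"

# A corrupted copy must fail verification; that is what the checksum is for.
DAMAGED=$(make_backup "$WORK/site" "$WORK/backups" damaged)   # fixed label
printf 'x' >> "$DAMAGED"                                       # simulate a truncated transfer
if verify_backup "$DAMAGED"; then echo "BUG: damaged archive passed"; else echo "damaged archive rejected"; fi
```

For the off-site step, upload both files, for example with gsutil cp "$ARCHIVE" "$ARCHIVE.sha256" gs://your-bucket/ (bucket name assumed), and run verify_backup on the downloaded copy before you rely on it. Give the server a credential that can write but not delete or overwrite objects (or turn on bucket versioning): a compromised server will otherwise take its own backups down with it.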

12. Keep your software up to date

Keeping your software up to date is the single biggest security precaution you can take.

Software updates range from regular minor bug fixes to critical vulnerability patches. You can set automatic updates to save time.

However, keep in mind that automatic updates do not cover self-compiled applications. It is advisable to first install an update in a test environment to see its effect before deploying it to production.

Depending on your particular OS, you can use:

  • yum-cron (CentOS 7)
  • unattended-upgrades (Debian and Ubuntu)
  • dnf-automatic (Fedora, CentOS 8 and later)

***

If you have not obtained an unmanaged VPS yet, you could consider our solutions:

  • OpenVZ VPS packages – all setups from 4 to 10 are unmanaged and come with SSH/full root access (for cPanel setups only) and with a CentOS/Debian/Ubuntu OS installation;
  • KVM VPS setups – all four setups are unmanaged and offer SSH/full root access; OS options include CentOS/Debian/Ubuntu as well as a few OS ISO alternatives like Fedora and FreeBSD;

The Suhosin security extension now supported on our platform

PHP is a mainstream programming language that underlies millions of projects on the web.

It offers great coding flexibility and is compatible with various modules that can extend its capabilities significantly.

However, as mighty as PHP might be, poorly written code can make your server vulnerable. PHP extensions like Suhosin have stepped in to address this scenario.

PHP security threats

Over the years, PHP has grown to be the most preferred web programming language thanks to its short learning curve and the great deal of options for building dynamic web projects.

According to a recent W3Techs survey, PHP is used by 83.1% of all server-side programming language-based websites.


Just like other programming languages, however, PHP is not immune to poor coding practices and web servers can easily become vulnerable to attackers.

You may have crafted the most perfect piece of code, but if you allow non-verified code from other developers to run on your server, you will open the door to vulnerabilities.

If you are hosting third-party PHP applications, for example, you cannot trust the quality of that code either.

This is where the Suhosin solution kicks in.

What is Suhosin about?

Suhosin (pronounced 'su-ho-shin', which means 'guardian angel' in Korean) is an advanced protection system for PHP installations, developed by the German company SektionEins.

It was designed to protect servers and users from all manner of flaws in PHP applications and in the PHP core itself.

Suhosin works on two levels. The first is a patch to the PHP core that hardens it against buffer overflows and format string vulnerabilities. The second is a PHP extension that adds runtime protections for applications: it can, for example, disable eval(), restrict which files may be included, limit the number and size of request variables, transparently encrypt cookies and session data, and block header injection through mail().

The two functions can be used separately or in combination.

Why use Suhosin?

If you are using PHP on your personal server where you run your own vulnerability-free scripts and applications, then you most probably don’t need the Suhosin extension.

However, one should keep in mind that PHP is a very complex language with lots of easy-to-overlook pitfalls.

Therefore, it is always a good idea to have Suhosin running in the background as an additional safety measure.

According to its developers, the Suhosin extension will effectively protect your server against malicious attacks resulting from backdoors left in your code.

Several of its protections, the mail() header-injection check for instance, also make it harder to turn your server into a spam relay if one of your scripts is compromised.

How to make use of Suhosin on our platform?

To help you maintain a secure environment for your PHP-based projects, we’ve installed the Suhosin extension on our servers.

You can enable the extension with a click from the PHP Settings (Advanced>PHP Settings) section of your Control Panel:


Please keep in mind that Suhosin targets the PHP 5 branch, from 5.4 onwards; its PHP 7 port never went beyond an experimental stage, so the toggle applies to PHP 5.x versions:


Phalcon has debuted on our hosting platform

Speed matters for search engine rankings, and performance optimization has become a top priority for the IT industry.

The global push toward faster load times gave rise to Phalcon, a framework that takes a new approach to web application performance.

Learn more about the Phalcon framework, the advantages it can bring to your online projects and how you can make use of it on our web hosting platform.

Some ‘Phalconistory’

Originally released in 2012, Phalcon is an open-source PHP web application framework licensed under the terms of the BSD License.

It was created by Andrés Gutiérrez who came up with a new speed-focused PHP web app framework development approach.

The name of the framework itself came as no surprise, since falcons are among the fastest animals on Earth.

Unlike most PHP frameworks, Phalcon is delivered as a PHP extension that loads into the interpreter itself rather than as PHP source code.

Written in Zephir and C, it’s based on the model–view–controller (MVC) pattern.


Since Phalcon’s first release, its developers have kept improving the framework by adding new performance-boosting features. One such example is the Volt template engine.

Phalcon’s first PHP 7 support-inclusive LTS release was introduced on 29 July 2016. It’s also the framework’s latest stable version thus far.

The project follows semantic versioning (SemVer) and will continue to do so.

Phalcon’s key advantages over common PHP frameworks

Phalcon has quickly gained popularity for being the fastest PHP framework on the web.

And rightfully so, considering its flying start and the number of improvements to its architecture in so short a period of time.

Built as a compiled PHP extension rather than as a framework written in PHP, Phalcon avoids loading and interpreting framework code on every request, which is where its performance advantage comes from.

Here are the key reasons why Phalcon has become the go-to solution for speed-focused web projects:

  • Boosted execution speeds

Thanks to its innovative coding concept, Phalcon allows for more HTTP requests to be processed per second (compared to similar frameworks written primarily in PHP), which lowers execution times drastically.

  • Reduced resource usage

Phalcon allows you to keep CPU and memory consumption at a minimum.

  • Accelerated website performance

The lowered execution and load times will accelerate your site’s overall performance, which will, in turn, lead to better search engine rankings and increased click-through rates.

How to enable Phalcon for your projects

Unlike regular PHP frameworks, Phalcon cannot simply be dropped into your project directory.

As a compiled extension it has to be installed into PHP itself, which requires root access to the server.

We've implemented a Phalcon-friendly environment on our platform so that you can get the best performance out of your Phalcon-powered website.

You can enable Phalcon for your speed-sensitive projects from the PHP Settings section of your Control Panel:


Please keep in mind that Phalcon supports all PHP versions from 5.5 onwards:


Let’s Encrypt validation exploit detected, no hosted domains affected on our platform

A problem with the Let's Encrypt Certificate Authority's ACME protocol was detected on January 9, 2018.

It turned out that by exploiting a vulnerability in the ACME TLS-SNI-01 challenge type, malicious users could obtain SSL certificates for domains they did not control.

Let’s Encrypt acted immediately and disabled TLS-SNI-01 support.

What is the TLS-SNI-01 vulnerability about?

The vulnerability was reported by a Detectify security professional who had discovered that the ACME protocol’s TLS-SNI-01 verification challenge procedure could be exploited.

He alerted the Let’s Encrypt CA about a method of exploiting certain shared hosting infrastructures to obtain certificates for domains he did not own.

The attack method was quickly confirmed by Let’s Encrypt and a flaw in the abovementioned TLS-SNI-01 challenge procedure was cited as the cause of the issue.

TLS-SNI-01 was one of the challenge types an ACME client could choose to satisfy before Let's Encrypt would issue a certificate (HTTP-01 and DNS-01 being the others).

To understand where it went wrong, one needs to know how the validation works behind the scenes:

First, the Certificate Authority (CA) generates a random token and communicates it to the ACME client installed on the hosting server.

The client uses the token to build a self-signed certificate whose subject alternative name is a hostname under the reserved .acme.invalid domain, derived from the token and the account key.

The CA then looks up the domain name's IP address, opens a TLS connection to it and sends that .acme.invalid hostname in the SNI extension.

If the server answers with a self-signed certificate containing that hostname, the domain is considered validated and the ACME client may obtain certificates for it.

As it turned out, some large hosting providers combine two conditions that together open the door to abuse of the TLS-SNI-01 procedure:

  • Many users are hosted on the same IP address;
  • Users are able to upload certificates for arbitrary names without proving domain ownership;

If both conditions are present, a user sharing the IP address can upload a certificate for the .acme.invalid name and answer the CA's challenge for a domain that belongs to someone else.

When the issue was reported, Let’s Encrypt rapidly disabled TLS-SNI-01 validation.

Disabling the challenge was an emergency measure; Let's Encrypt later retired TLS-SNI-01 for good, and TLS-ALPN-01 became the replacement for TLS-based validation.

In the meantime, Let's Encrypt recommended that hosting providers use the alternative HTTP-01 or DNS-01 challenges instead, if they had not already done so.

Are my domains affected by the TLS-SNI-01 vulnerability?

We use the recommended HTTP-01 and DNS-01 challenges for domain validation and certificate issuance.

This is why the domain names hosted on our platform are not exposed to the TLS-SNI-01 flaw.

NOTE: However, if you manage domains that are registered through us, but are not hosted on our platform, we’d recommend you to get in touch with the hosting provider whose services you are using and make sure that they’ve taken measures to secure their Let’s Encrypt certificates.

.GR domains now open for registration on our hosting platform

We've just added the country-code Top-Level Domain for Greece to the list of registrable extensions.

The .GR ccTLD is open for registration to Greek and foreign entities.

.GR – some history

The .GR domain extension was launched back in 1989. It is administered by GR-Hostmaster – a department of the Institute of Computer Science of the Foundation for Research and Technology.

The .GR domain registration process is supervised by the Hellenic Telecommunications and Post Commission (EETT).

For registrars’ sake, the GR-Hostmaster registry employed the EPP protocol, which is approved by the Internet Engineering Task Force (IETF).

GR-Hostmaster paid special attention to the ability to register domain names containing Greek letters such as όνομα.gr. And indeed, such an option has been supported since July 4, 2005.

Greece also applied for the internationalized version of .GR, .ελ, but ICANN did not approve it until 2014 because of concerns that its visual similarity to the Latin string 'ea' might confuse users.

The extension, however, is not open to the public as yet.

Why register .GR domains?

Since ancient times, Greece has been a nation of great minds and independent thinkers.

Those vibes, along with the Greeks’ strong sense of identity and self respect, have been safely preserved throughout the centuries down to our own day.

The collective spirit of Greece and the Greeks’ respect for history and culture have cultivated a conservative society where ‘everything Greek’ matters most.

That could explain why Greek individuals prefer visiting websites ending in .GR instead of .COM and reading web content written in Greek rather than in English, for example.

.GR – registration requirements

.GR domains are wide open for registration for individuals and organizations from around the world.

The minimum registration period is 2 years.

Here is a list of the .GR domain requirements to take into account when registering a .GR domain:

  • must contain between 3 and 60 characters;
  • must begin and end with a letter or a digit;
  • must use ASCII characters only: letters (a-z), digits (0-9) and dashes (-), in any combination;
  • must not have dashes in the third and fourth positions (e.g. ab--cd.gr is rejected; this keeps the xn-- prefix used for encoded Greek-letter names out of ordinary registrations);
  • must not include a space (e.g. ab cd.gr is rejected).
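The listed rules as a check you can run before submitting an order, as an added example that is not from the post or from the registry. It validates the ASCII part before .gr and nothing else (Greek-letter names go through the registrar's IDN conversion, which this check does not model); the sample names are constructed.

```shell
#!/bin/sh
# Added example: syntax check for the ASCII form of a .GR domain label.
set -eu
LC_ALL=C; export LC_ALL   # keep the a-z ranges strictly ASCII

# valid_gr_label LABEL -> 0 if LABEL meets the listed .GR rules, 1 otherwise.
# Pass the name without the ".gr" suffix.
valid_gr_label() {
  label=$1
  [ "${#label}" -ge 3 ] && [ "${#label}" -le 60 ] || return 1
  case $label in
    *[!a-zA-Z0-9-]*)               return 1 ;;   # letters, digits, dashes only (no spaces, no Greek)
    [!a-zA-Z0-9]* | *[!a-zA-Z0-9]) return 1 ;;   # must begin and end with a letter or digit
    ??--*)                         return 1 ;;   # no dashes in the 3rd and 4th positions
  esac
  return 0
}

# explain LABEL -> one line per candidate, for humans
explain() {
  if valid_gr_label "$1"; then
    printf '%-20s ok\n' "$1.gr"
  else
    printf '%-20s rejected\n' "$1.gr"
  fi
}

# --- constructed candidates ---
for name in hellas my-site ab abc-def xn--abc -abc abc- 'ab cd' 'αθήνα'; do
  explain "$name"
done
```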

Currently, the .GR domain zone does not allow for the information of the domain owner to be hidden from the public eye. All information (name, address, email, etc.) will be displayed in the public WHOIS database.

Let’s Encrypt SSLs enabled on our reseller hosting platform

SSL certificates have become a must-have attribute for websites since Google declared secure HTTPS connections a ranking factor and especially since the search engine giant voiced its intention to start flagging all non-HTTPS pages as insecure later in 2017 in a visible-to-the-Chrome-user manner.

The hype around SSLs has made SSL providers reconsider the pricing of certificates so as to make them more affordable to the wide public.

Meanwhile, a public-benefit authority aimed at providing an all-free HTTPS encryption solution to users was born. We’ve now adopted their approach on our platform as well.

Learn more about the Let’s Encrypt initiative and how Let’s Encrypt SSLs fare against regular SSLs from our new post.

What is Let’s Encrypt all about?

Let's Encrypt, which entered public beta in December 2015 and left beta in April 2016, is a free, open certificate authority (CA) that provides website owners with the digital certificates needed for HTTPS (SSL/TLS).

It was launched by the Internet Security Research Group (ISRG), a public-benefit organization sponsored by the Mozilla Foundation, the Electronic Frontier Foundation (EFF) and Cisco Systems, with the aim of making HTTPS encryption both affordable and user-friendly.

Their main goal is to create a more secure, privacy-driven web.

Let’s Encrypt certificates are:

  • free to use: each domain name owner can obtain a trusted certificate at absolutely no cost;
  • automatic: the certificate setup and renewal procedures are fully automated; no human intervention is needed;
  • simple to use: there are neither payments to make, nor validation emails to respond to;
  • secure: Let’s Encrypt serves as a platform for implementing the latest security practices;
  • fully transparent: all issued certificates are publicly available for anyone to view;
  • open: the issuance and renewal protocol is published as an open standard that can be adopted;
  • ‘self-regulated’: Let’s Encrypt is a joint community effort, beyond the control of any organization;

The idea and history behind the Let’s Encrypt project

The Let's Encrypt project opened to the public at the end of 2015. During the first month alone, more than 200,000 certificates were issued, and that number grew a hundredfold within a year.

More than 20,000,000 active certificates are currently supported by Let’s Encrypt.


This explosive growth has been fuelled by the efforts of the Internet Security Research Group (the organization behind Let’s Encrypt) to help create a fully encrypted web.

Supported by a large community, this small group with only 9 full-time employees has managed to raise awareness among site owners about the need for investing in a more secure web.

The results speak for themselves: according to Mozilla's Firefox Telemetry, the past year has seen a 10 percentage-point increase in HTTPS page loads, from 39% in 2016 to 49% in 2017. Roughly half of all page loads are now encrypted, which makes everyone safer.

Today, Let’s Encrypt is trusted by the likes of Google, Apple and Mozilla.

How does the validation process work?

Generally, in order for an SSL certificate to be issued, a request must be sent to a trusted certificate signing authority.

That incurs some paperwork, which justifies the fees required for regular SSL certificates.

To bypass the certification fees, the founders of Let’s Encrypt had to remove the ‘human factor’. And so they did.

They came up with a solution – a certificate management agent, which runs on an HTTPS server and automatically obtains browser-trusted certificates from the Let’s Encrypt authority.

Let’s Encrypt uses the ACME (Automatic Certificate Management Environment) protocol to verify that one controls a given domain name and to issue them a certificate.

Prior to the domain authorization process itself, the agent generates a new public/private key pair, which will be used when interacting with Let’s Encrypt.


The agent needs to prove that the server on whose behalf it communicates actually controls the domain.

Proving control of a domain can be done in two ways; the CA asks the agent to either:

  • provision a DNS record under the domain (we use this validation method on our platform);
  • provision an HTTP resource at a well-known URI on the domain;

Then, the agent needs to prove that it controls the key pair by signing a nonce provided by the CA.

When ready, the agent informs the CA and the latter has to check whether all requirements have been met.

If everything has gone right, the agent will get authorization to provide certificate management for the given domain.
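The arithmetic behind the challenge types discussed on this page and in the TLS-SNI-01 post above, as an added example that is not from either post or from any ACME client: the key authorization shared by HTTP-01 and DNS-01, the DNS-01 TXT value, the name the retired TLS-SNI-01 challenge expected in the server's certificate, and the check that made a shared IP dangerous. It needs only openssl. The token and the account key (JWK) are constructed stand-ins, not real ACME data.

```shell
#!/bin/sh
# Added example: ACME challenge values, and why TLS-SNI-01 failed on shared IPs.
set -eu

b64url()    { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
sha256hex() { openssl dgst -sha256 | sed 's/.*= *//'; }

# jwk_thumbprint CANONICAL_JWK -> base64url(SHA-256(jwk)), RFC 7638
# (the JSON must be canonical: required members only, sorted keys, no spaces)
jwk_thumbprint() { printf '%s' "$1" | openssl dgst -sha256 -binary | b64url; }

# key_authorization TOKEN THUMBPRINT -> the body HTTP-01 serves at
# http://<domain>/.well-known/acme-challenge/TOKEN
key_authorization() { printf '%s.%s' "$1" "$2"; }

# dns_01_txt KEYAUTHZ -> the TXT value published at _acme-challenge.<domain>
dns_01_txt() { printf '%s' "$1" | openssl dgst -sha256 -binary | b64url; }

# tls_sni_01_name KEYAUTHZ -> "<Z[0:32]>.<Z[32:64]>.acme.invalid", the SAN the CA
# looked for after connecting to the domain's IP with that name in SNI
tls_sni_01_name() {
  z=$(printf '%s' "$1" | sha256hex)                       # 64 hex characters
  printf '%s.%s.acme.invalid' "$(printf '%s' "$z" | cut -c1-32)" "$(printf '%s' "$z" | cut -c33-64)"
}

# ca_accepts_tls_sni SNI_NAME "SAN1 SAN2 ..." -> 0 if the returned certificate
# carries the expected name. The CA never learns WHICH tenant answered.
ca_accepts_tls_sni() {
  for san in $2; do [ "$san" = "$1" ] && return 0; done
  return 1
}

# --- constructed demonstration ---
TOKEN=evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA                     # made-up token
JWK='{"e":"AQAB","kty":"RSA","n":"constructed-placeholder-not-a-real-modulus"}'
THUMB=$(jwk_thumbprint "$JWK")
KEYAUTHZ=$(key_authorization "$TOKEN" "$THUMB")
TXT=$(dns_01_txt "$KEYAUTHZ")
SNI=$(tls_sni_01_name "$KEYAUTHZ")

echo "HTTP-01 body : $KEYAUTHZ"
echo "DNS-01 TXT   : $TXT"
echo "TLS-SNI-01   : $SNI"

# Two tenants behind one IP. Only the first should pass, but the second has
# uploaded a self-signed certificate for the same .acme.invalid name.
LEGIT_CERT_SANS="$SNI"
ATTACKER_CERT_SANS="attacker.example $SNI"
ca_accepts_tls_sni "$SNI" "$LEGIT_CERT_SANS"    && echo "legitimate tenant: validated"
ca_accepts_tls_sni "$SNI" "$ATTACKER_CERT_SANS" && echo "co-tenant on same IP: ALSO validated (the flaw)"
```

HTTP-01 and DNS-01 do not have this problem on a shared host because answering them requires control of the domain's own document root or DNS zone, not merely a certificate slot on a shared IP address.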

How are Let’s Encrypt certificates issued?

Once authorized, the agent can easily request, renew and revoke certificates.

All it needs to do is send certificate management messages and sign them with the authorized key pair.

To obtain a certificate, the agent creates a CSR (Certificate Signing Request), which asks the Let’s Encrypt CA to issue a certificate for the given domain with a specified public key.

The agent then signs the CSR with the authorized key and sends it to the Let’s Encrypt CA.

If everything is fine, the latter will issue a certificate with the CSR-included public key and return it to the agent.

What are the differences between regular and Let’s Encrypt SSLs?

Let’s Encrypt offers you a free and automated way of obtaining SSL certificates for your sites, so you may ask yourself: “Why would I ever go with a regular SSL certificate?”.

Just like regular SSL certificates, Let’s Encrypt certificates offer basic SSL encryption, i.e. they give site visitors assurance that they are exchanging information with the domain that is visible in the address bar and that their personal data (login details, credit card information, etc.) cannot be eavesdropped.

Also, Let’s Encrypt certificates are trusted by all major browsers.

If a site is using a Let’s Encrypt SSL, you will see “https://” at the beginning of the URL in your browser’s address bar, along with a green padlock.

So, what Let’s Encrypt certificates offer is secure communication most site visitors will feel comfortable with.

However, as a business entity you may also need a certain security guarantee against online abuses and this is where commercial SSLs kick in.

Read further below to learn more about the differences between a Let’s Encrypt certificate and a regular SSL:

  • Warranty: Let’s Encrypt certificates do not include a warranty against misuse or mis-issuance, whereas regular SSLs do. While this may not be a problem for smaller websites, for larger organizations it most probably will be.
  • Wildcard Certificates: Let’s Encrypt does not offer wildcard or multi-domain certificates, whereas traditional CAs usually do.
  • Validity Period: Let’s Encrypt certificates are only valid for 90 days and must be renewed before they expire. Most regular SSL certificates are valid for at least one year. HTTPS site owners can also choose a longer validity period (3, 5, etc. years). On our platform, Let’s Encrypt certificates are renewed automatically, so you won’t have to worry about that.
  • Support: Let’s Encrypt does not offer assistance with creating or installing SSL certificates. Only community help is available. This can be an issue for organizations that need to quickly equip their business sites with an SSL. However, this is easily worked around by quickly re-generating and re-installing the problematic Let’s Encrypt SSL.

A Let’s Encrypt certificate or a commercial SSL – the final verdict

Both Let’s Encrypt and commercial SSLs will do the encryption job that is expected of them in order to protect your sites against interception and eavesdropping.

So, your choice will solely be determined by the type of site you manage, which in fact defines your security requirements.

If you own a non-commercial site, a blog or a photo gallery, or just need a quickly configurable, simple and free SSL certificate that you can obtain with minimum effort, then Let’s Encrypt is the way to go.

If you run an e-store or an enterprise site, then you will need to invest in a paid, warranty-equipped SSL certificate issued by an established CA.

Due to Google’s recently voiced intent to give HTTPS sites higher search rankings and the subsequent rise of authorized SSL resellers, the prices for commercial SSLs have been going down steadily.

Today, every e-commerce website owner can obtain an affordable commercial SSL certificate from a reputable authority.

We’ve already lowered the prices for both regular and wildcard certificates and are doing our best to make sure our customers get the best security insurance on the web.

How do I enable a Let’s Encrypt SSL certificate for my site?

You can request a Let’s Encrypt certificate for your sites with a click from the Hosted Domains section of the Web Hosting Control Panel.

In there, click on the Edit Host icon in the Actions column.

Then click on the SSL Certificates drop-down menu.

The ‘Request Let’s Encrypt SSL’ option is located at the bottom of the list of SSL options.

Once you’ve selected the Let’s Encrypt option, just click on the Edit Host button and allow a few seconds for the certificate to be generated.

NOTE: Make sure you’ve selected a shared SSL IP address (or a dedicated IP, if available) from the IP Address drop-down menu.

That’s it! The Let’s Encrypt certificate has been installed on the selected domain name.

Now your domain will feature a Let’s Encrypt icon in the SSL table.

You will now see a green padlock in front of your domain in your browser’s address bar.

All browsers will now recognize your site as being secure.

NOTE: Since the Let’s Encrypt certificate generation process involves domain/DNS validation, a domain needs to have valid NS records in order for the validation to go through.

For this reason, if the ‘Do Not Manage DNS’ option is enabled for a given domain, the Let’s Encrypt feature will not be visible.

How to ensure proper Let’s Encrypt certificate installation

Now that your site loads over HTTPS, you need to make sure that it is working properly and that http://www.my-site-name.net is pointing to https://www.my-site-name.net.

Here is how to check whether HTTPS has been properly set up on your site:

  • use an online service like SSL Labs, which can thoroughly examine the configuration of any SSL web server on the web;
  • visit some of your site’s pages and see if they all display a green padlock to the left of the URL.

Now that your site loads over HTTPS, you need to redirect all HTTP URLs to their HTTPS counterparts. You can do that by adding a few lines of code in your .htaccess file.

This way, you tell the search engines to index only the HTTPS URLs from now on.

To test whether or not the HTTP->HTTPS redirection has successfully gone through, you can do the following:

  • enter your-domain.com in the Google search bar;
  • check if all of the indexed links have been properly redirected and are now using the HTTPS protocol.
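A programmatic version of the redirect check above, added here as an example (not the page's own or the hosting platform's code): it follows a redirect chain and reports anything that would keep search engines or visitors on HTTP, such as a temporary redirect, a changed path, a loop or a missing HSTS header. The responses are constructed and embedded so it runs offline; a real check would fetch them with an HTTP client and would also need to resolve relative Location headers, which this example assumes are absolute.

```python
from urllib.parse import urlsplit

# Constructed sample responses keyed by URL: (status, headers).
SAMPLE_RESPONSES = {
    "http://www.my-site-name.net/": (301, {"Location": "https://www.my-site-name.net/"}),
    "https://www.my-site-name.net/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    "http://www.my-site-name.net/blog/": (302, {"Location": "http://www.my-site-name.net/blog/index.php"}),
    "http://www.my-site-name.net/blog/index.php": (200, {}),
    "http://www.my-site-name.net/loop": (301, {"Location": "http://www.my-site-name.net/loop"}),
}

REDIRECTS = (301, 302, 303, 307, 308)
PERMANENT = (301, 308)


def check_https_redirect(start_url, responses, max_hops=5):
    """Follow redirects from an http:// URL and report whether it ends at the
    https:// version of the same host and path via a single permanent redirect.
    Returns (ok, findings); findings lists every problem observed."""
    findings = []
    start = urlsplit(start_url)
    url, hops = start_url, 0
    while True:
        if url not in responses:
            findings.append(f"no response recorded for {url}")
            break
        status, headers = responses[url]
        if status in REDIRECTS:
            hops += 1
            if hops > max_hops:
                findings.append("redirect loop or too many hops")
                break
            if status not in PERMANENT:
                findings.append(f"{url}: temporary redirect ({status}); search engines keep the old URL")
            url = headers.get("Location", "")
            continue
        final = urlsplit(url)
        if final.scheme != "https":
            findings.append(f"final URL {url} is not served over HTTPS")
        if final.netloc != start.netloc or final.path != start.path:
            findings.append(f"redirect changed host or path: {start_url} -> {url}")
        if hops > 1:
            findings.append(f"{hops} hops instead of a single direct redirect")
        if "Strict-Transport-Security" not in headers:
            findings.append("no HSTS header on the final HTTPS response")
        break
    return (not findings, findings)


if __name__ == "__main__":
    for page in ("/", "/blog/", "/loop"):
        ok, findings = check_https_redirect("http://www.my-site-name.net" + page, SAMPLE_RESPONSES)
        print(page, "OK" if ok else findings)
```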

Keep in mind that it will take some time until the Googlebot picks up the redirection.

Plus, you will need to submit an updated sitemap for your site.

Since the Search Console treats the HTTP and HTTPS versions as completely separate sites, you will need to add a new HTTPS property first and then re-submit your sitemap.

If you get mixed HTTP/HTTPS content warnings, you can fix them using tools like the SSL Insecure Content Fixer.

A revolutionary initiative, Let’s Encrypt is the fruit of a great community effort. It still has a long way to go as far as global SSL usage is concerned, but it already plays an important role in making the digital world we live in a better place.

We’ll soon give you more information about the newly enabled Let’s Encrypt certificates, so stay tuned!

The Stack Clash vulnerability threatens the Linux world. System patches on the way.

After a short intermission, the digital world is once again facing a major security threat. The so-called Stack Clash vulnerability is threatening major Unix-based OSes like Linux, FreeBSD and OpenBSD.

We have applied to our web hosting platform all the patches that have been released by the affected OS vendors thus far.

Learn more about the origins of the Stack Clash vulnerability and the attack patterns it uses to endanger systems.

What is the Stack Clash vulnerability all about?

Stack Clash follows the well-known privilege escalation scenario.

At its heart is a longstanding OS flaw that lets attackers elevate their privileges and get root access.

This way, a user could gain control over the processes another user is running on the same server, which is a great concern for web hosting providers.

The vulnerability derives its name from a region of memory called the stack, which every running program uses.

This memory region can grow automatically on demand. However, if it grows too much and gets too close to another memory region, the respective program may confuse the two.

That moment of confusion is exactly what an attacker could use to exploit the given system and overwrite the stack with the other memory region (or vice versa).

The security specialists at Qualys have figured out how such an attack in fact works by locating a series of vulnerabilities.

First, the CVE-2017-1000364 vulnerability can be used to force a given stack to interfere with another memory region and stir up a confusion like the one mentioned above.

Then another security flaw, CVE-2017-1000367, can be combined with the primary Stack Clash vulnerability so as to obtain full root privileges.

The researchers at Qualys have also expressed their concerns about the possibility of a remote vulnerability exploitation, which makes Stack Clash an even more serious issue.

In fact, the history of stack clashes can be traced back to 2005, when they were first discovered by the security researcher Gaël Delalleau.

They were re-discovered 5 years later, which made Linux developers start thinking of a reliable long-term patch for the Stack Clash flaw.

The so-called stack guard page they introduced was meant to stop a given stack memory region from interfering with other memory regions.

However, attackers seem to have managed to outsmart the guard-page protection measure and break into computer systems during moments of confusion such as the above-described one.

System patches for the Stack Clash vulnerability on the way

The rediscovery of the Stack Clash flaw spread like wildfire across the Internet on Monday, urging the affected distributors and system administrators to take immediate measures to patch things up.

The affected OS vendors started working on bug fixes. Red Hat, for instance, came up with an immediate kernel patch, which may cause performance issues but has no noticeable effect on normal operations.

Others, including the upstream Linux kernel, are expected to release patches any moment now.

We’ll be keeping a watch out for any new patches and will keep you posted on all upcoming updates, so stay tuned.

The .FI domain extension is now live on our platform

The country-code Top-Level Domain for Finland, .FI, has finally arrived on our platform!

Now Finnish customers and individuals, as well as any business entity from around the world that is somehow connected to Finland, can register their own .FI domain name with us.

The history behind the .FI ccTLD

.FI was born back in 1986. The administration of the TLD itself was first granted to the University of Technology in Tampere and later transferred to FICORA (Finnish Communications Regulatory Authority).

In the beginning, only trademark-owning companies could register .FI domains, which forced many Finnish residents to choose different TLD extensions for their websites instead.

Luckily, the policy was liberalized in 2003, allowing any Finnish company to apply for an .FI-adorned domain.

A few years later, in 2006, individuals were also permitted to register .FI domain names.

It was not until September 2016, however, that the .FI ccTLD finally ‘crossed’ the national border and became open for registration to any entity in the world wishing to secure an .FI-driven web presence.

.FI domain registration details

The registration restrictions were loosened at the end of 2016 and now any entity that is doing business in Finland or that is somehow related to the country can register a domain name under .FI.

Depending on whether the .FI domain registrant is an individual or a company/organization, there are different requirements to take into account.

Individuals will need to supply the following details when registering an .FI domain:

  • HETU number (if Finnish) or Date of birth (if not Finnish) for the Registrant Contact

Companies and organizations in turn will be asked to submit the following information when registering an .FI domain:

  • Y-tunnus number (if Finnish) or Company Registration Number (if not Finnish) for the Registrant Contact;

NOTE: .FI domains featuring company names or trademarks can only be registered by their respective owners.

Although .FI domains may contain Scandinavian letters (ä, å, ö), most applicants prefer to use ‘a’ and/or ‘o’ instead.

The registration period for .FI domains is 1-5 years.

.NO – the official ccTLD for Norway, is now up for registration on our platform

The country-code Top-Level Domain for Norway rounds up the list of Scandinavian domain names on our platform.

It follows the recent launch of .FI, which was preceded by the introduction of .DK and the .SE price update.

Now you have the entire arsenal of Scandinavia-related ccTLDs to target the lucrative North European market.

Learn more about the importance of the .NO extension to the local and regional markets and the respective .NO domain registration specifics from our post.

The history behind the .NO ccTLD

The .NO country-code TLD is presently managed by Norid, which is a subsidiary of the state-owned Uninett and operates under the supervision of the Norwegian Post and Telecommunications Authority.

In 1983, the administration of the .NO ccTLD was granted to a local Internet specialist working for the Norwegian Telecommunications Administration’s Research Institute.

However, the workload became too high and the need for a non-commercial organization to step in arose. This is how the responsibility was transferred to Uninett in 1987.

The state-wide penetration of the Internet caused a boom of registrations and 1995 saw the 1000th .NO domain registrant.

In 1996, Norid was established as a division within Uninett. In 2003, Uninett Norid was registered as a separate limited company to secure the management of the extension within an independent organization.

Until 2001, there were tight .NO domain registration restrictions – a given organization could register only one single domain name, which was manually verified by Norid, since trademark ownership had to be proven.

The registration rules were liberalized in 2001 when the process became automated and a dispute resolution policy was introduced.

This led to a boom of registrations and the number of .NO domain-fitted websites exceeded 100,000 in less than a year.

At first, a .NO domain could contain only the basic Latin letters, but in 2004 twenty-three characters from the Norwegian and Sami languages were ‘whitelisted’.


Since 2007, registrants have been able to get an all-numerical .NO domain name as well.

All that resulted in a further increase in the number of registered .NO domains, which reached 500,000 in 2011.

Since November 2011, organizations have been permitted to register 100 domains. Three years later, individuals became officially eligible to register a .NO domain.

.NO domain registration requirements

As of now, .NO domains are only open to organizations/companies and individuals with a local presence in Norway.

Here are the requirements an organization/individual must comply with in order to obtain a .NO domain name:

Organizations/Companies:

  • must be registered with the Central Coordinating Register for Legal Entities;
  • must have an organization number;
  • must have a postal address in Norway;
  • must be able to document activity in Norway upon request from the Norid registry;

There is a limit on the number of .NO domains a single entity is allowed to register.

Individuals:

  • must be at least 18 years old;
  • must be registered in the National Registry;
  • must have been issued a national identity number;
  • must be residents of Norway;

A single person can register up to 5 .NO domains.

NOTE: If a person moves to another country, they will retain ownership of their existing .NO domain(s), but will not be able to register another .NO domain while living abroad.

Syntax requirements:

  • .NO domain names must consist of 2 to 63 characters;
  • they must start and end with a digit or a letter;
  • they may contain only the following characters: the ISO basic Latin alphabet (A-Z), digits (0-9), the hyphen (-), the Norwegian letters æ, ø and å, and the 20 special Sami letters (á·à·ä·č·ç·đ·é·è·ê·ŋ·ń·ñ·ó·ò·ô·ö·š·ŧ·ü·ž).
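The syntax rules above turned into a pre-submission check, added here as an example (not the page's own or Norid's code): it validates the label to the left of ‘.no’ against the length, first/last character and permitted character set, after Unicode-normalising the input so that ‘å’ typed as ‘a’ plus a combining ring is treated the same as the precomposed letter. Reserved names (place names, islands) are a registry-side check this example does not cover.

```python
import unicodedata

# Character classes from the Norid syntax rules listed above.
LATIN_DIGITS = set("abcdefghijklmnopqrstuvwxyz0123456789")
NORWEGIAN = set("æøå")
SAMI = set("áàäčçđéèêŋńñóòôöšŧüž")  # the 20 Sami letters permitted since 2004
LETTER_OR_DIGIT = LATIN_DIGITS | NORWEGIAN | SAMI
ALLOWED = LETTER_OR_DIGIT | {"-"}


def check_no_label(label: str) -> list:
    """Check the part left of '.no' against the syntax rules; return the list of
    violations (empty means the label is syntactically acceptable)."""
    # Normalise first: matching against the character set must not depend on
    # whether the user typed a precomposed letter or a base letter plus accent.
    l = unicodedata.normalize("NFC", label).lower()
    problems = []
    if not 2 <= len(l) <= 63:
        problems.append(f"length {len(l)} is outside 2-63 characters")
    if l and not (l[0] in LETTER_OR_DIGIT and l[-1] in LETTER_OR_DIGIT):
        problems.append("must start and end with a letter or digit")
    bad = sorted({c for c in l if c not in ALLOWED})
    if bad:
        # Catches underscores, spaces, other scripts and look-alike characters.
        problems.append("character(s) not permitted: " + " ".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real registrations.
    for candidate in ["bærum", "sámi-radio", "-abc", "my_site", "a"]:
        print(candidate, check_no_label(candidate) or "OK")
```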

A large number of domains are unavailable for registration, including names of geographical settlements and islands, which may become second-level domains in the future.

Upon registering a .NO domain, the registrant signs a declaration that they are not infringing on the rights of other parties and that they will assume full responsibility for any consequences resulting from their use of the given domain.

The strict regulations have helped Norid keep cybersquatting and warehousing to a minimum.

How to register a .NO domain name

The extra local presence requirement renders registering a .NO domain more time-consuming than registering a .COM domain, for example.

Apart from the regular registration procedure on our site, the registrant will also need to go through a few extra validation steps.

Here is an overview of the typical .NO domain registration procedure:

  1. The registrant selects the desired domain and fills out the domain registration form.
  2. The registrant will receive an email from us containing a link to a ticket in our Control Panel, created by one of our support representatives exclusively for the given .NO domain registration; the email will also contain a link to an online declaration form on Norid’s site, which the registrant must fill out in order to proceed with the registration.
  3. Once the online form has been filled out, the registrant will receive a .ZIP file via email, which must then be sent to us via the same ticket along with the following documents:
     • a copy of their ID card/driver’s license/passport (for individuals);
     • a copy of a (stamped) certificate of incorporation (for organizations/companies).

For individuals: along with the .ZIP file, the registrant will also need to send us their PID number, which we’ll need to apply on our end as well.

Once we’ve got all the required information (the .ZIP file with the respective ID/certificate copies, and the PID number if the registrant is an individual), we’ll submit your registration request to the registry and will do our best to complete the registration process as soon as possible.