Most Registrars Are Clueless about SSL
Have you encrypted your website yet? Reputable organizations around the globe are planning to implement HTTPS as described in Show Customers You Are Serious About Security. No one can intercept customer browsing sessions or reverse engineer the keywords used to access your site. Further, Google and Bing are giving higher search rankings to HTTPS sites.
The problem is that most registrars appear to be clueless about SSL.
It’s bad enough that there are low assurance encryption certificates to dupe unsuspecting buyers into purchasing near worthless protection. Now the Open Source community is being exposed by wave after wave of vulnerabilities, including SSL specific exploits like Freak and Poodle.
If you have implemented SSL, you should test your security with some of the online tools listed below:
As part of various search and security exams, we’ve found nearly 75% of customers that have implemented SSL have weak or vulnerable encryption. A SSL scan of the major registrars begins to reveal why by viewing overall security ratings:
- Network Solutions: Grade C for chain issues, only supporting older protocols, and accepting old ciphers.
- GoDaddy: Grade C for only supporting older protocols, accepting old ciphers, and failing to support forward secrecy.
- Register: Grade F for Poodle vulnerability, weak certificate signatures, old ciphers, and no forward secrecy.
A test of some of our own websites hosted on Network Solutions also revealed vulnerability for the FREAK Attack. We submitted a high severity case to Network Solutions Support with URL of the scan. The case was immediately and summarily closed simply stating we should update our browser with no e-mail or phone call.
While you should update your workstation browser regularly, the fix on the server-side is also to patch and remove or correct errant web server configurations. Again, all customers should test their website and notify their web host for any listed vulnerabilities. Per the Microsoft Product Lifecycle, web servers running Internet Information Server 6 are no longer supported after July 14, 2015.
If you represent Network Solutions and want to step up your customer service and server security, we have an outstanding support ticket #4414169 with the cell number of a direct contact.