SSL: Adding a SAN to a UCC

“Hey, witch doctor, give us the magic words!”
(The Cartoons)

One of my servers has an SSL certificate from GoDaddy. More specifically, this is a Unified Communications Certificate (UCC), so it can have up to 5 domain names. I originally registered 3 names, and I recently needed to add a 4th. The good news is that GoDaddy let you specify extra names through their web interface and download the new certificate without charging any extra money. The bad news is that they don’t provide any documentation on installing the new certificate.

Continue reading “SSL: Adding a SAN to a UCC”

Online banking

In part 1 of my LUA series, I mentioned a virus that modified the HOSTS file on a PC. This meant that each time someone tried to connect to their banking website, they actually went to a fake website instead, even though they’d typed in the correct URL. This could also be a problem if your DNS server gets compromised, or if someone reconfigures your wireless router so that you use a rogue DNS server.

One way to protect yourself is to use https. If you know the correct address for the website, and you see a padlock in the address bar, you can be confident that this is the real site. (This isn’t an absolute guarantee, e.g. if your PC is infected by a virus then it could add some self-signed certificates to your trusted store. However, it’s certainly a step in the right direction. Unfortunately, lots of banks haven’t quite grasped this concept.

Continue reading “Online banking”

Digital certificates

I’ve been taking an interest in computer security recently, and as part of that I’ve been investigating digital certificates, primarily in the context of code signing (e.g. applications/macros/plugins).

There seem to be two main misconceptions here (at opposite ends of the scale), which are worth addressing:

1. “If something has been signed then it’s safe.”

2. “Just because something’s been signed, that’s no guarantee of safety, therefore signing is pointless, and it’s just a way for Microsoft to extort money from people while spreading FUD.” (FUD = Fear, Uncertainty, and Doubt.)

Continue reading “Digital certificates”