  • UPDATE Supercloud SET status = ‘open alpha’ WHERE product = ‘D1’;

     

    In May 2022, we announced our quest to simplify databases – building them, maintaining them, integrating them. Our goal is to empower you with the tools to run a database that is powerful, scalable, with world-beating performance without any hassle. And we first set our sights on reimagining the database development experience for every type of user – not just database experts.

    Over the past couple of months, we’ve been working to create just that, while learning some very important lessons along the way. As it turns out, building a global relational database product on top of Workers pushes the boundaries of the developer platform to their absolute limit, and often beyond them, but in a way that’s absolutely thrilling to us at Cloudflare. It means that while our progress might seem slow from outside, every improvement, bug fix or stress test helps lay down a path for all of our customers to build the world’s most ambitious serverless application.

    However, as we continue down the road to making D1 production ready, it wouldn’t be “the Cloudflare way” unless we stopped for feedback first – even though it’s not quite finished yet. In the spirit of Developer Week, there is no better time to introduce the D1 open alpha!

    An “open alpha” is a new concept for us. You’ll likely hear the term “open beta” on various announcements at Cloudflare, and while it makes sense for many products here, it wasn’t quite right for D1. Some crucial pieces are still in active development and testing, so before we release the fully formed D1 as a public beta for you to build real-world apps with, we want to make sure everybody can start to get a feel for the product on their hobby apps or side projects.

    What’s included in the alpha?

    While a lot is still changing behind the scenes with D1, we’ve put a lot of thought into how you, as a developer, interact with it – even if you’re new to databases.

    Using the D1 dashboard

    In a few clicks you can get your D1 database up and running right from within your dashboard. In our D1 interface, you can create, maintain and view your database as you please. Changes made in the UI are instantly available to your Worker – no redeploy required!

    Use Wrangler

    If you’re looking to get your hands a little dirty, you can also work with your database using our Wrangler CLI. Create your database and begin adding your data manually, or bootstrap your database in one of two ways:

    1. Execute an SQL file

    $ wrangler d1 execute my-database-name --file ./customers.sql
    

    where your .sql file looks something like this:

    customers.sql

    DROP TABLE IF EXISTS Customers;
    CREATE TABLE Customers (CustomerID INT, CompanyName TEXT, ContactName TEXT, PRIMARY KEY (`CustomerID`));
    INSERT INTO Customers (CustomerID, CompanyName, ContactName) 
    VALUES (1, 'Alfreds Futterkiste', 'Maria Anders'),(4, 'Around the Horn', 'Thomas Hardy'),(11, 'Bs Beverages', 'Victoria Ashworth'),(13, 'Bs Beverages', 'Random Name');
    

    2. Create and run migrations

    Migrations are a way to version your database changes. With D1, you can create a migration and then apply it to your database.

    To create the migration, execute:

    wrangler d1 migrations create  
    

    This will create an SQL file in a migrations folder where you can then go ahead and add your queries. Then apply the migrations to your database by executing:

    wrangler d1 migrations apply 
    

    Access D1 from within your Worker

    You can attach your D1 database to a Worker by adding a D1 binding to your wrangler.toml configuration file. Then interact with D1 by executing queries inside your Worker like so (note that the company name is handed to the statement through .bind() rather than concatenated into the SQL string; keep it that way for any value that comes from a request):

    export default {
     async fetch(request, env) {
       const { pathname } = new URL(request.url);
    
       if (pathname === "/api/beverages") {
         const { results } = await env.DB.prepare(
           "SELECT * FROM Customers WHERE CompanyName = ?"
         )
           .bind("Bs Beverages")
           .all();
         return Response.json(results);
       }
    
       return new Response("Call /api/beverages to see Bs Beverages customers");
     },
    };
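The reason the Worker above hands the company name to .bind() instead of pasting it into the query string is SQL injection. The following is an added example, not code from the Cloudflare post: because D1 is built on SQLite, the same query is run here with Python’s sqlite3 module against an in-memory database seeded with the customers.sql rows above, once with the value spliced into the statement text and once bound as a parameter (the equivalent of D1’s .bind()). The function names and the injected input are this example’s own.

```python
import sqlite3

# Constructed sample data, mirroring the customers.sql file above.
SEED_SQL = """
CREATE TABLE Customers (CustomerID INT, CompanyName TEXT, ContactName TEXT, PRIMARY KEY (CustomerID));
INSERT INTO Customers (CustomerID, CompanyName, ContactName) VALUES
  (1, 'Alfreds Futterkiste', 'Maria Anders'),
  (4, 'Around the Horn', 'Thomas Hardy'),
  (11, 'Bs Beverages', 'Victoria Ashworth'),
  (13, 'Bs Beverages', 'Random Name');
"""

def open_db() -> sqlite3.Connection:
    """Fresh in-memory SQLite database (D1 is SQLite underneath) with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn

def customers_unsafe(conn: sqlite3.Connection, company: str) -> list:
    """VULNERABLE: the untrusted value becomes part of the SQL text, so quotes
    and keywords inside it change what the statement means."""
    sql = f"SELECT CustomerID, CompanyName, ContactName FROM Customers WHERE CompanyName = '{company}'"
    return conn.execute(sql).fetchall()

def customers_safe(conn: sqlite3.Connection, company: str) -> list:
    """SAFE: the statement text is constant; the value travels separately as a
    bound parameter and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT CustomerID, CompanyName, ContactName FROM Customers WHERE CompanyName = ?"
    return conn.execute(sql, (company,)).fetchall()

def compare(company: str) -> dict:
    """Run both variants on a fresh database and return the rows each one hands back."""
    conn = open_db()
    try:
        return {"unsafe": customers_unsafe(conn, company),
                "safe": customers_safe(conn, company)}
    finally:
        conn.close()

if __name__ == "__main__":
    for value in ("Bs Beverages", "x' OR '1'='1"):
        out = compare(value)
        print(f"{value!r}: unsafe -> {len(out['unsafe'])} rows, safe -> {len(out['safe'])} rows")
```

For an honest company name both paths return the same two rows; for the crafted input the spliced statement becomes `... WHERE CompanyName = 'x' OR '1'='1'` and returns the whole table, while the bound version looks for a company literally named `x' OR '1'='1` and returns nothing. The same rule applies to the numbered `?1` placeholders used by workers-qb.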
    

    Or access D1 from within your Pages Function

    In this Alpha launch, D1 also supports integration with Cloudflare Pages! You can add a D1 binding inside the Pages dashboard, and write your queries inside a Pages Function to build a full-stack application! Check out the full documentation to get started with Pages and D1.

    Community built tooling

    During our private alpha period, the excitement behind D1 led to some valuable contributions to the D1 ecosystem and developer experience by members of the community. Here are some of our favorite projects to date:

    d1-orm

    An Object Relational Mapping (ORM) is a way for you to query and manipulate data by using JavaScript. Created by a Cloudflare Discord Community Champion, the d1-orm seeks to provide a strictly typed experience while using D1:

    import { Model } from "d1-orm";
    import type { Infer } from "d1-orm";
    
    const users = new Model(
        // table name, primary keys, indexes etc
        tableDefinition,
        // column types, default values, nullable etc
        columnDefinitions
    )
    
    // TS helper for typed queries
    type User = Infer<typeof users>;
    
    // ORM-style query builder
    const user = await users.First({
        where: {
            id: 1,
        },
    });
    

    You can check out the full documentation, and provide feedback by making an issue on the GitHub repository.

    workers-qb

    This is a zero-dependency query builder that provides a simple standardized interface while keeping the benefits and speed of using raw queries over a traditional ORM. While not intended to provide ORM-like functionality, workers-qb makes it easier to interact with the database from code for direct SQL access:

    import { D1QB } from 'workers-qb'
    
    const qb = new D1QB(env.DB)
    
    // Values are passed as numbered parameters (?1), never spliced into the SQL text
    const fetched = await qb.fetchOne({
      tableName: 'employees',
      fields: 'count(*) as count',
      where: {
        conditions: 'department = ?1',
        params: ['HQ'],
      },
    })
    

    You can read more about the query builder here.

    d1-console

    Instead of running the wrangler d1 execute command in your terminal every time you want to interact with your database, you can interact with D1 from within the d1-console. Created by a Discord Community Champion, this gives the benefit of executing multi-line queries, obtaining command history, and viewing a cleanly formatted table output.

    While this is a community project today, we plan to natively support a “D1 Console” in the future. For now, get started by checking out the d1-console package here.

    D1 adapter for Kysely

    Kysely is a type-safe and autocompletion-friendly typescript SQL query builder. With this adapter you can interact with D1 with the familiar Kysely interface:

    // Create Kysely instance with kysely-d1
    const db = new Kysely({ 
      dialect: new D1Dialect({ database: env.DB })
    });
        
    // Read row from D1 table
    const result = await db
      .selectFrom('kv')
      .selectAll()
      .where('key', '=', key)
      .executeTakeFirst();
    

    Check out the project here.

    What’s still in testing?

    The biggest pieces that have been disabled for this alpha release are replication and JavaScript transaction support. While we’ll be rolling out these changes gradually, we want to call out some limitations that exist today that we’re actively working on testing:

    • Database location: Each D1 database only runs a single instance. It’s created close to where you, as the developer, create the database, and does not currently move regions based on access patterns. Workers running elsewhere in the world will see higher latency as a result.
    • Concurrency limitations: Under high load, read and write queries may be queued rather than triggering new replicas to be created. As a result, the performance & throughput characteristics of the open alpha won’t be representative of the final product.
    • Availability limitations: Backups will block access to the DB while they’re running. In most cases this should only be a second or two, and any requests that arrive during the backup will be queued.

    You can also check out a more detailed, up-to-date list on D1 alpha Limitations.

    Request for feedback

    While we can make all sorts of guesses and bets on the kind of databases you want to use D1 for, we are not the users – you are! We want developers from all backgrounds to preview the D1 tech at its early stages, and let us know where we need to improve to make it suitable for your production apps.

    For general feedback about your experience and to interact with other folks in the alpha, join our #d1-open-alpha channel in the Cloudflare Developers Discord. We plan to make any important announcements and changes in this channel as well as on our monthly community calls.

    To file more specific feature requests (no matter how wacky) and report any bugs, create a thread in the Cloudflare Community forum under the D1 category. We will be maintaining this forum as a way to plan for the months ahead!

    Get started

    Want to get started right away? Check out our D1 documentation to get started today. Build our classic Northwind Traders demo to explore the D1 experience and deploy your first D1 database!

    Article published on The Cloudflare Blog by Nevi Shah

  • HTTP vs HTTPS: What’s the Difference Between the HTTP and HTTPS Protocols?

     

    The difference between HTTP and HTTPS can be the difference between your business being successful or suffering a data breach. Let’s quickly highlight the key differences you should know about these two foundational connection types.

    HTTP, or Hypertext Transfer Protocol, is what a website falls back to when it has no special security credential called an SSL/TLS certificate. See that padlock near the top of your browser window? That means you’re using HTTPS, which is a secure connection (hence the “S” at the end). If you don’t see one, you’re using an insecure (unprotected) connection that leaves your data open to being read and altered in transit. (In a nutshell, that’s the difference between HTTP vs HTTPS.)

    Unless you like handing out your most sensitive data like it’s Halloween candy, you’ll want to ensure you’re using HTTPS for all of your website connections.

    But aside from adding an extra letter at the end of the acronym, what is the difference between HTTP and HTTPS? Don’t worry, we’ll cover everything you need to know in just a few moments.

    Let’s hash it out.

    A 2-Minute Overview of HTTP vs HTTPS and Their Differences

    HTTP and HTTPS are both internet connection protocols — meaning they’re sets of rules that govern how you transmit data remotely between parties. (For example, between your website and the customers who connect to it.)

    The difference between the two boils down to data security: One secures data in transit (HTTPS) using verified identity and public key cryptography while the other does not (HTTP). This means that while data is transmitting via HTTP, it’s vulnerable to interception attacks (i.e., man-in-the-middle attacks). HTTPS is basically HTTP with a little something “extra.”

    HTTPS = HTTP + Transport Layer Security (TLS)

    TLS is the successor of SSL, which you’ve likely heard of, and requires a site owner to install a special digital certificate called an SSL/TLS certificate (AKA a website security certificate). TLS wraps the traditional HTTP request and response messages in an authenticated, encrypted channel: the certificate lets the browser verify the server’s identity, and the encryption means anyone intercepting the traffic can neither read it nor silently alter it in transit.

    We won’t get into all of the technical nitty-gritty of how HTTPS works here — there’s not enough time for that in this article. Instead, take a look at the following illustration to see the difference between HTTP and HTTPS when it comes to securing website connections:

    Image caption: A set of diagrams that display the difference between HTTP and HTTPS to secure data in transit.

    Here’s a quick-glance guide that highlights the differences of HTTP vs HTTPS:

    Type of Protocol
      HTTP: Hypertext Transfer Protocol. A set of rules for transmitting data in plaintext.
      HTTPS: Hypertext Transfer Protocol Secure. The same rules wrapped in TLS, so that data in transit is encrypted and the server’s identity is verified, which protects it against unauthorized reading or tampering on the way.

    Simplified Definition
      HTTP: Like sending a postcard that anyone handling it can read or alter.
      HTTPS: Like sending an enciphered message that only the intended recipient can decipher, sealed in an envelope with a wax stamp that reveals tampering.

    Requests and Responses
      HTTP: Request and response data for your website is not encrypted.
      HTTPS: Uses Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), to encrypt data in transit.

    Default Port
      HTTP: Port 80
      HTTPS: Port 443

    How to Enable It
      HTTP: Nothing special; this is what a web server speaks when no SSL/TLS certificate is installed and no redirect to HTTPS is configured.
      HTTPS: Requires installing an SSL/TLS certificate on your server containing verified information about your domain (and, for OV/EV certificates, your organization).

    How You Know It’s Enabled
      HTTP: The browser flags the connection as not secure (icons vary by browser): a padlock with a line through it, an exclamation mark, or a padlock with an exclamation mark and “HTTPS” shown struck through. The address begins with “http://” (you may have to click the address bar to see the scheme).
      HTTPS: A locked padlock icon indicating that the connection (not the website’s content) is secure, and an address beginning with “https://” (again, you may have to click the address bar to see it).

    Security Risks
      HTTP: Vulnerable to man-in-the-middle (MitM) attacks in which an attacker on the network path intercepts your communications and steals, manipulates or deletes data in transit.
      HTTPS: The recommended mechanism for protecting data in transit against MitM attacks and related issues.

    Performance
      HTTP: Marginally faster than HTTPS because there is no handshake or encryption, but the difference is negligible and does not outweigh the security benefits.
      HTTPS: Slightly slower than HTTP in principle, but HTTP/2, which browsers only negotiate over TLS, brings header compression and multiplexing that typically make HTTPS sites faster than HTTP/1.1 sites in practice.

    Why You Should Use HTTPS Instead of HTTP

    When users visit websites loading via HTTP, they’ll see “Not Secure” messages that caution them against proceeding any further. As you can imagine, these warnings can have negative effects on your reputation and relationship with customers. After all, why should they trust you when you’re making no visible effort to keep their data secure? They shouldn’t, and rightfully so. This is why you need to step up and do something about it to make your website more secure.

    Before the internet, you physically had to meet up with someone to securely exchange data. (Think of clandestine meetups in classic spy movies). Otherwise, you’d risk a message being intercepted where someone could make unauthorized changes to its contents, and you’d never know the difference.

    In an age of near-instantaneous communications, these time-consuming and expensive rendezvous are no longer necessary. Public key encryption, which is at the core of what makes HTTPS possible, enables people the world over to engage in secure remote communications.

    Enabling HTTPS on your website is a smart move for several key reasons:

    • Resolves the confidentiality and integrity problems that plague HTTP requests and responses
    • Requires the verification of your site’s digital identity
    • Gets rid of the ugly “Not Secure” and “Insecure Website” warnings that drive away customers

    How HTTP & HTTPS Sites Display in Your Browser (Chrome, Firefox, and Microsoft Edge)

    Look at the web address bar in the Google Chrome browser: Is there a locked padlock icon displaying? How about an “https://” displaying in the URL itself when you click on it? If you answer yes to either (or both) of these questions, great! This means you’re using a secure, encrypted connection.

    Image caption: A screenshot example of a secure website that’s using an HTTPS connection. This is demonstrated through the inclusion of the security padlock icon to the left of the website URL.

    If your answer is no because you’re not seeing a locked padlock in Chrome but are seeing an exclamation point (or a padlock with an exclamation point), it means the website is using HTTP and isn’t secure:

    Image caption: A screenshot of an insecure (HTTP) website as it displays in Google Chrome. This exclamation point is meant to catch the user’s attention and warn them that the website is insecure.
    Image caption: A look at how Google Chrome displays certificate error messages (in this case, BadSSL.com’s example of an expired SSL/TLS certificate).

    Unsurprisingly, browsers like to put their own spins on things. Mozilla’s Firefox browser takes a slightly different approach, displaying the padlock with a red line through it in the address bar:

    Image caption: A screenshot of a website that’s loaded via an insecure (HTTP) connection on Firefox. The same concept applies here as with Chrome — only this time, it uses a red slash to indicate the website’s insecurity.

    Similar to Google Chrome, Microsoft’s Edge browser also wants it to be obvious that you’re using an insecure website. They use virtually the same UI with a combination of colored exclamation points and strikethrough text to catch your attention — they just don’t use as much red as Chrome for SSL/TLS related error messages. For example, check out this screenshot from an example insecure website:

    Image caption: A screenshot of a website loaded via an insecure (HTTP) connection in the Microsoft Edge browser. This is like the love child of Chrome and Firefox’s warning indicators: It has the exclamation and “Not Secure” message like Chrome but the red coloration like the slash mark in Firefox.

     

    Final Thoughts on HTTP vs HTTPS Differences

    It’s easy to see why enabling HTTPS on your website is a no-brainer. While HTTP is technically faster, that advantage gets blown out of the water when you consider the security advantages that its more secure counterpart offers. HTTPS pairs verified digital identity with encryption to ensure that only the intended party can read the data you exchange and that nobody can alter it on the way. HTTPS clearly wins the “HTTP vs HTTPS” battle.

    In the overwhelming majority of situations, there’s no excuse for using an insecure HTTP connection for your website. The few-and-far-between exceptions would be purely informational websites where users neither submit nor receive sensitive information. Even then there may be an admin login URL, and a plain HTTP page can have its content altered or injected by anyone on the network path, so HTTPS still protects the integrity of what your visitors see. If your organization has an ecommerce store, lets users log in, or otherwise collects sensitive data, then you’d better secure your website ASAP with HTTPS.

    Any delay further leaves your (and your customers’) data open to theft, modification, and other issues.

     

  • 5 Examples of When to Use a Digital Signature Certificate

     

    Whether you’re a software creator or sales manager, digital signatures are essential to the security and authenticity of your data. Here are several of the ways that you can use digital signature certificates to enhance trust in your organization.

    We live in a world where you really have to question everything: is this email from your boss legitimate? Is the software update you want to install authentic, or is it a trojan that’s waiting to infect your device? When you log in to your favorite eCommerce website, how do you know it’s legitimate?

    A digital signature certificate could hold the answer in all of these cases. These tiny data files help your web or email client verify that the file or other party you’re connecting to is trustworthy and authentic. This way, you don’t inadvertently share your sensitive login information or other data with cybercriminals.

    But how can you use digital signature certificates to your advantage? We’ll go over all of that in just a few moments. But first, we think it would benefit our newer readers to briefly recap what a digital signature is and why you need a digital signature certificate to create it.

    Note: If you’re already well acquainted with digital signatures and digital signature certificates, jump ahead to our list of digital signature certificate use cases.

    What Is a Digital Signature? A Quick Recap

    Digital signatures, also called public key signatures, are a cryptographic method of showing who created a digital asset and ensuring the item hasn’t been changed by another party. Examples of such assets include emails, PDFs, Word files, software executables and scripts, etc. Applications frequently use visual marks of some kind (e.g., a ribbon mark in Microsoft Outlook) to represent digital signatures.

    These signatures are trusted because creating one requires a private key that only you hold, and the matching public key is bound to your vetted identity in a special file called a digital signature certificate. Before a publicly trusted third party (called a certificate authority, or CA) issues that certificate, it carefully vets your identity. Once you start signing with it, anyone who receives something you signed can check that it was signed with your key and hasn’t been altered since, and that the key belongs to a validated identity.

    Digital signatures are a type of electronic signature. But unlike regular electronic signatures, which generally look similar to handwritten signatures, digital signatures might not look anything like traditional signatures. Here are a few quick examples to showcase the difference between electronic and digital signatures:

    Image caption: A visual comparison that shows the difference between some of the visual indicators that may display for an electronic signature (left) and a digital signature (right).

    How Digital Signatures Are Created

    To create a digital signature, you first need to have a digital certificate in hand. A digital certificate is a small data file that contains verified, identifying information about you or your organization. (This is the main info that displays to users.) But that’s not all that’s required. Without getting too technical, digital signatures are created by applying two cryptographic tools to the data you wish to protect:

    • A special cryptographic function (called a hash function or hash algorithm) — This produces a fixed-length digest of the data (a seemingly random string of characters). Any change to the input, however small, yields a different digest, which is what lets a recipient detect tampering.
    • Your private key, which is applied to that digest to produce the signature — The recipient recomputes the digest of what they received and uses your public key to check that the signature matches it. Note what this does and does not do: because the public key is public, anyone can verify the signature; a signature proves origin and integrity but does not keep the content secret. Encryption, if you want it, is a separate operation.

    Digital Signatures Enable You to Prove You and Your Files Are Legitimate

    A digital signature validates your identity to other parties and ties it to whatever you’ve created and signed. The important takeaway here is that digital signatures offer two key qualities that you won’t find in regular electronic signatures:

    • Authentication — This means you can prove that you or something you created is legitimate.
    • Non-Repudiation — This assures recipients that you, and only you, created or signed the item in question, and that an impostor didn’t fraudulently make it. Because only your private key can produce the signature, you can’t later credibly deny having signed it either.

    Historically, if you wanted to prove that you’re the legitimate signer of a document, you’d have to meet up with a public notary to have them observe you signing it. This process required providing the notary with verifiable proof of identity — this is typically some form of ID from a trusted entity (i.e., your driver’s license or ID issued by your state or country’s government).

    This is fine if you’re physically located in the same area where it’s easy to meet up to carry out this process. But what if you’re trying to do business with someone in another country? Meeting up face-to-face then becomes a lot more complicated and costly.

    So, where do you find digital signatures? All over the place, honestly. You’ll find digital signatures used in everything from website connections to document signing.

    You Need a Digital Signature Certificate to Use Your Digital Signature

    The public key that verifies your digital signatures, together with your vetted identity, is packaged in a special file known as a digital certificate; the private key that creates the signatures stays under your control. For the sake of this article, we’ll call these files digital signature certificates. They are small digital files that enable others to trust your signatures online.

    A few examples of these digital signature certificates include:

    Of course, there’s another type of digital certificate that uses digital signatures: an SSL/TLS certificate. This file is what enables you to prove that your website is legitimate because it’s been signed off on by a trusted CA (like DigiCert or Sectigo). But we’ll talk more about that in a little bit.

    Okay, now that we have all of that out of the way, let’s jump right to what you need to know about how you can use each of these digital signature certificates…

     

    5 Digital Signature Certificate Use Cases For Your Business

    For virtually all of our readers, you’re likely already using digital signature certificates in one way or another (you just might not know it). However, there may be some use cases that you’re not as familiar with or aren’t sure how to implement within your IT environment. We’re here to explore those and more:

    1. You Need a Way to Show Your Microsoft Office and PDF Files Are Authentic

    Image caption: A screenshot of how the digital signature information displays in a digitally signed Microsoft Word document.

    Nowadays, you practically can’t do anything within your business without using Word, Excel, or PDF files. Of course, you’d like to assume that someone will send you only legitimate files via email. However, the reality isn’t as pretty. While it may be true, say, 90% of the time, the remaining percentage is enough to crack those rose-colored glasses.

    As recent cyber security statistics and cyber crime statistics show, the threat landscape continues to change. New threat actors seemingly arrive on the scene almost daily and attack methods evolve with them. For example, SonicWall reports the prevalence of malicious Microsoft Office files decreased 64% in 2021; malicious PDFs, on the other hand, increased 52%.

    So, how can you show users that your documents and files are legitimate? Digitally sign them first using a document signing certificate. For example, this is what it looks like when you sign a Word document using a document signing certificate:

    Here’s what it looks like when you sign an Adobe PDF file with an applicable digital signature certificate:

    Image caption: A screenshot of how a digital signature’s information displays in a digitally signed Adobe PDF file.

    2. You Want to Eliminate Warning Messages When Users Download Your Software

    SonicWall’s 2022 Cyber Threat Report data shows that malicious executables represented a whopping 30.27% of the cybersecurity company’s malicious file detections. As such, as a software developer or publisher, you need to have a way to show that:

    • Your software is authentic,
    • It’s actually from you, and
    • No one’s modified it.

    You can do this using a code signing certificate. These certificates are typically offered with two options of validation levels: organizational (i.e., standard) and extended. (Note: Some certificate authorities offer individual validation as well.) When you use this type of digital signature certificate to sign your software, you attach your organization’s verified information to the file regardless of the validation type you choose.

    Image caption: A set of screenshots that show the difference between how files display when they’re digitally signed (right) and are not digitally signed (left). A digital signature certificate lets you display your verified publisher name on the installation prompt screen.

    Both validation levels are trusted automatically by browsers and operating systems. The big practical difference is reputation: Microsoft Defender SmartScreen grants software signed with an EV code signing certificate an established reputation immediately, whereas software signed with a standard (OV) certificate has to build reputation over time through downloads, so a newly released OV-signed installer can still trigger the same warning that unsigned software gets:

    Image caption: A screenshot of the warning message that Windows Defender SmartScreen displays when you try to install unsigned software.

    3. You Want to Give Customers and Prospects a Reason to Trust Your Website

    Trust is hard to earn yet fragile as glass. Once you earn your customers’ trust, you need to do everything possible to protect it. Having a way to prove that your website — your brand’s digital representation — is legitimate is essential to that mission.

    Every time you visit your favorite website, the server sends your browser a file (i.e., an SSL/TLS certificate) containing crucial identifying data that proves you’re connecting to the right server. This website security certificate is issued and digitally signed by a publicly trusted entity known as a certificate authority (CA). The CA’s trusted root

    Image caption: A screenshot of the certificate authority’s chain of trust, which showcases the digital signatures of each certificate that signs the next to attest to its authenticity.

    The CA’s digital signature means that this globally trusted entity is vouching for you, saying that you’ve, essentially, been vetted and are trusted. Having such a way to prove your organization’s authenticity is particularly crucial when you consider recent data from Bolster shows that their systems detected nearly 10.7 million phishing and scam pages in 2021 alone. To put this in more relatable terms, it means Bolster’s team detected an average of 29,190 fraudulent pages every day throughout the year.
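To make the two ingredients listed under “How Digital Signatures Are Created” concrete, and to show how the chain of trust just described reuses exactly the same operations, here is an added worked example that is not part of the article. It uses textbook RSA written out in plain Python (unpadded, with a 1024-bit toy modulus) purely so that the private-key and public-key steps are visible; real deployments use a vetted library with RSA-PSS, ECDSA or Ed25519 and properly sized keys, and real certificates are X.509, not the pipe-separated record used here. The names “Example Root CA”, “Example Issuing CA” and “www.example.com” and the sample purchase order are constructed for the example.

```python
import hashlib
import secrets

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; n is an odd integer > 3 here."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 1024):
    """Return (public, private) as ((n, e), (n, d)). Toy size: illustration only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def digest(data: bytes) -> int:
    """Ingredient 1: a fixed-length hash. Any change to data changes this value."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data: bytes) -> int:
    """Ingredient 2: apply the PRIVATE key to the hash. Only the key holder can."""
    n, d = private_key
    return pow(digest(data), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Anyone holding the PUBLIC key can check a signature; nothing is decrypted."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)

# Chain of trust: a certificate is an identity plus a public key that an issuer
# has signed with its own private key, so the same sign/verify functions apply.
def _tbs(subject: str, issuer: str, public_key) -> bytes:
    """To-be-signed bytes of a toy certificate (constructed format, not X.509)."""
    return f"{subject}|{issuer}|{public_key[0]}|{public_key[1]}".encode()

def issue_cert(subject: str, public_key, issuer: str, issuer_private) -> dict:
    """The issuer vouches for the subject's key by signing it."""
    return {"subject": subject, "issuer": issuer, "public_key": public_key,
            "signature": sign(issuer_private, _tbs(subject, issuer, public_key))}

def verify_chain(chain: list, trusted_roots: dict) -> bool:
    """chain[0] is the site certificate; each one must be signed by the next,
    and the last by a root whose public key the verifier already trusts."""
    for cert, issuer_cert in zip(chain, chain[1:]):
        tbs = _tbs(cert["subject"], cert["issuer"], cert["public_key"])
        if cert["issuer"] != issuer_cert["subject"] or not verify(
                issuer_cert["public_key"], tbs, cert["signature"]):
            return False
    last = chain[-1]
    root_key = trusted_roots.get(last["issuer"])
    tbs = _tbs(last["subject"], last["issuer"], last["public_key"])
    return root_key is not None and verify(root_key, tbs, last["signature"])

def demo() -> dict:
    root_pub, root_priv = generate_keypair()
    ca_pub, ca_priv = generate_keypair()
    site_pub, site_priv = generate_keypair()
    trusted = {"Example Root CA": root_pub}  # the roots a browser ships with
    ca_cert = issue_cert("Example Issuing CA", ca_pub, "Example Root CA", root_priv)
    site_cert = issue_cert("www.example.com", site_pub, "Example Issuing CA", ca_priv)
    # A fraudster can generate keys and a look-alike certificate, but cannot
    # produce the issuing CA's signature, so the chain never reaches the root.
    fake_pub, fake_priv = generate_keypair()
    fake_cert = issue_cert("www.example.com", fake_pub, "Example Issuing CA", fake_priv)
    doc = b"Purchase order 1842: 500 units at 12.50 EUR"  # constructed sample
    sig = sign(site_priv, doc)
    return {
        "document_ok": verify(site_pub, doc, sig),
        "tampered_rejected": not verify(site_pub, doc.replace(b"12.50", b"1.25"), sig),
        "chain_ok": verify_chain([site_cert, ca_cert], trusted),
        "fake_chain_rejected": not verify_chain([fake_cert, ca_cert], trusted),
    }
```

Calling demo() returns all four checks as True: the signed purchase order verifies, the altered one does not, the site certificate chains through the issuing CA to the trusted root, and the fraudster’s look-alike certificate is rejected because its signature was not made with the issuing CA’s private key. The point worth taking away is that the browser never needs the site’s or the CA’s private key; public keys and the root it already trusts are enough.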

    Want your authentic website to stand out from the sea of fraudsters’ sites? Then slap your vetted and validated identity on it by installing an SSL/TLS certificate right away. In addition to asserting your digital identity, SSL/TLS certificates enable users to communicate securely with your site. If you install an extended validation (EV) SSL/TLS certificate, you take your digital identity to another level: the CA vets your organization more rigorously and your verified company information is displayed in the certificate details, so users don’t have to dig through the raw certificate fields to find out who is behind the site.

    A screenshot of The SSL Store's home page and SSL/TLS digital signature certificate information displaying
    Image caption: A screenshot of the verified company information for TheSSLstore.com.

    4. You Need to Prove to Recipients That Your Email Communications Are Authentic

    Phishing is one of the top cyber attack methods used by cybercriminals. Verizon’s 2022 Data Breach Investigations Report (DBIR) data shows that email is one of the two leading attack vectors used in known data breaches. Furthermore, their report indicates that 75% of the malware the median organization received in 2021 came via email.

    Sure, you can — and should — train your employees to recognize the threats associated with phishing attacks and social engineering. But it doesn’t hurt to add another more technical layer of security to the equation; this is where digital signature certificates for email come into play.

    These certificates are known as email signing certificates or S/MIME (Secure/Multipurpose Internet Mail Extensions) certificates. They allow you to attach your digital signature to messages so your recipients can confirm they came from you. These certificates offer the added benefit of enabling you to encrypt your emails as well. This helps to provide end-to-end encryption by securing the emails before they leave your email server.

    Here’s a quick look at what a digitally signed email looks like to your recipient:

    A screenshot that shows an email message that was signed by a digital signature certificate
    Image caption: The screenshot above shows both the verified “signed by” information and the ribbon icon that indicates I’d digitally signed and sent the email to one of my colleagues.

    5. You Want to Authenticate Without the Risks Associated with Traditional Passwords

    There’s no such thing as a perfect authentication method; an enterprising cybercriminal will inevitably find a way to authenticate as you (fraudulently) if they’re truly motivated. But the goal is to make yourself as difficult a target as possible; this way, 99% of cybercriminals will give up and move on to the next target. Make yourself one of the hardest-to-reach fruits on the tree instead of one of the easy-to-steal, low-hanging fruits.

    This is where a type of digital signature certificate, known as a client authentication certificate, can come in handy. A client authentication certificate enables you to authenticate without having to type in a username or password. Instead, you have a PKI certificate installed on your device, enabling you to authenticate automatically.

    Why is this necessary? ForgeRock reports that 50% of cyber attacks they studied were due to unauthorized access through various account compromises. Of course, there are many ways accounts can become compromised. One of the most common methods is phishing, which involves an attacker stealing a user’s login information using social engineering tactics.

    Using PKI-based authentication instead of a username-password combination means you no longer have a password that can be phished or stolen via malware. You simply go to the web app or system you have permission to access, and the authentication “magic” happens on the backend automatically. No muss, no fuss.

    A screenshot of a digital signature certificate's information that displays for a client authentication certificate
    Image caption: An example of a client authentication certificate. This type of digital signature certificate enables a user to authenticate automatically without using traditional login credentials.

    Final Takeaways on Digital Signature Certificates

    It’s now more important than ever to secure your organization’s digital identity and data. Choosing to use a digital signature certificate to secure your digital assets is the difference between sending or receiving authenticated communications or files instead of unauthenticated (and potentially dangerous) ones.

    To get a digital signature certificate for your website, emails, documents, or software:

    • Evaluate what you need to secure and authenticate.
    • Go to your favorite CA or authorized reseller’s website.
    • Choose the certificate(s) based on the type(s) of coverage and validation type.
    • Purchase your certificate(s).
    • Generate a certificate signing request (CSR) for domain validation (DV) and organization validation (OV) certificates, if applicable.
    • Provide the CA with the necessary organizational information to complete validation.
    • Collect your digital signature certificate and install it on your server, device, or client.
    • Start using your certificate right away!
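As an added illustration of the CSR, validation and installation steps in the checklist above, and of the chain of trust described under point 3, here is a POSIX shell script that drives the openssl command line (example code written for this page, not code from the article or from TheSSLStore). It stands up a throwaway root CA in place of a publicly trusted one, generates a key pair and CSR for a site, has the CA sign the CSR, and then runs the same kind of chain check a browser performs. The CA name, www.example.com and Example Org are constructed placeholders; with a real certificate the signing step happens at the CA after it validates your domain or organization.

```shell
#!/bin/sh
# Added example (not from the article): a throwaway chain of trust built with
# the openssl CLI. The root CA here stands in for a publicly trusted CA; every
# name below is a constructed placeholder.
set -e

WORK="${WORK:-$(mktemp -d)}"

# 1. The CA's self-signed root certificate: the trust anchor that browsers
#    would ship in their trust store.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# 2. The site owner's side of the checklist: generate a key pair and a CSR.
#    The CSR carries the public key and the requested subject; the private
#    key stays on the server and is never sent to the CA.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com/O=Example Org" \
        -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
}

# 3. After validation, the CA signs the CSR, producing the leaf certificate
#    that gets installed on the web server.
sign_csr() {
    openssl x509 -req -in "$WORK/site.csr" -days 30 -sha256 \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/site.crt" >/dev/null 2>&1
}

build_chain() {
    make_root_ca && make_csr && sign_csr
}

# Chain check against an arbitrary trust-store file ($1). Exit status 0 means
# a certificate in that store vouches for the leaf.
verify_against() {
    openssl verify -CAfile "$1" "$WORK/site.crt" >/dev/null 2>&1
}

# The check a browser effectively performs: is the leaf signed by a trusted root?
verify_chain() {
    verify_against "$WORK/root.crt"
}

# Who vouched for the leaf? Prints the issuer distinguished name.
leaf_issuer() {
    openssl x509 -in "$WORK/site.crt" -noout -issuer
}

# Stand-alone run: build the chain, then show what each check says.
build_chain
leaf_issuer
if verify_chain; then
    echo "chain verifies against the root CA"
fi
if ! verify_against "$WORK/site.crt"; then
    echo "leaf alone is not trusted: no root in the store vouches for it"
fi
```

The second check is the part worth remembering: the leaf certificate by itself proves nothing, and verification only succeeds when a certificate the verifier already trusts has signed it. For a live site, `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -subject -issuer -dates` prints the same subject, issuer and validity fields an online checker reports.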

     

    Article published on TheSSLStore by Casey Crane

  • What Is Brand Impersonation? A Look at Mass Brand Impersonation Attacks

     

    Brand impersonation attacks hit companies ranging from small businesses to giants like Microsoft and Facebook. Explore what these types of attacks are and how you can protect your organization and customers.

    What do Microsoft, Facebook, and Crédit Agricole all have in common? Sure, they’re all big-name companies, but something else they share is that their brands are the three most commonly used in brand impersonation scams. These cyber attack scams involve someone pretending to be your company.

    It’s said that imitation is the sincerest form of flattery, but that doesn’t hold true with brand impersonations. In these scenarios, bad guys use your name and reputation to swindle customers out of their login credentials, other sensitive data, and hard-earned money. But it may surprise you to know that your company isn’t a target in this situation. The target (i.e., the victim in this case) is the customer or other potential user who receives the deceptive communications and falls for it. Your company is simply a means to an end to help bad guys reach their true goals.

    As you can imagine, mass brand impersonations result in significant costs and lost trust for those affected brands. The Federal Trade Commission (FTC) reports that the reported costs of business and government impersonation scams increased 85% year over year, bringing total losses from October 2020 to September 2021 to a whopping $2 billion! (This doesn’t include costs of impersonation scams that have gone unreported — and who knows how many of those have gone on that the FTC just doesn’t know about!)

    But what exactly is brand impersonation? And, more importantly, how can you use digital identity to protect your brand and customers against these types of cyber attacks?

    Let’s hash it out.

    What Is Brand Impersonation? A Look at Brand Spoofing

    Brand impersonation, or brand spoofing, is a phishing tactic that involves cybercriminals falsely representing themselves as your organization or one of its employees. This is typically done to get people (e.g., your customers or other users) to believe they’re interacting with your company. This way, they’ll be more willing to share their personal or otherwise sensitive information.

    You know those fake Walmart or Amazon emails you always get in your junk mail? Yeah, those are just two examples of the types of mass brand impersonation you’ll commonly see nowadays. The idea is to get you to click on a link that takes you to a fake login portal where you’ll be prompted to provide sensitive information such as your username and password. Since this phony site is controlled by the attacker, they’ll be able to steal your login credentials or other information easily.

    Brand impersonation attacks are often a shotgun “spray and pray” approach wherein an attacker sends out mass emails to a bunch of people with the hope that at least a few will fall for them. Bad guys ride the coattails of the trust your company has established with customers to trick them into doing one or all of the following:

    • Logging into a fake account portal that enables the attacker to steal their login credentials
    • Making payments for fraudulent products or services
    • Providing other desired sensitive information
    • Installing malware onto their devices

    But what do some of these brand impersonation emails look like? In truth, you’ve probably already received some and just didn’t know it. Let’s take a quick look at a couple of brand impersonation scam emails I’ve received in the past few months.

    A Look at Real-World Brand Impersonation Scams

    I frequently receive fake Norton LifeLock and Microsoft emails — almost daily, in fact. Suppose I was a legitimate Norton LifeLock customer and wasn’t paying attention to the sender’s email address. In that case, I might not notice that an email came from an unrelated domain. As a result, I might wind up handing my username, social security number, or other sensitive information over to a cybercriminal on a silver platter.

    Here are a few examples of Norton LifeLock phishing emails I’ve received:

    Image caption: A side-by-side screenshot of three Norton LifeLock scam emails I’ve received.

    Look at all of the different invoice numbers and amounts, ranging from $214 to $463. Notice that the emails are all sent to me using the BCC field instead of including me as the only email contact. All of these factors, coupled with the fact that the senders’ email addresses have nothing to do with Norton and the messages are super generic, help me recognize that these emails have “phishing” written all over them.

    Common Brand Impersonation Scams and Attack Vectors

    Brand impersonation attacks can occur in many ways. Attackers often create emails, text messages, social media profiles, and/or websites that look like they’re from a legitimate brand to win the trust of their targets.

    A few of the most common organization or brand impersonation scams you’ll find include:

    • Tech support scams — These scams often involve an attacker coercing a victim into downloading malicious software onto their devices under the false premise that their device is infected with malware. FBI data shows that 23,903 tech support fraud complaints were received in 2021 with losses surpassing $347 million.
    • Vendor scams — Not all targets are consumers. In some cases, attackers will impersonate one business in order to target another. In these cases, cybercriminals will create fake invoices that they send via email to trick the target organization’s employees into clicking on it and installing malware. Sometimes, they’ll go as far as to create fake websites and domains that closely resemble the real organization’s website to trick the victim into visiting it.
    • Subscription scams — Here, attackers convince unsuspecting users that they’ve been charged for services or products. To get a refund, they must call a call center or download some type of software. (Think of the Norton LifeLock scam we talked about earlier.)
    • Law enforcement scams — Bad guys have no shame. Many cybercriminals have no qualms about pretending to be someone at your local police station or even impersonating a federal agent. Here, they’ll threaten targets with fines or even prison if they don’t comply with their demands.
    • Job offer/recruitment scams — Yes, truly, nothing is sacred. Whether you’re unemployed or are just looking for a new position, beware of fake job recruiters. These are among the lowest-of-the-low scammers who prey on individuals; they make false promises of great jobs to lure them into sharing sensitive information.

    4 Methods of Brand Impersonation Attacks (and How to Tell They’re Scams)

    Let’s explore a few examples of the most common ways cybercriminals carry out these attacks:

    1. Email Mass Brand Impersonation Attacks

    This is a favorite approach for many cybercriminals because emails are cheap, quick, and easy to send. But what makes them particularly attractive is that they can simultaneously use these electronic messages to target many potential users. Cybercriminals can send out emails from domains that look similar to yours to trick users into providing info, opening malicious attachments, or going to phishing or malicious websites. This approach doesn’t require that they have access to your account (such as in an account takeover [ATO] attack — more on that in a second).

    Let’s consider the following example of a brand spoofing email I received that was targeting American Airlines customers:

    A brand impersonation scam email where an attacker pretends to be American Airlines

    Image caption: A screenshot of an American Airlines phishing scam email I’d received.

    Overall, this phishing email is pretty well put together. The grammar is pretty good, the graphics look official, and the display of “American Airlines” as the sender is a nice touch. However, if you dig a little deeper, you’ll start to notice a few key points that give away this is a spam email.

    First, let’s start with what the sender’s email address actually looks like when you go beyond the surface:

    A screenshot of an American Airlines brand impersonation scam email with the sender's phony email highlighted

    Image caption: An up-close screenshot that showcases the sender’s non-American Airlines email address.

    Next, let’s look at the URL that the OK button is trying to direct me to:

    A screenshot of an American Airlines brand impersonation scam email with the phishing URL highlighted

    Image caption: An up-close screenshot that showcases the non-American Airlines URL that the button tried to direct me to click on.

    That part doesn’t look very official, does it? Definitely not. And it’s important to note that Googleapis links are commonly tied to phishing scams and are used to distribute malware. This means that if I end up clicking on the link, it could result in malware being installed onto my phone or computer. Yikes.

    Let’s consider another example that, in some ways, is a little trickier. It comes from what appears to be a legitimate email account and domain. This may have been a case of an account takeover attack, which means that an attacker gained access to a legitimate email account and used it to send out phishing or malicious messages.

    A screenshot of a brand impersonation email where someone tried to pretend to be an employee of a specific medical group

    Image caption: A screenshot of an email I received containing a fraudulent (and potentially malicious) PDF attachment.

    The first glaring issue here is that I don’t do business with this organization, nor am I one of their patients. Second, let’s take a closer look at a link that was embedded in the View Attachments button:

    A screenshot of a brand impersonation email scam that highlights the attacker's embedded malicious URL.

    This link would take you to an unknown website URL that is designed to appear to come from Adobe. But not everything is as it appears; when I checked this link against VirusTotal’s search tool, the search result shows that it’s flagged as malicious:

    A check from VirusTotal shows that the website in question is flagged as malicious/dangerous

    Image caption: A screenshot of the URL checking results of the suspicious emailed link.

    Yup, it’s always a good idea to do a secondary check before clicking on any unknown (and unsolicited) links. Clicking on this link opens you up to the risk of getting malware onto your device or going to a phony login portal that can steal your username and password.
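The two things the article checks by eye in both emails above, the real address behind the sender’s display name and the hosts that the buttons actually link to, can be turned into a small automated check. The following shell functions are an added example written for this page (not code from the article); the sample From header, HTML body and the brand domain airline.example are constructed placeholders standing in for the airline example, and the googleapis host in the sample body is there only to mirror the link the article describes.

```shell
#!/bin/sh
# Added example (not from the article): the sender-domain and link-host checks
# the article performs by hand, as shell functions. All sample data below is
# constructed; "airline.example" stands in for the impersonated brand's domain.

# Extract the bare domain from a From header value, whether it looks like
# "Display Name <user@host>" or just "user@host".
from_domain() {
    printf '%s\n' "$1" | sed 's/.*<//; s/>.*//; s/^.*@//' | tr 'A-Z' 'a-z'
}

# Compare the sender domain against the domains the brand really mails from
# ($2 is a space-separated allow list). A convincing display name is worthless
# if the address behind it belongs to somebody else.
check_sender() {
    domain=$(from_domain "$1")
    for ok in $2; do
        if [ "$domain" = "$ok" ]; then
            echo "OK ($domain)"
            return 0
        fi
    done
    echo "MISMATCH ($domain)"
    return 1
}

# Print every link host in an HTML body that is not the brand's domain ($2)
# or a subdomain of it. No output means nothing to flag.
foreign_link_hosts() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" \
      | grep -o 'href="[^"]*"' \
      | sed 's/^href="//; s/"$//; s#^[a-zA-Z]*://##; s#[/?].*##' \
      | tr 'A-Z' 'a-z' \
      | grep -v -e "^$esc\$" -e "\\.$esc\$" || true
}

# Constructed samples modelled on the article's airline example.
SAMPLE_FROM='American Airlines <rewards-update@promo-mailer.example>'
BRAND_DOMAINS='airline.example mail.airline.example'
SAMPLE_BODY='<p>Your flight credit expires soon.</p>
<a href="https://storage.googleapis.com/constructed-bucket/ok.html">OK</a>
<a href="https://airline.example/account">Manage account</a>'

check_sender "$SAMPLE_FROM" "$BRAND_DOMAINS" || true   # MISMATCH (promo-mailer.example)
foreign_link_hosts "$SAMPLE_BODY" "airline.example"     # storage.googleapis.com
```

Both functions are deliberately strict: a sender domain that is not on the allow list is a mismatch even when the display name is perfect, and any link host outside the brand’s own domain is reported, which is exactly the evidence the article digs out of the two screenshots. The allow list is the defender’s input; it is the only part that has to be right for the checks to be useful.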

    2. Brand Impersonation Phone Calls

    Cybercriminals use voice phishing (vishing) to carry out attacks. In this case, bad guys use phones (often with the help of automated dialers) or VoIP systems to call people while pretending to be well-known companies or organizations. Some common examples of vishing scams involve impersonating the following companies or agencies:

    • Technology companies,
    • Financial institutions, and
    • Law enforcement and other federal agencies (such as the FBI or IRS).

    Bad guys know that fear is a big motivating factor. This is why some threat actors love to use scare tactics to coerce or manipulate victims into doing something they normally wouldn’t (like handing over account information or other sensitive info).

    3. Brand Impersonation SMS Text Message Scams

    A screenshot of a phony Walmart text message that's really a brand impersonation scam attempt
    Image caption: A screenshot of a phishing SMS text message (smishing message) impersonating Walmart.

    SMS phishing, or smishing, is an approach cybercriminals use to drive targets to phishing or malicious websites. They send SMS text messages containing links to websites (under the guise of enticing surveys, sweepstakes, or free gift card offers) to random or targeted users’ phone numbers to see who will bite. An example of such a text message is the screenshot displayed to the right.

    The goal here is to trick victims into believing that the messages are legitimate. This way, they’ll be more likely to click on the link in the message, which can lead to a fake login portal or a site with drive-by downloaders.

    4. Some Cybercriminals Combine Multiple Phishing Methods

    Some brand impersonation attacks involve a combination of different attack methods. For example, I’ve received Microsoft subscription scam emails wherein the attacker says I’ve been charged for a phony recurring subscription. To cancel it or get a refund for the charges, I’m prompted to call a phone number where they can walk me through downloading a remote desktop protocol (RDP) application that will give them access to my device.

    The attackers use the excuse that I need to download the program to connect to their bank server to initiate a money transfer to my account for reimbursement. Of course, the truth is that the whole situation is utter nonsense: there is no refund, as the charge wasn’t real.

    The attacker’s goal is to get me to give them remote admin access to my device so they can:

    • Install malware,
    • Steal my information,
    • Encrypt my files, or
    • Do other nefarious things.

    Needless to say, if I fall for even one of these scams, it’s bad news for me and will likely result in a payday for the attacker.

    Mass Brand Impersonation Enables Cybercriminals to Capitalize on Your Reputation

    If you’re like most organizations, you’ve worked long and hard to establish your business. You’ve probably spent many long days, nights, and weekends trying to win over customers and prove your value as a reputable organization they can trust. All your hard work goes out the window when someone hijacks your good name and uses it to cause harm through mass brand impersonation attacks and scams.

    Attackers use phishing and other social engineering tactics to make their phony emails, text messages, and websites appear legitimate. To help prevent some of the usual attack vectors and strengthen your brand against these types of attacks, it’s crucial that you take steps to secure your digital identity.

    What Is Digital Identity and Where Does It Come Into Play?

    Your digital identity is what helps people know you’re really you in the digital world. It’s a combination of various verifiable identifying data that offers assurance to others that you or your organization is legitimate and not an imposter.

    An easy-to-recognize example of digital identity is an organization validation (OV) or extended validation (EV) SSL/TLS certificate. This digital certificate file ties key organizational information to your domain — verifiable information such as your common name and locality information — and is a key component of public key infrastructure (PKI), which we’ll speak to in just a few moments.

    When you install an EV SSL/TLS certificate on your web server, it communicates to users’ browsers that your website is legitimate and displays your verified organizational information upfront. Here’s a quick example of how that looks on our website:

    The SSL Store's SSL/TLS certificate asserts the company's digital identity
    Image caption: A screenshot of The SSL Store’s EV SSL/TLS certificate.

    How to Protect Your Digital Identity Against Use In Brand Impersonation Scams

    Now that we know what mass brand impersonation is and why it’s such a problem, there’s only one big thing left to talk about now: what you can do to prevent these impersonation attacks from affecting your organization.

    Public key infrastructure (PKI) — essentially, the backbone of internet security — relies on the use of PKI digital certificates. These certificates come in multiple varieties and serve different purposes. Here are some of the ways that you can protect your brand online using PKI and other methods.

    Secure Your Domain with an EV SSL/TLS Certificate

    Installing an extended validation (EV) SSL/TLS certificate ensures you’re asserting your digital identity in the biggest way possible. An EV certificate ensures your company’s verified name displays as prominently as possible while also including more detailed organizational information in your certificate details.

    You may also want to consider registering domains that closely resemble yours and install redirects to your main site to keep cybercriminals from registering those domains and doing anything bad in your name.

    Use Email Signing Certificates to Add Your Signature to Outbound Emails

    Much like how monarchs and others throughout history used wax seals to authenticate their correspondences and ensure their integrity, you can use a special digital certificate (called an email signing certificate) to do the same with your emails.

    Digitally signing your emails is the modern solution to an age-old problem of communicating securely with someone when you’re physically not in the same location. Using a cryptographic signature provides a way for your email recipients to verify that your messages are authentic and haven’t been altered.

    Protect Your Domain Against Unauthorized Usage by Setting Up DNS Records

    Set up Domain-based Message Authentication, Reporting, and Conformance (DMARC) records in your domain’s DNS. DMARC builds on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) and helps to ensure that only authorized users can send emails on behalf of your organization’s domain. DMARC is also a requirement of BIMI, which we’ll speak about next.
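SPF, DKIM and DMARC are all plain TXT records, and the difference between a record that merely exists and one that actually stops a spoofed mail comes down to one or two tags. The shell functions below are an added example written for this page (not the article’s own code): they read record values and grade them, with a weak setting shown next to its corrected form. The record strings and example.com addresses are constructed; the dig commands in the comment are how you would fetch the real ones.

```shell
#!/bin/sh
# Added example (not from the article): grade SPF, DKIM and DMARC TXT record
# values. The record strings below are constructed. For a real domain you would
# fetch them with:
#   dig +short TXT example.com                          (SPF)
#   dig +short TXT _dmarc.example.com                   (DMARC)
#   dig +short TXT <selector>._domainkey.example.com    (DKIM)

# SPF: the trailing "all" mechanism decides what happens to senders that are
# not listed. "+all" (or a bare "all") lets anyone send as your domain.
spf_grade() {
    case "$1" in
        v=spf1*) : ;;
        *) echo "not-spf"; return 1 ;;
    esac
    case "$1" in
        *"+all"*|*" all"*) echo "weak" ;;       # everyone passes
        *"?all"*)          echo "neutral" ;;    # receivers treat as no policy
        *"~all"*)          echo "softfail" ;;   # usually just marks as suspicious
        *"-all"*)          echo "strict" ;;     # unlisted senders fail
        *)                 echo "none" ;;       # no "all": defaults to neutral
    esac
}

# Pull one tag's value out of a "k=v; k=v" style record ($1 = tag, $2 = record).
tag_value() {
    printf '%s' "$2" | tr -d ' ' | tr ';' '\n' | sed -n "s/^$1=//p"
}

# DMARC: only p=quarantine or p=reject tells receivers to act on a failure;
# p=none is reporting only, which is fine to start with but not to stay on.
dmarc_grade() {
    case "$1" in
        v=DMARC1*) : ;;
        *) echo "not-dmarc"; return 1 ;;
    esac
    case "$(tag_value p "$1")" in
        reject)     echo "strict" ;;
        quarantine) echo "moderate" ;;
        none)       echo "monitor-only" ;;
        *)          echo "invalid" ;;           # the p tag is mandatory
    esac
}

# DKIM: a selector record without a public key (p=) cannot verify anything.
dkim_has_key() {
    [ -n "$(tag_value p "$1")" ]
}

# Weak setting beside the corrected one (constructed values).
WEAK_SPF='v=spf1 include:_spf.mailer.example +all'
GOOD_SPF='v=spf1 include:_spf.mailer.example -all'
WEAK_DMARC='v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com'
GOOD_DMARC='v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s'
SAMPLE_DKIM='v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYBASE64'

echo "SPF   weak: $(spf_grade "$WEAK_SPF")   good: $(spf_grade "$GOOD_SPF")"
echo "DMARC weak: $(dmarc_grade "$WEAK_DMARC")   good: $(dmarc_grade "$GOOD_DMARC")"
dkim_has_key "$SAMPLE_DKIM" && echo "DKIM: public key present"
```

The usual rollout is the order of the grades: publish SPF with `-all` and a DKIM key first, start DMARC at `p=none` to collect the `rua` reports, and move to `p=quarantine` and then `p=reject` once every legitimate sender aligns. The `adkim=s`/`aspf=s` tags in the corrected record make that alignment strict, so a subdomain an attacker controls cannot satisfy it.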

    Show Customers Your Emails Are Legitimate Before They Even Click on Them with BIMI & VMCs

    Implementing Brand Indicators for Message Identification (BIMI) in combination with using verified mark certificates (VMCs) adds another layer of digital identity to your outbound emails. This allows you to brand your mail right in recipients’ inboxes. This way, recipients know your emails are legitimate just by looking at your verified logo next to your messages in their inbox.

    Apple and Google support using BIMI and VMCs to display your verified logo in emails received by users on their respective platforms.

    Assert Your Digital Identity in Your Code to Secure Your Software & Supply Chain

    If you’re a developer or publisher, this is for you. Digitally signing your software, patches, scripts, and other executables using a code signing certificate enables you to prove their authenticity to browsers and operating systems. This process attaches your verifiable digital signature to your code using cryptographic functions showing that your products haven’t been altered since they were originally signed.

    Doing this assures your users that your software is legitimate and hasn’t been modified without your knowledge.

    Of course, it’s important to note that these certificates won’t stop attackers from simply claiming to be you and delivering unsigned code. However, what they do is provide users with a way of determining whether your communications, website, or software are legitimate. This way, if they download software or receive an email from “your company” (i.e., an attacker) that’s not digitally signed or doesn’t contain your verified logo, it’ll give them a reason to pause.
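Email signing (above) and code signing (this section) rest on the same primitive: a signature computed over the content that fails verification if a single byte changes afterwards. The script below is an added example written for this page (not code from the article or from any signing vendor) and shows that primitive with the openssl CLI using a bare key pair, so it demonstrates integrity and origin-by-key only; tying the key to a verified organization is what the certificate adds on top. File names and the sample “installer” are constructed.

```shell
#!/bin/sh
# Added example (not from the article): the detached signature that both
# S/MIME signing and code signing build on. Uses a bare RSA key pair instead
# of a CA-issued certificate; all file names and content are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# The signer's key pair. The private key stays with the signer (ideally in an
# HSM or token); only the public key, carried inside the certificate in real
# deployments, is handed to verifiers.
make_signer_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/signer.key" >/dev/null 2>&1
    openssl pkey -in "$WORK/signer.key" -pubout -out "$WORK/signer.pub" >/dev/null 2>&1
}

# Sign: hash the artifact ($1: an installer, a script, an email body) with
# SHA-256 and sign the hash. The signature is written beside it as $1.sig.
sign_artifact() {
    openssl dgst -sha256 -sign "$WORK/signer.key" -out "$1.sig" "$1"
}

# Verify: recompute the hash and check it against the signature with the
# public key. Exit status 0 only if $1 is byte-for-byte what was signed.
verify_artifact() {
    openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Stand-alone demonstration: sign a script, verify it, alter it, verify again.
make_signer_keys
printf 'echo "hello from the vendor"\n' > "$WORK/install.sh"
sign_artifact "$WORK/install.sh"
if verify_artifact "$WORK/install.sh"; then
    echo "original: signature valid"
fi
# One changed word, as in a tampered download, and verification fails.
printf 'echo "hello from the attacker"\n' > "$WORK/install.sh"
if ! verify_artifact "$WORK/install.sh"; then
    echo "modified: signature INVALID"
fi
```

The part the article’s caveat points at is visible here too: an artifact that simply ships without a `.sig` has nothing to verify, so the value of signing depends on consumers (package managers, operating systems, mail clients, or your own users) treating a missing or invalid signature as a reason to stop.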

    Train Your Employees to Recognize Authentic Company Communications

    Educating and training your employees about cybersecurity is crucial for helping them keep your organization safe. If your employees have no clue as to how to identify a legitimate email from an imposter’s fake one, then you might as well post a sign out front stating, “cybercriminals — make yourselves at home.”

    As part of the training you provide, you’ll want to educate your employees to recognize and decipher your legitimate communications quickly and easily. This way, they can quickly assess messages to figure out whether they’re authentic. A well-known example of a company that takes this approach is PayPal, which:

    • Dedicates an entire section of their website to educating users
    • Sends out emails regularly to their users, warning about scams and providing examples of emails to avoid
    • Displays other messages to educate users of the dangers of brand impersonation and other phishing scams

    Monitor Your Brand Online

    Your work isn’t done yet. Another crucial step in preventing brand impersonation (or, at least, mitigating its impact) is keeping an eye on your brand name online. Look out for instances of how and where it’s being used and referenced by other parties. You can even set up Google Alerts to inform you any time someone publishes something relating to specific keywords or key phrases you enter — for example, your company’s name.

    To set up Google alerts, check out this resource from Google’s Support page.

    Keep Your Secrets Safe

    We’re going to leave you with one final but important thought. For you to put your digital identity to use in an effective (and secure) way, you must properly manage your PKI certificate keys, passwords, and other “secrets.” If you don’t carefully manage your access information and even just one of them gets lost or stolen, you risk exposing your sensitive data and systems or someone signing things they shouldn’t in the name of your company.

    Either way, the scenario will likely result in damage to your brand and reputation, fines, or maybe even lawsuits down the road. It’s just bad news all the way around with no upside.

    To learn more about certificate management, be sure to check out our Certificate Management Best Practices Checklist.

     

    Article published on Thesslstore

  • SSL Certificate Installation Instructions & Tutorials

    SSL certificate installation is typically performed by the hosting company that provides services for the domain. However, you may also choose to install an SSL certificate yourself. Select your server type from the list below to find detailed instructions for installation.

    I am going to recommend an article written by the DigiCert team for almost all types of servers. Here is the link.

    After the installation, check your SSL installation here.

    This tool can verify that the SSL Certificate on your web server is properly installed and trusted. SSL Checker will display the Common Name, server type, issuer, validity, certificate chaining, and more certificate details.

    If you feel your website is not displaying the proper security lock, the Why No Padlock tool is just for you! By simply entering your URL in the box, you can instantaneously check if there are ANY insecure links found within your URL.

  • New Research Highlights Importance of Cybersecurity in Small, Medium Businesses

     

    We’ve dived head-first into Devolutions’ latest report (State of Cybersecurity in SMBs 2022-2023) on cybersecurity for small and mid-size businesses so you don’t have to. Here are the five key highlights you need to know from this new study…

    Cybersecurity is an important investment for all businesses and organizations, regardless of size. As someone at a small or mid-size business, you may think that small businesses are less-tempting targets for cybercriminals — but the opposite is actually true. For example, Barracuda reports that companies with fewer than 100 employees are 350% more likely to suffer social engineering attacks than their enterprise counterparts.

    Since SMBs make appealing targets for cybercriminals (especially since they make up 99.9% of all businesses in the U.S.), it’s crucial to stay abreast of the latest industry data. This can be hard, though, when you’re trying to run or operate a smaller business. This is why we want to help by sharing some of the latest data in one short(ish) article.

    Devolutions released its third consecutive State of Cybersecurity in SMBs 2022-2023 report. This year’s latest research, which was released Oct. 11, highlights that 60% of small and mid-size businesses experienced one or more cyberattacks over the last year:

    • One-in-four (42%) indicate that they’ve faced upwards of five attacks in the last year
    • Almost one-fifth (18%) experienced five or more attacks within the same period

    We’ve picked the five most relevant data points from Devolutions’ SMB research that we think will be of interest to our readers. Be sure to check out the Devolutions website to read the full report.

    Let’s hash it out.

    Top Takeaway: SMBs Rank Ransomware as Their Biggest Cybersecurity Threat

    81% of Devolutions’ survey respondents view ransomware as their businesses’ biggest security threat. This is followed by phishing (69%) and other types of malware (38%). In some respects, this is no surprise: ransomware is a major threat because it often results in the encryption or destruction of victims’ data (even when the victims pay the demanded ransom). In some cases, ransomware attacks are multi-pronged because attackers also attack victims’ data backups to cause additional damage or demand a second ransom payment.

    However, I honestly figured #1 and #2 would have been reversed, particularly considering that many ransomware attacks often involve the use of phishing, as do other cybersecurity concerns. But, hey, everyone is different and has different security priorities and concerns.

     

    Takeaway #2: Nearly One-Third of Businesses Earmark <5% of IT Budget to Security

    A disturbing statistic from Devolutions’ report that really stuck out to me is that 32% of small and mid-size businesses dedicate less than one-twentieth (1/20) of their IT budget to IT security. Now, consider that Connectwise reports that 69% of their survey respondents admit they’re concerned one bad cyber attack could permanently force them to close their doors. Knowing this concern and being aware that nearly one-third of organizations dedicate only 5% of their overall IT budgets to security sends the message that companies aren’t putting in much of an effort to prevent such an attack from happening.

    What really drives home the dismal nature of that number is when you consider that CompTIA reports the average small business only devotes $5,000-$249,000 of their overall budget to IT each year to begin with (the “sweet spot” for SMBs ranges between $10,000 and $49,000). This means that only 5% of already potentially limited budgets is what companies are using to fund their IT security initiatives. Yikes.

    Let’s take a closer look at this for a little more perspective. Imagine that your company invests $45,000 in your IT budget each year. This means that if you’re one of the 32% of SMBs that dedicate only 5% of your IT budget to IT security, then it means you’re spending just $2,250 a year to secure your organization against cyber attacks and threats. That means your cybersecurity is worth just $6.25 per day to your business — or the equivalent of a large pumpkin spice latte at a specific major coffee shop chain.

    It truly is astonishing that some businesses treat IT security as the ugly, redheaded stepchild. Considering that all it takes is one cybersecurity “oops” for everything to go wrong, IT security should be ranked as one of the essential elements of your IT environment. It doesn’t matter how many new and shiny devices you have… if you don’t bother dedicating the time, money, and resources needed to keep those devices and network secure, then they won’t do you any good.

    But there is some good news here: Devolutions recommends SMBs allocate between 6% and 15% of the IT budget to IT security (which includes cybersecurity). We’re happy to relay that the majority of SMB respondents (68%) fall within this range. But in a perfect world, we’d definitely prefer to see higher average IT security spending.

    Takeaway #3: By and Large, Organizations Want to Increase Their IT Budget Spending

    Now, let’s see what organizations are doing in terms of increasing or decreasing their IT security budgets. 49% report that they’re spending more this year on IT security than they did last year. Awesome. But this stat is tempered when you consider that 51% indicate that their budgets either decreased (6%) or remained unchanged (45%) from the previous year.

    Image caption: New Research Highlights Importance of Cybersecurity in Small Medium Businesses

    However, there is a bit of good news here. 94% of survey respondents indicate that they either plan to spend the same amount (48%) or increase their spending (46%) in the next 12 months. Of course, we’d prefer to see the higher number in the “we-want-to-increase-our-spending-on-IT-security” budget category, but I guess we’ll take the wins where we can.

    There’s also one very important consideration to keep in mind when it comes to budgets and IT security spending: every organization is different and each one allocates different amounts to begin with. So, some companies may start out with a higher amount (closer to the $249,000 end of the range mentioned earlier) and need to increase it less each year while others may have a much smaller budget (like the $5,000 end of the range) and need more significant investments.

    Takeaway #4: Organizations Are Starting to See the Light Regarding Password Security

    Passwords are the keys to the kingdoms of most small and mid-size organizations. These are the secrets that provide access to user accounts and give access to everything from banking and finance accounts to employees’ personal records data. Comparitech, citing LastPass data, shows that small business employees are the biggest offenders when it comes to demonstrating poor password security: “Those working for companies with 1-25 staff reuse passwords an average of 14 times.”

    Yeah, definitely not good. So, it makes sense that one of the sections of the Devolutions report highlights 18 security projects that respondents wanted to take on in the next 12 months… more than one-third of which relate to password or account security:

    1. Introducing privileged access management (PAM) solution
    2. Introducing or fully integrating two-factor authentication (2FA)
    3. Implementing automatic password rotation
    4. Expanding a password management tool for use by all employees (not just IT staff)
    5. Hardening Active Directory
    6. Implementing more granular and just-in-time access to resources
    7. Shifting to passwordless authentication

    Of course, using secure passwords (or implementing PKI-based client authentication) isn’t all you can or should be doing to secure access within your organization. Additional steps you can take include:

    • Maintaining current user profile and permissions lists
    • Implementing the principle of least privilege within your IT environment (i.e., only giving access to those who need it to do their jobs)
    • Requiring users to use secure, encrypted connections when connecting to websites
    • Educating employees on the importance of account security and best practices
    • Storing only salted and peppered password hashes in lieu of plaintext passwords
    • Setting authentication rate limits
    • Monitoring traffic to your network, services, and applications
    • Blocking access to internal resources from IPs outside your company’s geographic region
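    The two list items about salted and peppered hashes and authentication rate limits, as an added Python example that is not code from the article or from Devolutions: a per-user random salt and a server-side pepper are combined with PBKDF2-HMAC-SHA256, verification compares in constant time, and a sliding-window limiter blocks an account after repeated failed logins. The PASSWORD_PEPPER variable name, the fallback pepper value, the iteration count and the record format are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional

# Server-side pepper: a secret stored outside the user database (environment
# variable, secrets manager, HSM), so a leaked table of hashes cannot be cracked
# without it. PASSWORD_PEPPER is an assumed variable name and the fallback value
# is a constructed placeholder for the demo only.
PEPPER = os.environ.get("PASSWORD_PEPPER", "demo-pepper-not-for-production").encode()
PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def _pepper(password: str) -> bytes:
    """Key the password with the pepper before stretching, so the pepper is required to verify."""
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".

    A fresh 16-byte random salt per user means two users with the same password
    get different records and precomputed tables are useless.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# Record for a throwaway password: verifying against it for unknown usernames
# keeps the response time the same, so the login endpoint does not reveal
# which accounts exist.
DUMMY_RECORD = hash_password("not-a-real-account")


class LoginRateLimiter:
    """Block an account after max_attempts failed logins inside a sliding window."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 300):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures: Dict[str, List[float]] = {}

    def is_blocked(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self._failures.get(username, []) if now - t < self.window]
        self._failures[username] = recent
        return len(recent) >= self.max_attempts

    def record_failure(self, username: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._failures.setdefault(username, []).append(now)

    def reset(self, username: str) -> None:
        self._failures.pop(username, None)


def attempt_login(users: Dict[str, str], limiter: LoginRateLimiter,
                  username: str, password: str, now: Optional[float] = None) -> str:
    """Return "ok", "bad_credentials" or "rate_limited" for one login attempt."""
    if limiter.is_blocked(username, now):
        return "rate_limited"
    record = users.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)  # same cost as a real check
        ok = False
    else:
        ok = verify_password(password, record)
    if ok:
        limiter.reset(username)
        return "ok"
    limiter.record_failure(username, now)
    return "bad_credentials"
```

    The limiter keys on the account rather than the source IP, so it also slows password spraying that rotates addresses; in production the failure timestamps would live in a shared store rather than process memory.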

    Takeaway #5: 56% of SMBs Are Content to Maintain IT Security Staffing Status Quo

    Our final data point from the Devolutions report focuses more on the employees themselves:

    • 38% of the survey respondents indicated that their organizations brought new employees on board since the start of the global COVID-19 pandemic (i.e., early 2020) to address IT security needs and concerns.
    • Another 6% say they’re working with external service providers to achieve the same.
    • The remaining 56% of respondents indicate that they’ve not hired any new cyber or IT security-related employees since early 2020.

    Not bringing new employees into the fold isn’t necessarily bad news. Yes, on the one hand, it could mean that they don’t want to fork out the funds to hire new people and skills. But on the other hand, it may mean that they already have the right people and skills in place, so they don’t need to hire anyone else. (Less likely, but definitely still a possibility.)

    Unfortunately, the former is the most likely scenario. Another recent survey from Cobalt (The State of Pentesting 2022) shows that nearly all of their 602 respondents indicate that they’re affected by staffing and talent shortages. Regardless of the cause of the shortages (whether they don’t hire enough people or employees leave), labor shortages ultimately lead to many security issues for the organization and team members who remain.

    Final Takeaway on Cybersecurity for Small and Mid-Size Businesses

    We hope this article has been enlightening and given you greater insights into investing in cybersecurity as a small or mid-size business. Whether you have just a handful of employees or 100, every person, application, and device that exists within your IT environment represents a potential attack surface that cybercriminals can target.

    Having strong IT and cybersecurity is not just crucial to preventing cyber attacks; it’s also a compliance requirement for notable standards like the EU’s General Data Protection Regulation (GDPR), the U.S.’s Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).


    Source: www.thesslstore.com

  • Email Security Best Practices – 2022


    91% of cyber attacks start with an email.

    Email is by far the most commonly exploited attack vector. Each year countless organizations lose millions of dollars over lapses in email security.

    And for small and medium-sized businesses, the damage can prove fatal. Recent studies have found that 60% of SMBs that get hit by a cyber attack fold within six months of the incident. And two-thirds of potential victims WOULD go under if they were successfully attacked.

    So, something as trivial as learning to spot a phish can have major ramifications on your bottom line and the health of your business.

    And we’ve come a long way from the days of those poorly worded Nigerian prince emails. It’s still unclear whether anyone ever clicked on those in the first place (someone must have), but nowadays phishing emails are difficult to distinguish from the real thing. According to one survey, 97% of respondents couldn’t spot a phishing email.

    The criminals use social engineering to produce believable scenarios, impersonating well-known companies or vetting potential targets on LinkedIn to tailor their approaches.

    And nobody is safe, from the lowest level administrative employees on up to the C-Suite – even partners can be targeted in an effort to get at your organization.

    As email becomes increasingly critical to business success, however, a stronger set of email security best practices is recommended. They can be summarized as follows:

    1. Train employees on email security best practices.
    2. Create strong passwords.
    3. Don’t reuse passwords across accounts.
    4. Consider not changing passwords regularly.
    5. Use multifactor authentication (MFA).
    6. Take phishing seriously.
    7. Be wary of email attachments.
    8. Don’t click email links.
    9. Don’t use business email for personal use and vice versa.
    10. Avoid public Wi-Fi.
    11. Use email security protocols and tools.


  • SSL Installation on Webmin

    The following instructions will guide you through the SSL installation method on Webmin. If you have got more than one server or device, you may need to install the certificate on every individual server or device you wish to secure. If you still haven’t generated your certificate and completed the validation method, reference our CSR Generation instructions and disregard the steps below.

    Steps required:

    1. Private Key
      • This file should be on your server, or in your possession if you generated your CSR with a free generator tool. On certain platforms, such as Microsoft IIS, the private key is not immediately visible to you, but the server is keeping track of it.
    2. Server Certificate
      • This is the certificate you received from the CA for your domain. You may have been sent this via email. If not, you can download it by visiting your Account Dashboard and clicking on your order.
    3. Intermediate Certificates
      • These files allow the devices connecting to your server to identify the issuing CA. There may be more than one of these certificates. If you got your certificate in a ZIP folder, it should also contain the intermediate certificates, which are sometimes referred to as a CA Bundle. If not, download the appropriate CA Bundle for your certificate.

    Installation Steps:

    Copy Certificates to the Server
    Copy your certificate files (SSL & intermediates), along with your private key, and put them on your server.

    Locate your Miniserv.pem file
    It’s usually located in the same directory as your Miniserv.conf file. You’re going to be replacing miniserv.pem with a new one you will create shortly.

    Create a new miniserv.pem
    There are two ways to do this. Either run the following command (the private key must come first, then the certificate):
    cat private.key yourdomain.crt > new-miniserv.pem
    OR, you can open both your SSL certificate and private key, paste both into a new .txt file (key first, then certificate) and save it as new-miniserv.pem.

    Configure your miniserv.conf file
    Finally, you’ll need to add your intermediate. Open your .conf file and enter the location of the intermediate you copied to the server earlier:
    extracas=/etc/webmin/intermediate_certificate.crt
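    The "create a new miniserv.pem" and "configure miniserv.conf" steps above, as an added Python script that is not part of the original guide or of Webmin: it assembles new-miniserv.pem with the key block first and the certificate second, refuses swapped inputs or a certificate file that also carries intermediates, creates the output readable by the owner only, and sets the extracas line in miniserv.conf. The file names mirror the guide; DEMO_KEY_PEM and DEMO_CERT_PEM are constructed placeholders in PEM shape, not real key material.

```python
import os
import re
from typing import List

# Matches one PEM block and captures its label (e.g. "PRIVATE KEY", "CERTIFICATE").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.S)

# Constructed placeholders in PEM shape so the script runs offline; they are
# not real key material or a real certificate.
DEMO_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nREPLACE-WITH-YOUR-KEY\n-----END PRIVATE KEY-----\n"
DEMO_CERT_PEM = "-----BEGIN CERTIFICATE-----\nREPLACE-WITH-YOUR-CERT\n-----END CERTIFICATE-----\n"


def pem_labels(text: str) -> List[str]:
    """Return the labels of the PEM blocks found in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_miniserv_pem(key_path: str, cert_path: str, out_path: str) -> List[str]:
    """Write key + certificate (in that order) to out_path and return the block order written.

    Webmin reads the private key and the server certificate from one PEM file,
    so the inputs are checked before anything is written: the key file must hold
    exactly one private-key block and the certificate file exactly one
    certificate (intermediates belong in the extracas bundle, not here).
    """
    with open(key_path, "r", encoding="utf-8") as fh:
        key_text = fh.read()
    with open(cert_path, "r", encoding="utf-8") as fh:
        cert_text = fh.read()

    key_labels = pem_labels(key_text)
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        raise ValueError(f"{key_path}: expected exactly one PRIVATE KEY block, found {key_labels}")
    cert_labels = pem_labels(cert_text)
    if cert_labels != ["CERTIFICATE"]:
        raise ValueError(f"{cert_path}: expected exactly one CERTIFICATE block, found {cert_labels}")

    combined = key_text.rstrip("\n") + "\n" + cert_text.rstrip("\n") + "\n"
    # The file contains the private key, so create it readable by the owner only.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(combined)
    return pem_labels(combined)


def set_extracas(conf_path: str, bundle_path: str) -> str:
    """Point the extracas= line of miniserv.conf at the intermediate bundle; return the new content."""
    with open(conf_path, "r", encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    new_line = f"extracas={bundle_path}"
    if any(line.startswith("extracas=") for line in lines):
        lines = [new_line if line.startswith("extracas=") else line for line in lines]
    else:
        lines.append(new_line)
    content = "\n".join(lines) + "\n"
    with open(conf_path, "w", encoding="utf-8") as fh:
        fh.write(content)
    return content


if __name__ == "__main__":
    # Paths assume the file names used in the guide above; adjust for your server.
    print(build_miniserv_pem("private.key", "yourdomain.crt", "new-miniserv.pem"))
    print(set_extracas("/etc/webmin/miniserv.conf", "/etc/webmin/intermediate_certificate.crt"))
```

    After replacing the old miniserv.pem with the generated file, restart Webmin so it re-reads both the PEM file and the extracas setting.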

    Hurrah! You’ve successfully installed your SSL certificate! To check your work, visit the website in your browser at https://yourdomain.tld and view the certificate/site information to see if HTTPS/SSL is working properly. Remember, you may need to restart your server for changes to take effect.

    You can check your SSL installation on SSL Checker Tool.

    Good luck! 😀

  • What Does SSL Stand For? A 10-Minute Look at the Secure Sockets Layer


    What’s SSL? SSL, or secure sockets layer, is the standard technology used to secure online communications. Let’s take a quick look at what SSL is and what it does to enable your secure transactions online.

    You know when you go to a website and see a padlock icon in your browser’s address bar? That means the website is using SSL, or secure sockets layer. SSL secures your communication with the website so hackers can’t eavesdrop and see your credit card number or password.

    (Technically speaking, SSL is an outdated term because it’s been replaced by a very similar but updated technology known as transport layer security, or TLS. But people still like to use the term SSL because it’s been around longer and, therefore, is easier to remember.)

    Today, we’re taking a step back from more in-depth technical articles to take a quick look at the basics: what does SSL stand for? What is SSL? How does it work? And, of course, how you can protect your own website with SSL.

    Let’s hash it out.

    What Does SSL Stand For? A Quick SSL Definition of the Protocol

    SSL stands for secure sockets layer. In the simplest terms, SSL is a technology that’s commonly used to securely send data (for example credit cards or passwords) between a user’s computer and a website. The term also describes a specific type of digital certificate (SSL certificate) that companies use to prove they own their domain. (We’ll speak more about that a little later.)

    SSL is a protocol (i.e., a set of rules computer systems follow when communicating with each other) that was created in the 1990s to allow web browsers to securely send sensitive info to/from a website. Nowadays, however, we rely on transport layer security (TLS) to handle these tasks, but the term “SSL” has stuck around and that’s the term most people use. We’ll talk more about SSL certificates and TLS a little later in the article. But just note that since you’ll commonly see SSL or SSL/TLS being used interchangeably across the internet, we’re just going to use the term here as well to keep things simple.

    If you’re looking for quick rundown of what SSL is and why it’s important, check out our TL;DR overview section.

    If you want to learn how to enable SSL/TLS on your website, just click on this link and we’ll take you to that section of the article. But if you’re interested in learning more about what SSL/TLS does and how you use it, then keep reading.

    How Do You Know When a Website Uses SSL/TLS?

    The answer to this question is easy: your browser will tell you, usually in at least two ways:

    1. The URL will start with “https://.” The “s” stands for secure and means that the website you’re visiting is using SSL/TLS to secure your connection.
    2. The browser will display a little padlock icon next to the website address. This added visual security indicator communicates the website is using SSL/TLS.

    The good news is that more and more websites are using SSL to keep site visitors like you and me secure. W3Techs reports that HTTPS is the default protocol for 79.6% of all websites. This is up from around 75% back in September 2021. Nice — looks like we’re moving in the right direction.

    What It Looks Like When You Use HTTP vs HTTPS

    Here’s a quick visual comparison of a website that’s transmitting via a secure HTTPS protocol (using SSL/TLS) versus one that’s using the insecure HTTP protocol:

    Image caption: A screenshot that showcases how an insecure website displays in Google Chrome.
    Image caption: A screenshot that showcases how a secure website displays in Google Chrome.
    • The first message prominently cautions that the site is not secure.
    • The second message is the clear opposite because the website’s server is using a secure, encrypted connection to communicate with your web browser.

    If the website is using HTTP, this means that any data sent from your browser to the server hosting the website risks the data being read, modified, or stolen in transit. As a website owner, it’s really bad news for you and your customers because it means their data is exposed and you may be liable for not securing it in the first place.

    What Does SSL Do, Exactly? A Look at How SSL Helps You Secure Data in Transit

    Now that you understand the basics of what SSL stands for and what it does, let’s take a brief look under the hood. How exactly does SSL protect website users and data against hackers?

    SSL protects data while it’s “in transit” (travelling between the user’s browser and the website/web server). There are actually three different things SSL does to protect website users. SSL enables secure authentication, data encryption, and data integrity assurance. This allows you to:

    1. Confirm who it is you’re connecting to (authentication)
    2. Use a secure connection to send data so that it can’t be read by unauthorized parties in transit (encryption)
    3. Ensure that data you send or receive isn’t tampered with somewhere along the way (data integrity)

    All of these things are made possible through a cryptographic process known as an SSL handshake (AKA TLS handshake). Much like how you introduce yourself to someone and shake their hand, your computer does the same with a website’s server:

    • Your browser sends a hello message to announce it wants to securely connect to the server.
    • The web server responds by sending its SSL certificate (AKA a digital certificate), along with a list of algorithms it can use to securely communicate.
    • Your browser uses the digital certificate, which contains identifying information about your organization, to verify the site’s authenticity (that’s the authentication part of SSL mentioned above!)
    • The browser sends back info relating to the algorithms it supports. The browser and server will then use the selected algorithms for encryption and data integrity (the other two parts of SSL mentioned above!)

    From there, some other technical steps take place that we aren’t going to get into right now. (Check out the previously linked article for a more in depth look at how different versions of the SSL/TLS handshake work.) Bada bing, bada boom — the end result is that your browser and the website server establish a secure connection through which you can transmit sensitive data (such as using your credentials to log in to a website).

    Pretty cool, huh?

    Spoiler Alert: Websites Must Have an SSL Certificate to Use SSL/TLS

    Remember how we mentioned an SSL certificate is part of the SSL handshake? Yep, that’s a mandatory step — every website needs an SSL certificate before it can enable SSL/TLS. An SSL certificate is a digital file (issued to the website owner by a certificate authority such as DigiCert or Sectigo) that verifies them as the legitimate owner of the website.

    What’s the point of that? To help you assert your digital identity in a way that other entities (users, browsers, operating systems, etc.) can verify you’re legitimate and not an imposter. This way, when a user connects to your website, they know it’s legitimate and can establish a secure, encrypted connection.

    Here’s a quick example of what the SSL certificate looks like for TheSSLstore.com:

    Image caption: Side-by-side screenshots of icloudjunction.in’s SSL/TLS certificate information.

    For those of you who like a little more technical knowledge about what SSL stands for: The term SSL refers to the technology (cryptographic protocol, or the instructions) that makes secure communications possible. However, people sometimes use the same term to also refer to a type of data file known as an SSL certificate (AKA a TLS certificate). This digital certificate is an X.509 file containing data that ties your or your organization’s verifiable information to the domain.

    As such, it’s also known as a website security certificate because this information (along with other key cryptographic info it contains) helps to increase the security of your website’s connections.

    How to Research Whether a Website is Legit Using Info in Their SSL/TLS Certificate

    Ever visited a website and you weren’t sure if it was legitimate or trustworthy? Knowing how to view the details in their SSL certificate can help you figure out what company is running the website, who they are, and whether they’re a legit entity. (After all, you don’t want to share your personal and sensitive details with a potential cybercriminal!)

    As you can see in the left part of the above image, this provides general information about what the certificate is used for and which entity it was issued to. The right half of the image is the Subject details, which provides additional verifiable information about our company. In this case, it provides the following information:

    • Common Name (CN): www.icloudjunction.in
    • Organization (O) name: Shree Tech Solutions
    • Locality (L): New Delhi
    • State (S): DL
    • Country (C): IN

    Of course, that’s not all of the information that this type of digital certificate provides. It also informs you:

    • When the certificate was issued and when it will expire.
    • What entity issued the certificate (i.e., who the issuing certificate authority [CA] is).
    • How the certificate is intended to be used.
    • Any subject alternative name (SAN) information, if applicable.
    • The digital signature algorithm that’s used on the SSL/TLS certificate.
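    The handshake described earlier and the certificate details listed above, as an added Python example that is not part of the original article: inspect_server() performs a real TLS handshake with the standard-library ssl module (network required) and reports the negotiated protocol and cipher, while summarize_cert() pulls the Subject fields (CN, O, L, S, C), issuer, SANs and validity window out of the dict that getpeercert() returns, and hostname_matches() shows the name check a browser performs. SAMPLE_PEER_CERT is a constructed dict in that shape: the Subject values mirror the fields quoted in the article, and the issuer, dates and SANs are made up for the demo, so the parsing runs offline.

```python
import socket
import ssl
import time
from typing import Any, Dict, List, Optional

# Constructed sample in the exact shape ssl.SSLSocket.getpeercert() returns:
# "subject"/"issuer" are tuples of RDNs, each RDN a tuple of (name, value) pairs.
# Subject values mirror the fields quoted in the article; the issuer, dates and
# SANs are made up for the demo and copied from no real certificate.
SAMPLE_PEER_CERT: Dict[str, Any] = {
    "subject": (
        (("countryName", "IN"),),
        (("stateOrProvinceName", "DL"),),
        (("localityName", "New Delhi"),),
        (("organizationName", "Shree Tech Solutions"),),
        (("commonName", "www.icloudjunction.in"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA (constructed)"),),
        (("commonName", "Example CA TLS Issuer (constructed)"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "www.icloudjunction.in"), ("DNS", "icloudjunction.in")),
}


def _rdn_to_dict(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {name: value for rdn in rdns for name, value in rdn}


def summarize_cert(cert: Dict[str, Any], now: Optional[float] = None) -> Dict[str, Any]:
    """Extract the Subject fields, issuer, SANs and validity window the article describes."""
    now = time.time() if now is None else now
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "CN": subject.get("commonName"),
        "O": subject.get("organizationName"),
        "L": subject.get("localityName"),
        "S": subject.get("stateOrProvinceName"),
        "C": subject.get("countryName"),
        "issuer": issuer.get("commonName"),
        "sans": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        "valid_now": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
    }


def hostname_matches(summary: Dict[str, Any], hostname: str) -> bool:
    """Check a hostname against the SANs (CN only as a fallback); single-label wildcards only."""
    names: List[str] = list(summary["sans"]) or ([summary["CN"]] if summary["CN"] else [])
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            parts = host.split(".", 1)
            if len(parts) == 2 and parts[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def inspect_server(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Run a real TLS handshake (network required) and summarize what the server presented."""
    ctx = ssl.create_default_context()  # verifies the chain against the system trust store
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        # server_hostname enables SNI and the library's own hostname check;
        # a certificate the trust store rejects raises ssl.SSLCertVerificationError.
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            summary = summarize_cert(tls.getpeercert())
            summary["protocol"] = tls.version()  # e.g. "TLSv1.3"
            summary["cipher"] = tls.cipher()[0]  # negotiated cipher suite name
            return summary


if __name__ == "__main__":
    import sys
    print(inspect_server(sys.argv[1] if len(sys.argv) > 1 else "www.icloudjunction.in"))
```

    Because create_default_context() verifies the chain and the hostname before getpeercert() returns anything, a successful call already tells you the server's certificate is trusted, current and issued for that name; the summary is the same information the browser shows in its certificate viewer.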

    Understanding How and Where Transport Layer Security (TLS) Comes Into Play

    Now, let’s really throw a wrench into things by talking more about this term we touched on earlier. TLS, or transport layer security, is an internet protocol so closely related to SSL that it’s considered its official successor. There are some technical differences in how SSL and TLS work, but we’re not going to dive into all of that here.

    What you need to know is that when you’re on a website that’s secured by “SSL,” it’s technically secured by TLS. Unfortunately, people often use the terms SSL and TLS interchangeably. This gets confusing because so many people and organizations – ours included – still tend to use the term SSL to describe both.

    So, why do we still call it SSL? After all, it’s a deprecated security protocol that was replaced with TLS back in 1999 after multiple iterations (SSL 1.0, 2.0, and 3.0). Frankly, it’s most likely because people are slow to change. There’s a strange tendency to stick to the terms we’re familiar with, so it’s easier for people to just call it “SSL” instead of “TLS.” (I guess, to quote a common adage, “if it ain’t broke, don’t fix it.”)

    So, whether someone calls it SSL or TLS, unless they’re talking about it at a highly technical level, they’re generally referring to the same secure protocol that makes the padlock icon appear in your browser or the digital certificate file that plays a central role in making that occur.

    How to Enable SSL/TLS on Your Website

    Now that we’ve gotten all of that info out of the way and answered “what does SSL stand for?”, you may be wondering how you can put SSL/TLS to use on your website. Good news: it’s really easy. Just follow these five steps to make your secure website a reality:

    1. Purchase an SSL/TLS certificate. Select the SSL/TLS certificate best suited for your website’s needs. We (and other authorized users and CAs) have certificates that meet virtually every price range and need. These digital files tie your organization’s verified identity to your website domain.
    2. Create and submit a certificate signing request (CSR). This step requires you to provide specific information to the certificate authority (CA) you want to issue your certificate.
    3. Complete the validation process. Before a publicly trusted certificate authority will issue an OV or EV SSL/TLS certificate, the CA first researches and evaluates information relating to the requesting organization. For domain validation, only the domain gets verified, via an automated process.
    4. Get your certificate from the issuing certificate authority. Certificates are frequently sent to their requestors via email, so keep an eye out for messages from your issuing CA. Some certificates (domain validation certificates) take only minutes to issue, while others (organization validation and extended validation certificates) take up to a few days because of their enhanced validation requirements. The general rule is this: the more sensitive the data you need to secure, the higher the validation level of the certificate you should use, so that your digital identity is displayed more prominently on your site.
    5. Install your certificate on your server. Of course, the specific directions will vary depending on your platform. So, check out our SSL/TLS installation instructions page for additional information.

    Of course, once all of this is done, use an SSL/TLS checker tool to ensure that your certificate is properly installed and configured. This can help prevent surprise issues from coming your way.

    TL;DR: A Quick Overview of What SSL/TLS Does to Boost Security

    Alright, that brings us to the end of this article, which we hope helped you better understand what SSL stands for. But if you’ve skipped ahead and are now just joining us for a quick overview, SSL (or, really, TLS) is a secure internet protocol that allows users to share their data securely with websites.

    The three key processes that SSL facilitates are:

    1. Encryption — This cryptographic function enables you to secure plaintext data in a way that can’t be read or accessed by unauthorized users.
    2. Authentication — Digital identity authentication helps you ensure that the entity (device or organization) you’re connecting to is who they claim to be.
    3. Data Integrity — Data integrity ensures that the information you send or receive is authentic and hasn’t been altered in any way.

    SSL, as a protocol, uses information provided by digital certificates that go by the same name (SSL certificates). Nowadays, these are technically TLS certificates, but hardly anyone actually bothers calling them that. (You know, because we’re all a tad lazy and it’s easier to call them what we’ve been calling them for years.) So, there you have it. Now you can show off your technical chops around the water cooler or during the next trivia night by being able to answer the question, “What does SSL stand for?”


  • Is Free SSL Right for Me?


    When free SSL certificates came on the scene in 2016, bloggers and business owners alike cheered. And, now that Google is serving up all unencrypted pages with a “Not Secure” warning, they offer a fast, economical option for securing your website.

    Free SSL certificates provide peace of mind that all information that’s shared is encrypted and protected in transit. This is an essential step in your website security. But, depending on the type of site you have and your goals—you may want to consider upgrading to a paid business-validated SSL certificate.

    Here are a few things you’ll want to think through before you decide if free is the way to go.

    • Identity Matters—Free SSL certificates provide encryption and validate you own your domain. This is probably sufficient if you have a blog or small personal non-business site. But, today’s savvy visitors are painfully aware of how often data gets into the wrong hands. Business-validated SSL certificates require more extensive vetting by the Certificate Authorities (CAs), so your visitors feel confident you’re a legitimate business they can trust.
    • The Power of Site Seals—You may be surprised to know that, according to monetizepros.com, a whopping 61% of shoppers decided not to buy because a site was missing a trust seal. Business-validated SSL certificates, specifically Extended Validation (EV), proudly display a dynamic site seal that gives your visitors the reassurance they’re looking for.
    • What If Protection—Sure, “what if” may never happen. But, if you’ve ever filed an insurance claim for your house or car, you know protection for the unexpected when you do need it is worth every penny. If something goes wrong with your certificate, even if it’s not your fault, business-validated SSL certificates include a warranty that protects you against excessive liability.
    • Expert Guidance—Generating CSRs, validating, installing and managing SSL certificates, not to mention compliance, can be confusing, even with free versions. You never know when you’ll need a team of experts to call on for guidance. What if another Heartbleed bug came along? Would you be able to fly solo and know exactly what to do? If you’re like most organizations, the answer is no. Business-validated SSL certificates provide the support and expertise you need, when you need it.

    Choosing the right SSL certificate is an important decision that has daily ramifications on your reputation, engagement, conversion and overall online success. On the web, trust and perception are everything, so it’s important to review your options and make an informed choice that fits your budget and business goals.

  • Why You Need SSL Certificates

    Secure your online success

    SSL certificates perform two major functions—encryption and identity validation. Both are essential to gaining the trust and, ultimately, the business of online visitors.

    You’re probably aware that all major browsers now label all unencrypted webpages with “Not Secure” warnings. If you’re doing business online, the impact of this is huge given that, according to the CA Security Council Report, only 2% would proceed past untrusted connection warnings and only 3% would give credit card information without the padlock icon.

    Since SSL certificates enable encryption, or HTTPS, every one of your webpages needs one to avoid these negative messages and protect data in transit. But, there are many other advantages of ensuring your webpages have SSL certificates.

    Here are eight other important ways SSL certificates benefit you and your visitors:

    Improve website performance—In this “I want it now” world, no one’s going to wait for your webpages to load. HTTPS speeds up page loads to deliver a great visitor experience.

    Drive more website traffic—Google rewards websites that serve every page via an encrypted HTTPS connection with as much as a 5% boost in search engine rankings. That means more people clicking through to your site.

    Reduce shopping cart abandonment—Abandonment rates can soar as high as 75%. Why? One of the top 7 concerns of online shoppers is whether your website is legit. SSL certificates give them the confidence they need to hit “Buy Now”.

    Increase conversions—Bizrate reports 69% of online shoppers look for websites that display trust symbols. It’s easy enough to click away to a competitor who proudly shows them off. A Tec-ED survey reported premium EV SSL certificates have been proven to increase conversions.

    Leverage the latest innovations—HTTP/2 is the first big revision to the outdated HTTP network protocol. It’s faster and safer, but browsers require a secured connection to unlock these advantages.

    Enable must-have mobile features—The most in-demand mobile features, including geo-location, device orientation, full screen, microphone and camera are only enabled over secured HTTPS sessions.

    Sharpen your competitive edge—The level of SSL certificate you choose is a differentiator that motivates visitors to do business with you instead of “the other guys” that don’t have a premium SSL certificate. Trust us, your visitors will notice you’ve taken the extra steps to put their security front and center.

    Avoid phishing attacks—It might be easy for cybercriminals to squeak by domain validation with a DV certificate and fool unsuspecting visitors with “Secure” in the address bar, but the Extended Validation (EV) process is designed to ensure only the “good guys” are approved.

    The Choice is Clear

    Beyond meeting the new encryption standard, SSL certificates improve your speed, innovation and conversions—all important factors for online success. At the very core is trust. Remember, you’re in control of how visitors perceive you online. Review your SSL certificate options to find the one that’s right for you and start earning the trust you deserve.

  • How to Satisfy Multiple GDPR Requirements with One Simple Step


    We’re a few months into the official launch of the GDPR (General Data Protection Regulation), which went into effect May 25, 2018. If you’re still struggling to get compliant, you’re not alone. In fact, Gartner predicts more than 50% of companies affected by GDPR still won’t be in full compliance by the end of 2018. It’s not surprising, since this 99-article regulation is a lot to bite off and most organizations simply don’t know all the steps required to comply.

    What is the GDPR?

    GDPR is a broad-reaching regulation designed to protect the private data of Europeans in IT systems. It covers a broad range of topics, from how and when to notify regulators about data breaches to user transparency about what data is being collected and why.

    You’re asking the wrong question

    Most companies are still asking, “Does the GDPR apply to us?” From a purely technical standpoint, here are a few of the criteria that determine who’s impacted:

    • You have customers, employees or contractors who are EU citizens or based in EU countries (and, yes, the United Kingdom counts)
    • You do business in Europe, even if your business is located elsewhere
    • You have an online presence (including your website) that’s available for Europeans to use

    Spending your resources on trying to exclude your company from GDPR isn’t the best use of your time. And, there are other considerations that extend beyond regulations and fines, reaching all the way to your bottom line:

    • You deal with business partners that want to be GDPR compliant (and if you aren’t, they won’t want to contaminate their compliant databases with your non-compliant data)
    • You don’t focus on doing business in the EU, but can’t stop EU citizens from visiting your website and leaving their personally identifiable information behind
    • Trust is everything online and, if your website collects or processes user data, even via signup or contact forms, visitors expect you to keep their information secure and protected

    A better question is, “How do we get compliant?”, since a majority of the GDPR requirements are best practices that most companies should have been doing all along. If that’s not incentive enough, let’s look at the consequences of not meeting these requirements.

    Non-Compliance Can Be Crushing

    Suffer a single data breach and you’re looking at a fine of €20 million or up to 4% of your annual turnover, whichever is greater. Just to put this into perspective, this would equate to $7 billion for Amazon, more than two years of profit. Plus, you may face additional fines based on the type of breach, data exposed, notification, remediation and response. And, this doesn’t include irreparable damage to your reputation or costs associated with insurance, legal fees and settlements.

    SSL is an Essential Part of GDPR Compliance

    Though the GDPR doesn’t contain any specific section on the use of SSL certificates, it includes clear requirements that can only be addressed through digital certificates. Article 32 of the regulation (“Security”) begins this way:

    … the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

    1. the pseudonymization and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

    Basically, GDPR states that, if your site collects and stores any information from your users, you have a responsibility, as a data controller or data processor, to keep this information secure and protected, including encrypting personal data and ensuring ongoing confidentiality. Verizon’s Data Breach Investigations Report cites lack of encryption and lack of security when handling confidential information among the most common causes of breaches, so these requirements make perfect sense. And, alarmingly, only 4% of reported breaches involved data protected by encryption, which would have rendered the data useless to cybercriminals. If you suffered a breach, wouldn’t you at least want to make sure your company and customer data couldn’t be decrypted by evildoers?

    SSL certificates have been the de facto encryption and authentication standard for all confidential web communications for more than 30 years. Not having an SSL certificate increases your risk of a data breach. If you have an eCommerce website that takes user payment information such as bank account details, having an SSL certificate is a necessity. But, even if your site is a static HTML page that doesn’t sell anything and has no contact or signup forms, you still need an SSL certificate to avoid “Not Secure” browser warnings.

    SSL Delivers Other Business Benefits

    If you’re still on the fence about investing in an SSL certificate, consider the benefits to your business that go way beyond GDPR compliance.

    Faster Website Performance—In this “I want it now” world, no one’s going to wait for your webpages to load. SSL certificates enable HTTP/2 to speed up page loads and deliver a great visitor experience.

    Boost Search Engine Traffic—Google rewards websites that serve every page via an encrypted HTTPS connection with as much as a 5% boost in search engine rankings. That means more people clicking through to your site.

    Optimize the Mobile Experience—The most in-demand mobile features, including geo-location, device orientation, full-screen, microphone and camera, are only enabled over sessions protected by SSL certificates.

    Increase Conversions—According to Comodo’s DevOps June 2018 EV study, 50.2% of respondents are more likely to engage in financial transactions when an EV green address bar is present. And, testing has shown typical increases of around 10% more completed transactions.

    Avoid Phishing Attacks—Cybercriminals might squeak by domain validation with a DV certificate and fool visitors with “Secure” in the address bar, but the more in-depth process for Extended Validation (EV) SSL certificates helps ensure only legit sites are approved.

    Check SSL Off Your GDPR Compliance To-do List

    Making sure all your website pages use SSL certificates to authenticate and encrypt communications is a smart step toward meeting the GDPR requirements. And, even if you’re not technically impacted by the GDPR, you should be using digital certificates to protect your customers and maximize visitor confidence. Every day you go without SSL, you’re scaring away visitors with “Not Secure” warnings. Review your SSL options to make sure your website instantly builds trust and satisfies the GDPR’s requirements for encryption and confidentiality.