Category: Cybersecurity

SSL/TLS certificate duration reduced to 45 days by 2027:Apple takes the first step

On October 9, Apple revealed to the CA/Browser Forum that it had posted a draft ballot for comment on GitHub regarding two important SSL/TLS certificate lifetime events:

  • Gradually reduce the maximum duration of public SSL/TLS certificates to 45 days by 2027;
     
  • Gradually reduce the reuse period for DCV challenges to 10 days by 2027.

In March 2023, in its “Moving Forward, Together” roadmap, Google announced its intention to offer the CA/B Forum a reduction on the maximum possible validity period for public TLS certificates going  from 398 days to 90 days. Since this announcement, the market has been feverishly awaiting for Google’s confirmation but most of all, for the implementation’s timetable… without success. For its part, Mozilla announced, a few weeks ago, its intention to follow Google’s lead on its Firefox browser, without adding any further detail.

Apple ultimately took the first step last week, announcing on October 9th its intention to both reduce the lifetime of certificates to 45 days (when the entire market was expecting 90 days) and to limit the duration of the DCV challenge to 10 days, according to the schedule below. A true bombshell:

Sep-15-2025 => certificates and DCV validation times reduced to 200 days

Sep-15-2026 => certificates and DCV validation times reduced to 100 days

Apr-15-2027 => certificates and DCV validation times reduced to 45 days

Sep-15-2027 => DCV Validation time: 10 days

Information on the background and analysis of this announcement, the expected outcomes and how to prepare for them will undoubtedly be useful:

Context and Analysis:

At this stage, the publication is likely to be commented by market players prior to the formal drafting of the ballot within the CA/B Forum, which itself will be voted on by its members: the Internet browser publishers on the one hand (Google, Mozilla, Apple and Microsoft…) and the Certification Authorities on the other. Amendments are bound to be made, but the general idea remains and the machine is up and running.

Indeed, software publishers are all aligned on the need to reduce the lifetime of certificates, and among Certification Authorities, Sectigo, one of the major players in the certificate industry, is already supporting the initiative. It is likely that things will move rapidly from now on, with few comments and a ballot drafted in the coming weeks or months. We will then know more about the confirmation of the durations and timetable, and will of course make sure to keep you informed.

Expected Outcomes:

  • Certificate lifetime: whether 90 days, 45 days or even less, this reduction is no longer a surprise, and will have a major impact on public certificate portfolio. The certificates can no longer be managed manually. The market has begun its transition to automation, notably through CLMs (Certificate Lifecycle Managers). The issue at stake for companies and organizations will be to rely on partners who can offer as many interconnections as possible between Organizations, Certification Authorities and CLMs.
     
  • DCV challenge duration: Reducing the duration of the DCV challenge to 10 days, if validated, would have a considerable impact, perhaps even more so than reducing the lifetime of certificates. Up until now, the industry has pre-validated domain names for 398 days, using the DCV challenge only once. Apple’s announcement would thus force the use of a DCV challenge for virtually all orders, which would be a major paradigm shift and would involve interconnections with an additional brick in the ecosystem: the DNS. The DCV (Domain Control Validation) challenge involves intervening in the zone of the domain name(s) listed in the certificate, ideally instantaneously, to validate it.
     
  • Organization authentication duration: Apple has not announced anything on the subject of the validity period of organization authentication for OV certificates, which is currently 825 days. However, rumors are circulating that this may be reduced to 398 days or even 365 days.

How to be ready:

The key to successful certificates management lies in automation. A 45 days certificate lifetime represents 9 interventions per year per certificate. Manual management thus becomes utopian. We therefore need to rely on:

  1. Certificate Provider/Certification Authority (CA): a trusted partner who will support through your organizational and domain authentication issues. Service level is key to good management. A multi-CA partner is thus recommended to limit dependence on a single CA, as in the case of Entrust’s recent setbacks. 
     
  2. Registrar / Primary DNS: mastering the primary DNS of domain names listed in certificates will become the key to delivery. Each time a certificate is issued, a TXT or CNAME will be installed on the zone(s) in question. An interconnection between the CA and the DNS is vital.
     
  3. CLM editor: the CLM’s role is to inventory the certificate portfolio, to define certificate portfolio management rules and automate the entire process of orders, from the generation of CSRs to the deployment of certificates on servers. To function properly, the CLM relies on connectors with CAs or certificate suppliers.

Getting ready thus means identifying the most suitable solution, based on these three dimensions, and undertaking this analysis to understand the impacts in terms of process, technology, and budget – in an ideal world – before the end of the first half of 2025.

Nameshield’s approach:

Nameshield holds a unique position in the market as a registrar and supplier of multi-AC certificates. For over 10 years, we have been managing the day-to-day issues associated with authenticating organizations and domains using certificates. On the one hand, we have a privileged relationship with the biggest CAs on the market (Digicert, Sectigo, GlobalSign), and on the other, we master the DNS brick for DCV validation. As a result, we can issue public certificates almost instantaneously. Last but not least, Nameshield has connectors with the major players in the CLM market, allowing you to ensure a comprehensive connection between the various components involved in certificate management. This way, we can support you in anticipating all the issues mentioned above.

SSL/TLS certificate duration reduced to 45 days by 2027:Apple takes the first step

For more information, please contact our Sales team or our Certificates team.

Crédit image : Nameshield with storyset.com

User trust at the heart of the latest CSA Summit in Cologne

From 22 to 24 April, Cologne hosted the Certified Senders Alliance Summit on the theme of “Trust fuels the future”. The event marked the 20th anniversary of the initiative.

Corporate communications have changed dramatically over the last 20 years with the rise of social networks. For example, Instagram now has more than 2 billion monthly users, YouTube more than 2.5 billion and Facebook more than 3 billion. These platforms were all launched between 2004 and 2010. While they have become an integral part of companies’ communications plans for addressing their users, the use of email is still very high, as there are still so many uses for email: sending email campaigns, newsletters, invoices or for example order confirmations. According to Statista, the overall volume of emails increased by 4.3% in 2023 compared with the previous year, with almost 347.3 billion emails sent worldwide every day. Another fact: on average, a person receives around 121 emails a day. These figures underline that email is not about to disappear.

Gartner nevertheless points out that concerns about email security are growing, with few companies escaping security incidents, with increasingly sophisticated phishing attacks using malicious links or attachments, for example, and data losses often linked to careless behaviour or human error. With this in mind, every year CSA brings together experts from the email ecosystem to discuss best practices and solutions for improving email quality and trust. The event is organised around a series of workshops, sessions, conferences and masterclasses.

Nameshield, which sponsored the event, pointed out that there can be no email security without secure domain names, which are critical business assets, and without a robust, high-performance DNS infrastructure. Email security therefore depends on the choice of your domain name provider and the cyber-security solutions it is able to offer its customers. These include the DMARC protocol, which protects users against fraudulent messages. Customised brand extensions also known as dot brands are another way of building brand confidence in the run-up to the next round of new generic extensions scheduled for April 2026.

Contact your Nameshield consultant for more information on all our solutions.

Nameshield at the CSA Summit in Cologne – From April 22 to 24, 2024

Celebrate the 20th anniversary with us and be part of the discussion about the future of commercial emails.

For 20 years, the CSA (Certified Senders Alliance) has been committed to strengthening trust in email as a communication channel. Building bridges between email senders and email providers has been the central goal of the CSA from the very beginning – this year’s anniversary summit will examine the success factors of the future under the motto ‘Trust Fuels the Future’.

Nameshield is a Gold Sponsor of the event – our team would be delighted to meet you there. Gain market-leading expertise with CSA’s insights and evolving best practices. We are particularly looking forward to the discussion around the implementation of DMARC, which is becoming a new standard.

Join an international network of brands, agencies, email service providers and mailbox vendors for a dynamic exchange of information in the well-connected email ecosystem! The CSA Email Summit is not just an event, it’s your path to realising your full potential in the ever-evolving landscape of commercial email.

The CSA Email Summit is supported by various industry associations and provides a solid platform for conversations that offer valuable insights into the future of email marketing. Learn from industry experts in workshops, sessions, short talks and masterclasses to enhance your expertise.

Please contact the Nameshield team for more information and to make an appointment at the Summit!

DNSSEC: Nameshield adopts ECDSA

DNSSEC is the protocol that guarantees the integrity of DNS resolution by establishing a chain of trust all the way back to the root. Data security is ensured by a mechanism of cryptographic keys that sign DNS zone records. Historically, DNS operators have used RSA keys (RSASHA256 algorithm), renowned for their robustness.

As an alternative to this asymmetric cryptographic algorithm, there are elliptic curve algorithms. In the case of DNSSEC, the “ECDSA Curve P-256 with SHA-256” algorithm (RFC 6605 and 8624) offers a higher level of security with smaller key sizes.

The ECDSA algorithm is increasingly being implemented by major players in the domain names industry, such as Verisign and AFNIC, and aims to become the standard.

This has several advantages over our current implementation:

  • Smaller signatures and smaller zone files (approx. -33%);
  • Faster zone transfer and reload;
  • Improved signing performance;
  • Potentially faster DNS requests (less reliance on IP fragmentation);
  • Reduced amplification factor of DDoS attacks based on DNS.

For all these reasons, Nameshield has chosen to use this algorithm by default to secure its own domain names and those of its customers.

Image credit : Nameshield with storyset.com

Phishing, slamming and other fraudulent e-mails: Stay alert during the end-of-year holidays!

Phishing, slamming and other fraudulent e-mails: Stay alert during the end-of-year holidays!

The end-of-year holidays often announce the upsurge of fraudulent mass e-mails campaigns. Indeed, cybercriminals take advantage of this period, when vigilance can be particularly low, to launch phishing e-mails.

What are phishing and slamming?

Phishing is used by cybercriminals to obtain personal information in order to commit an identity theft.

In the world of phishing, slamming is a well-known variant that consists in encouraging domain names holders to renew their annuity with another registrar, by arguing the emergency and criticality of the concerned name’s loss. Concretely, this is an e-mail pushing its recipient to contract an unsolicited service and to proceed to the payment of this latter without delay.

Thus, the slamming may take the form of a fraudulent renewal invoice, usually associated with intimidating terms like “Expiration notice”. Under the pressure of such e-mail, generally well built, it happens that the recipient then proceeds to the payment and finds himself debited with an important amount for the so-called renewal.

In the same way, the slamming e-mail may also indicate that a “customer” of the sender, posing as a fake registrar, intends to register domain names identical or similar to your brand. Then the fraudster proposes to register them for you in order to protect you from these troublesome registrations, of course, in exchange for an urgent payment.

Another kind of attack, the suspicious e-mail attachment!

Be careful of fraudulent e-mails with infectious attachments: a single entry point is enough to destroy a network!

The aim of a trap and thus malicious attachment is to pose as a legitimate file (PDF, Word document, JPG image…), while hosting and hiding a malicious code: this is what we generally call Trojans.

Some simple rules to protect against them

  • Always stay alert when someone asks you your personal data;
  • Do not ever open an attachment from an unknown sender, or from one who is not entirely trustworthy;
  • Check the links by hovering the cursor over them (without clicking) to ensure that they link to trustworthy websites;
  • Never reply under the pressure of this kind of solicitation and of course do not proceed to any payment;
  • If there is any doubt, do not reply to the e-mail and contact the sender through another method who will confirm whether it really is a fraud attempt or not.

To remind you of this more often, you can find a wallpaper to download on the Nameshield website:

Download the wallpaper

Image credits : Nameshield with storyset.com

New e-mails authentication requirements from Google and Yahoo

New e-mails authentication requirements from Google and Yahoo - DMARC

Google and Yahoo recently announced significant changes to their e-mails authentication requirements. The aim of these adjustments is to strengthen the security of online communications, a major issue in the current context of cybercrime.

The two giants are emphasizing the adoption of advanced authentication protocols, in particular DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC relies on the existing SPF and DKIM standards, providing a robust method for verifying e-mails’ authenticity and reducing the risk of identity theft and phishing.

To implement these new requirements, Google and Yahoo will adjust their algorithms to give priority to e-mails from domains that have correctly implemented DMARC. The aim of this measure is to improve the deliverability of authenticated e-mails, reinforcing users’ trust in the security of their e-mail inboxes.

The new guidelines will apply from February 1, 2024 to all senders who send more than 5,000 emails per day. They underline Google and Yahoo’s commitment to fight against online threats, in particular phishing, a common method used by cybercriminals to deceive users and gain access to their sensitive information. By adopting stricter e-mails authentication requirements, these companies are strengthening users’ protection against malicious attacks.

It is now essential for domains holders and players in the digital world to comply with these new guidelines, in order to contribute to the creation of a safer and more secure Internet for all.

Nameshield’s experts are at your disposal to assist you in deploying this protocol.

Meet Nameshield on the it-sa from 10th to 12th October 2023 in Nuremberg, Germany

Meet Nameshield from 10th to 12th October in Nuremberg at a new edition of the it-sa, the absolutely must-attend meeting of the IT security sector!

As the “Home of IT Security“, it-sa stands for both a comprehensive range of information and networking and knowledge exchange on the topics of data protection and IT security.

The three-day programme includes talks, workshops, discussion panels, one-to-one meetings and opportunities for networking…

Meet us on site: Hall 7, Stand 7-214, in cooperation with eco, the Association of the Internet Industry.

Exchange with our team and discover our global solutions that satisfy the requirements of your DNS security. Discover our product for a high-availability of your strategic domains: “DNS Bastion“.

For more information, visit the event website: https://www.itsa365.de/

Nameshield’s DNS Premium labelled France Cybersecurity

The digital transformation of companies creates an increasing dependence on networks.

Websites, emails, VPN, applications… these company key services must remain accessible. An interruption would be dramatic.

DNS is the access point to all these services. It translates domain names into IP addresses and routes traffic to these services. It is increasingly exposed to attacks, yet remains poorly secured due to a lack of knowledge. With the increase in threats, maintaining its DNS infrastructure is becoming more and more complex.

Securing strategic domain names by hosting them on highly secure DNS offering permanent availability, to avoid any interruption to company key services, has become a necessity.

Nameshield, certified ISO 27001 on all its registrar activities, protects companies’ critical digital services against cyber threats, and proposes a DNS Premium solution that ensures high availability of online services.

Nameshield’s DNS Premium has been labelled France Cybersecurity since 2018. This label is a guarantee for users that Nameshield’s products and services present a level of quality in cybersecurity verified by an independent jury.

Cybersecurity is at the heart of Nameshield’s DNA, through its CERT and ISO 27001 certification. In a sector dominated by American players, this label is the perfect way to highlight our sovereign solutions such as DNS Premium“, Christophe Gérard, Nameshield’s Products Director.

Find out more about our DNS Premium solution

Phishing, slamming and other fraudulent e-mails: stay alert during the summer holidays!

Phishing, slamming and other fraudulent e-mails: stay alert during the summer holidays!

Every year, the summer holidays announce the upsurge of fraudulent e-mails mass campaigns. Indeed, cybercriminals try to profit from these periods when the vigilance is sometimes lowering, to launch phishing e-mails.

What are phishing and slamming?

Phishing is used by cybercriminals to obtain personal information in order to commit an identity theft.

In the world of phishing, slamming is a well-known variant that consists in encouraging domain names owners to renew their annuity with another registrar, by arguing the emergency and criticality of the concerned name’s loss. Concretely, this is an e-mail pushing its recipient to contract an unsolicited service and to proceed to the payment of this latter without delay.

Thus, the slamming can take the form of a fraudulent renewal bill, generally associated with intimidating terms like “Expiration notice”. Under the pressure of such e-mail, in general well built, it happens that the recipient then proceeds to the payment and is debited of an important amount for the so-called renewal.

In the same way, the slamming e-mail indicates that a “customer” of the sender posing as a fake registrar, wants to register domain names identical or similar to your brand. Then the fraudster proposes to register them for you in order to protect you from these troublesome registrations, of course, in exchange for an urgent payment.

Another kind of attack, the suspicious e-mail attachment!

Be careful of fraudulent e-mails with infectious attachments: a single entry point is enough to destroy a network!

The aim of a trap and thus malicious attachment is to pose as a legitimate file (PDF, Word document, JPG image…), while hosting and hiding a malicious code: this is what we generally call Trojans.

Some simple rules to protect against them

  • Always stay alert when someone asks you your personal data;
  • Do not ever open an attachment from an unknown sender, or from one who is not entirely trustworthy;
  • Check the links by hovering the cursor over them (without clicking) to ensure that they link to trustworthy websites;
  • Never reply under the pressure of this kind of solicitation and of course do not proceed to any payment;
  • If there is any doubt, do not reply to the e-mail and contact the sender through another method who will confirm whether it really is a fraud attempt or not.

Find on the Nameshield’s website a wallpaper to download to help you think about it more often.

Download the wallpaper

Nameshield is exhibitor at the Rethink! IT Security on 22-24 March 2023 in Berlin!

Phishing attacks are becoming more and more frequent and aggressive – learn from us how you can prevent your company’s email addresses from becoming the starting point of such attacks.

On 22.03. at the ICEBREAKER we will discuss the following topic: Domain names and DMARC – Current trends and challenges in IT security.

The Rethink! IT Security is the leading IT security summit for CISOs and IT security decision makers from the German-speaking region.

Learn about current challenges, technologies, trends and best practices in the field of IT and cybersecurity!

https://www.rethink-it-security.de/

As our customer we have a limited number of free tickets. Please contact us at salesgermany@nameshield.net.

We look forward to welcoming you at our stand and have prepared a little surprise for you there to help calm your nerves in case of an incident.