A Small Orange Now Supports Forward Secrecy

A Small Orange is committed to keeping our customers’ information safe and secure, so we’re quite pleased to share that we now support Forward Secrecy across our Secure Sockets Layer (SSL) offerings for shared and business shared products. We have also updated our provisioning templates to ensure our Cloud and Dedicated server customers receive Forward Secrecy support.

If you signed up for a Cloud or Dedicated server in the last 3 months, chances are you have forward secrecy support and can begin to utilize it simply by installing an SSL certificate. For customers on all other product lines, we have you covered and Forward Secrecy support is something we manage for you.

Why is Forward Secrecy Important?

To understand why Forward Secrecy is important, we first need to understand how the current HTTPS (SSL/TLS) implementation puts you at risk. Bear with us for a moment for a quick primer on secure web communication.

When you initiate a connection to a secure HTTPS (SSL/TLS) web site, your web browser conducts a complex set of exchanges with the web site to establish the secure connection. This exchange happens transparently and very fast, in hundredths of a second, but it is very important in determining the degree to which your privacy is protected.

All web sites that are powered by HTTPS (SSL/TLS) utilize a secret key that only the web server knows and uses to encrypt all subsequent communication. From this “secret key” a “session key” is generated and communicated between the web site and your web browser, allowing your browser to understand the otherwise encrypted and indecipherable communication from the web site’s secure HTTPS address.

In a perfect world, this post would end around here: you’ve established a secure connection to a web site (such as https://blog.asmallorange.com) and your privacy is protected. However, things are rarely that simple.

There is a long-known flaw in the current implementation of HTTPS (SSL/TLS) communications on the Internet today. If the “secret key” of the web site you are communicating with is ever disclosed, compromised or otherwise becomes available to attackers or to organizations conducting Internet surveillance (insert three-letter acronyms here), all the recorded communications you have ever conducted with that web site can be decrypted and read as plain, human-readable text. This scenario is not hypothetical; it exists in the real world today. There have been more than a handful of instances of web site secret key disclosures (both compromises and legally compelled disclosures), along with cryptographic flaws, which put our privacy at risk online.

How does Forward Secrecy protect me?

Forward Secrecy is a protocol feature of modern HTTPS (SSL/TLS) implementations. It is not new and has been available for some time; however, it gained significant prominence recently due to the 2013 global surveillance disclosures.

When you communicate with HTTPS (SSL/TLS) web sites that support Forward Secrecy, they protect your communication by constantly changing the keys used to encrypt data between the web site and your web browser. This constant ratcheting of keys ensures that if the secret key of the web site you are communicating with is ever compromised or disclosed, it cannot be used to decipher previously recorded communication you may have had with the web site, so your privacy is maintained.
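To make the difference concrete, here is an added Python simulation (not code from the original post) of the two handshakes described above: a session whose secret is encrypted to the server’s long-term key, and a session whose secret comes from fresh, discarded per-session DH exponents that the long-term key only signs. All parameters are constructed toy values, far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: a textbook RSA pair
# (p=61, q=53) stands in for the server's long-term "secret key", and the
# 127-bit Mersenne prime with generator 2 stands in for the DH group.
RSA_N, RSA_E, RSA_D = 3233, 17, 2753
DH_P, DH_G = 2**127 - 1, 2


def session_key(secret: int) -> bytes:
    """Derive the symmetric session key from the exchanged secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with a SHA-256 keystream); also decrypts."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


def rsa_key_transport(message: bytes) -> dict:
    """Pre-Forward-Secrecy handshake: the client picks the session secret and
    encrypts it to the server's long-term key, so it sits in any recording."""
    secret = secrets.randbelow(RSA_N)
    wrapped = pow(secret, RSA_E, RSA_N)
    return {"wrapped_secret": wrapped, "ciphertext": xor_crypt(session_key(secret), message)}


def ephemeral_dh(message: bytes) -> dict:
    """Forward-secret handshake: fresh exponents a, b for this session only; the
    long-term key merely signs the server's share. a and b are never sent and
    are gone when this function returns (the "ratcheting" in the post)."""
    a, b = secrets.randbelow(DH_P), secrets.randbelow(DH_P)
    share_client, share_server = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    digest = int.from_bytes(hashlib.sha256(share_server.to_bytes(16, "big")).digest(), "big")
    signature = pow(digest % RSA_N, RSA_D, RSA_N)  # toy RSA signature, no padding
    secret = pow(share_server, a, DH_P)             # == pow(share_client, b, DH_P)
    return {"share_client": share_client, "share_server": share_server,
            "signature": signature, "ciphertext": xor_crypt(session_key(secret), message)}


def attacker_decrypt(recording: dict):
    """Adversary who recorded the session and later obtained RSA_D."""
    if "wrapped_secret" in recording:
        # Static RSA: the stolen private key unwraps the recorded session secret.
        secret = pow(recording["wrapped_secret"], RSA_D, RSA_N)
        return xor_crypt(session_key(secret), recording["ciphertext"])
    # Ephemeral DH: the recording holds only g^a and g^b; RSA_D can check the
    # signature but gives no way to compute g^ab, so the ciphertext stays opaque.
    return None
```

Leaking RSA_D still lets an attacker impersonate the server in future handshakes, which is why the post stresses that Forward Secrecy protects previously recorded traffic, not traffic after a compromise.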

How can I verify my website or web host supports Forward Secrecy?

There is currently an excellent service offered by Qualys that provides an SSL grading system and scanning tool for websites, available at SSL Labs (ssllabs.com). This scanning service requires no signup, costs nothing and takes only a minute to run on any HTTPS (SSL/TLS) enabled web site.

The straightforward grading system makes it easy to separate secure from insecure web sites: anything with an A rating (A-, A, A+) is generally considered secure, a B rating is considered secure but not optimally configured, and sites rated C, D, E or F fall into the insecure category or have glaring configuration issues.

A recent change by Qualys to the SSL grading system now makes Forward Secrecy support a prerequisite for an A or A+ rating; any site that does not support Forward Secrecy is automatically capped at an A- rating. As such, if your web host or the sites you communicate with regularly do not rate an A or A+ grade, they are not using Forward Secrecy.

You can further verify that Forward Secrecy is provided by scrolling to the bottom of SSLLabs server test reports and checking to ensure “Robust” Forward Secrecy support is provided by the web server.


We challenge you to test your web host to see whether they are putting your privacy first by supporting Forward Secrecy and whether they are making the grade. In our opinion you should accept nothing less than an A.
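Besides the SSL Labs report, the negotiated key exchange can be checked locally. This added Python example (not from the original post) uses the standard library’s ssl module; the host name is an assumed parameter, and is_forward_secret classifies OpenSSL cipher-suite names by their key-exchange prefix.

```python
import socket
import ssl

# OpenSSL cipher-suite name prefixes whose key exchange is ephemeral (EC)DHE.
# TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use an ephemeral exchange.
# Static "ECDH-", "DH-" and plain "AES..." (RSA key transport) suites do not match.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_")


def is_forward_secret(cipher_name: str) -> bool:
    """True when the negotiated suite derives its session key from ephemeral keys."""
    return cipher_name.startswith(EPHEMERAL_PREFIXES)


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect like a browser (default context, SNI) and report the negotiated
    suite; then reconnect offering only ephemeral suites, to learn whether the
    server can do Forward Secrecy at all even if it prefers a static suite."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
    result = {"default_cipher": name, "version": version,
              "default_is_fs": is_forward_secret(name), "fs_available": False}
    fs_ctx = ssl.create_default_context()
    fs_ctx.set_ciphers("ECDHE:DHE")  # TLS 1.2 suites; TLS 1.3 suites stay enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with fs_ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["fs_available"] = is_forward_secret(tls.cipher()[0])
    except ssl.SSLError:
        pass  # handshake refused: the server offers no ephemeral suite
    return result


if __name__ == "__main__":
    print(check_host("blog.asmallorange.com"))
```

A host whose default_is_fs is False but fs_available is True has the cipher suites but a server-side preference order that does not favour them, which is what SSL Labs distinguishes from “Robust” support.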

Find out more about Forward Secrecy and Internet Surveillance

We take pride at A Small Orange in being one of the first, if not the first, web hosts to offer robust Forward Secrecy support to our customers. We also take part in grassroots initiatives such as “The Day We Fight Back” campaign to end mass surveillance, along with our past position on SOPA/PIPA.

A number of high profile web sites have recently implemented Forward Secrecy support, such as Twitter and GitHub, along with the planned implementation by Yahoo Mail and Microsoft Live/Outlook.com. This is in addition to an array of web sites, such as Google services (e.g. Gmail, Docs, etc.) and many others, that offer “some” support for Forward Secrecy. The “some” qualifier means that if you are using a modern (read: up to date) web browser, you can leverage Forward Secrecy with their services.

You can find some additional reading on Forward Secrecy at the following web sites:

https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection
http://en.wikipedia.org/wiki/Forward_secrecy
http://www.forwardsecrecy.com
http://techcrunch.com/2013/11/22/twitter-enables-perfect-forward-secrecy-across-sites-to-protect-user-data-against-future-decryption

Along with these web sites that are committed to Internet privacy and stopping Internet surveillance:

https://www.eff.org
https://thedaywefightback.org
https://optin.stopwatching.us
https://www.youtube.com/watch?v=aGmiw_rrNxk


February 11th: The Day We Fight Back


ASO Customers:

Tomorrow, A Small Orange will proudly join a broad coalition of activist groups, companies, and online platforms in “The Day We Fight Back”, a worldwide day of activism in opposition to the NSA’s mass spying regime. We’ll be joining thousands of other sites in posting a banner at the footer of our site urging people to call and/or email Congress, to ask legislators to oppose the FISA Improvements Act, support the USA Freedom Act, and enact protections for non-Americans.

This event is being held in honor of the late activist/technologist Aaron Swartz, and in celebration of the victory over the Stop Online Piracy Act in 2012, a proposed bill that Aaron helped to prevent from passing.

Read the whole press release here.

Here’s how you can help:

1. Visit TheDayWeFightBack.org
2. Sign up to indicate that you’ll participate and receive updates.
3. Sign up to install widgets on websites encouraging its visitors to fight back against surveillance. (These are being finalized in coming days.)
4. Use the social media tools on the site to announce your participation.
5. Develop memes, tools, websites, and do whatever else you can to participate — and encourage others to do the same.

Check out this video with more details on this event:


A Small Orange’s first National Security Process Transparency Report

As part of our homegrown approach to web hosting, it is important that we are honest and transparent with our customers whenever possible.

That’s why we were pleased to see that last week the Attorney General and the Director of National Intelligence issued a joint statement announcing new and more flexible reporting methods for national security orders, including National Security Letters (NSLs) and Foreign Intelligence Surveillance Act (FISA) orders. Under one of the two disclosure options provided by the U.S. government, companies can now disclose the total number of all national security process received, including all NSLs and FISA orders, as a single number, starting with 0-249, and thereafter in bands of 250.

We believe that the press coverage of, and attention paid towards, national security orders is disproportionate to the actual number of orders issued. For example, according to data published by the companies, Google has received fewer than 1,000 NSLs, as have Facebook, Microsoft, and Yahoo.

The above data from some of the largest tech companies in the world suggests to us and others in the technical community that the number of NSLs and FISA orders received by a typical internet company is likely not very high.

Today, A Small Orange is publishing its first Transparency Report on national security process received, including NSLs and FISA orders:

  • National Security Process Received: 0 – 249
  • Total Accounts Affected: 0 – 249

At A Small Orange, we still believe we should be able to disclose the exact number and type of national security orders we receive. It’s a question current and potential customers have asked us a number of times, and it bothers us not to be able to answer it.

After the DOJ announcement, the Internet Infrastructure Coalition, of which A Small Orange is a founding member, issued a statement reiterating the need for companies to be more transparent with their customers than even the new guidelines allow.

We will be following the developments in this area closely.


A Small Orange Community Newsletter January ’14

Welcome back to the A Small Orange Community Newsletter.
Hope your 2014 is off to a great start.

Hosting Sale!
It’s the last day to save on all hosting plans.
Get 15% off your first month on any ASO hosting package.
Just use the code SWITCH15 when buying.

Take a look at all of our plans right here.

The ASO Knowledge Base

If you’re a new customer, or want to deepen your existing knowledge of hosting, you’ll want to explore our ever-expanding Knowledge Base. You’ll find helpful tutorials on getting started, billing, security, and a lot more.

Take a look here.

Partner Offer


Exit Intel helps companies convert leads and sales with a unique tool. They can help you provide incentives to your website users (like signing up for your newsletter or displaying a unique offer) if customers navigate away from your site.

Interested in trying it out? A Small Orange customers get 20% off all Exit Intel service plans. Use the code ASO when buying.

Find out more here.

ASO Service Directory

If you’re looking for the right folks to help you with your next hosting-related project, take a look at our Service Directory. Get ASO-approved assistance with design, development, and more. Check it out here.

Thanks for reading. See you next month!

The ASO Team



Ghost 0.4 Support & One-Click Upgrade

We are pleased to announce the immediate availability of Ghost 0.4 support on our shared and business cloud shared servers. The new release of Ghost marks the first minor release update to the popular Ghost blogging platform and includes some 150 bug fixes and a handful of important feature additions. For more details on the Ghost 0.4 release please see the Ghost.org official blog post and the release notes.

The A Small Orange One-Click Ghost installer, available to customers in their account cPanel interface, has been updated to support the latest Ghost 0.4 package, allowing for One-Click installations of the latest version of Ghost.

We have also provided a convenient upgrade feature, now available to customers that previously utilized the One-Click installer for version 0.3, allowing customers to automagically upgrade to Ghost version 0.4.

If your Ghost 0.3 installation was performed manually over SSH, you will need to upgrade to Ghost 0.4 manually. We have however put together instructions to walk you through this process which are available here.

To learn more about NodeJS support at A Small Orange, please find our implementation guide for other NodeJS applications here.

As always, for questions or comments we can be reached 24/7 through any of our support channels. Thank you.
