
Reference: Notices-TLS Certificates


8 December 2017

Background

In September 2017, after a lengthy period of discussion between all involved parties, the PKI Community determined an approach they would adopt to handle what was deemed to be a flaw in oversight related to the issuance of Certificates by Symantec (or its subsidiaries, which include Thawte). In response, Symantec then sold its Website Security and Related PKI Solutions to DigiCert, announced in October 2017.

See TheSSLStore's summary for a good overview of the situation. Or, check out Google's Security Blog post about their specific plans (which affect the Chrome Browser).

The "plan" means that some browsers (including Chrome 66) will start rejecting HTTPS connections to sites that utilize a non-compliant Certificate in early 2018 (Chrome 66 is scheduled for March 2018). This, of course, means that any RidgeStar site currently using a Thawte Certificate to encrypt transmissions will be required to update or change the Certificate prior to March 2018 to continue to operate in HTTPS mode without disruption.
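As an added illustration (not RidgeStar's own code), the following Python audits a certificate in the dictionary format returned by the standard library's `ssl.SSLSocket.getpeercert()`, which is what a webmaster can pull from any live HTTPS site. It reports whether the issuer belongs to the legacy Symantec family (Symantec, Thawte, GeoTrust, RapidSSL, VeriSign), whether the certificate has expired, how many days remain, and optionally whether it was issued before a cutoff date. The two sample certificates are constructed for the example; the brand list, the 1 June 2016 issuance cutoff (the date used in Chrome's published distrust plan) and the helper names are assumptions of the example, not taken from the page.

```python
import socket
import ssl
import time

# Organisation names, as they appear in the issuer field, of the legacy
# Symantec PKI that browsers announced they would stop trusting.  Matching is
# a case-insensitive substring test on organizationName (assumption of this
# example, not a list published on the page).
LEGACY_SYMANTEC_BRANDS = ("symantec", "thawte", "geotrust", "rapidssl", "verisign")

# Chrome's published plan keyed its first distrust step on certificates issued
# before 1 June 2016; used here only as the default cutoff for the report.
CUTOFF = ssl.cert_time_to_seconds("Jun 01 00:00:00 2016 GMT")

# Fixed "current time" so the sample run is reproducible (constructed).
NOW = ssl.cert_time_to_seconds("Jan 10 12:00:00 2018 GMT")

# Constructed sample certificates in getpeercert() layout: 'issuer' is a tuple
# of RDNs, each RDN a tuple of (attribute, value) pairs.
SAMPLE_THAWTE = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "thawte, Inc."),),
               (("commonName", "thawte SSL CA (constructed example)"),)),
    "notBefore": "Mar 15 00:00:00 2016 GMT",
    "notAfter": "Mar 15 23:59:59 2018 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
SAMPLE_LETSENCRYPT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority (constructed example)"),)),
    "notBefore": "Dec 01 00:00:00 2017 GMT",
    "notAfter": "Mar 01 23:59:59 2018 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def _rdn_value(name, key):
    """Return the first value of `key` from a getpeercert()-style name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def audit_peer_cert(cert, now=None, distrust_before=None):
    """Classify a getpeercert()-style dict.

    Returns a dict with the issuer organisation, whether it belongs to the
    legacy Symantec family, whether the cert has expired, the whole days left
    until expiry (negative once expired) and, when `distrust_before` (epoch
    seconds) is given, whether the cert was issued before that cutoff.
    """
    now = time.time() if now is None else now
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName") or ""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    legacy = any(brand in issuer_org.lower() for brand in LEGACY_SYMANTEC_BRANDS)
    result = {
        "issuer_org": issuer_org,
        "legacy_symantec": legacy,
        "expired": now > not_after,
        "days_left": int((not_after - now) // 86400),
    }
    if distrust_before is not None:
        result["issued_before_cutoff"] = not_before < distrust_before
    # Either condition means the site will stop working in browsers.
    result["needs_replacement"] = legacy or result["expired"]
    return result


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate of a live server (network call; not used in the sample run)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("constructed Thawte cert", SAMPLE_THAWTE),
                        ("constructed Let's Encrypt cert", SAMPLE_LETSENCRYPT)):
        print(label, audit_peer_cert(cert, now=NOW, distrust_before=CUTOFF))
```

To audit a real site, replace the sample dict with `fetch_peer_cert("www.example.com")`; the default context only completes the handshake if the chain already validates against the local trust store, which is itself a useful first signal.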

Our Process

Recognizing that we shouldn't wait until Site Visitors have their TLS connections rejected by their Browsers, RidgeStar has spent some time and energy researching how to handle the situation. We could simply re-issue the Certificates via the DigiCert process, but since we were going to have to modify every site anyway, we considered other alternatives, also.

TLS requirements for RidgeStar sites are quite simple, at their core. The sites require TLS Connections so that transmissions between the RidgeStar Servers and the Browsers on the Internet are encrypted. This means that the transmissions cannot be read by anyone intercepting them in transit and, potentially, misused. This type of protection is achieved by what are identified as TLS: DV Certificates (for "Transport Layer Security: Domain Validated"). Specifically, a Domain Validated Certificate (DV) is defined as:

A domain-validated certificate (DV) is an X.509 digital certificate typically used for Transport Layer Security (TLS) where the identity of the applicant has been validated by proving some control over a DNS domain.

In practice, this means that when we obtain a TLS Certificate on a Client's behalf, we have to demonstrate that we have "ownership" of the domain, which is verified through usage of DNS (Domain Name Service). In Thawte's case, they do this by inspecting the DNS entries AND transmitting Email to an "authorized Email address" (in most cases, to domains@ridgestar.com).

LetsEncrypt

While researching alternatives, we encountered a new Open Source Project identified as LetsEncrypt, operated by the ISRG (Internet Security Research Group). Fundamentally, LetsEncrypt is about trying to secure more of the Internet via TLS DV Certificates in a very simple and automated way. Of course, it's an obvious benefit that the LetsEncrypt Certificates meet the requirements of the PKI Community.
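The domain-control proof described above (a CA checking DNS or Email before issuing a DV certificate) is what LetsEncrypt automates through the ACME protocol (RFC 8555). As an added example that is not code from RidgeStar or from LetsEncrypt, the Python below computes the two values an ACME CA compares against when validating control of a domain: the "key authorization" served at `/.well-known/acme-challenge/<token>` for the http-01 challenge, and the TXT record value published at `_acme-challenge.<domain>` for the dns-01 challenge. Both derive from the account key's JWK thumbprint (RFC 7638). The sample account key and token are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import json

# Constructed sample ACME account key in public JWK form.  The modulus is a
# made-up string, not a real RSA key; only the thumbprint computation matters.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-modulus-for-this-demo-not-a-real-key",
    "alg": "RS256",   # optional member: must not influence the thumbprint
    "kid": "acct-1",  # optional member: must not influence the thumbprint
}
SAMPLE_TOKEN = "constructedToken-abc123"  # the CA hands this out per challenge

# RFC 7638: the thumbprint hashes only the required public members of the
# key, in lexicographic order, with no whitespace.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout JOSE and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON of the required members))."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: proves the responder holds the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(token: str, jwk: dict):
    """(URL path, body) the CA will fetch over plain HTTP for http-01."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def validate_http01(served_body: str, token: str, jwk: dict) -> bool:
    """CA-side check: the fetched body must equal the key authorization."""
    return served_body.strip() == key_authorization(token, jwk)


def validate_dns01(txt_records, token: str, jwk: dict) -> bool:
    """CA-side check: some TXT record at _acme-challenge must match."""
    expected = dns01_txt_value(token, jwk)
    return any(record.strip('"') == expected for record in txt_records)


if __name__ == "__main__":
    path, body = http01_expected(SAMPLE_TOKEN, SAMPLE_JWK)
    print("serve at", path, "->", body)
    print("publish TXT _acme-challenge:", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The design point for a webmaster is that neither challenge involves a secret sent to the site: the CA only needs to observe, over plain HTTP or via DNS, a value that can only be produced by whoever holds the ACME account key, which is why an agent on the web server can renew the certificate unattended.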

RidgeStar has experimented with the technical aspects of the LetsEncrypt approach and mechanism and we'll happily admit it was pretty impressive. If you're interested in seeing it in action on a RidgeStar Website as a Browser User, click your way to our demonstration system at Referees.biz.

Further, when we consider that a LetsEncrypt TLS DV Certificate is available as a FREE certificate/service (which will permit us to reduce RSU charges for SSL), it has become our alternative of choice for migration away from the Symantec/Thawte based Certificates and to a Certificate that meets the emerging standard.

It is our current plan to begin migration of RidgeStar Client sites with TLS support active (Feature=SSL or anyone with HTTPS service available) in December 2017. This will be a gradual migration which is expected to take a month or two, but should be fully operational by February 2018 (well before the stated deadline of March 2018).

What does the Webmaster have to do?

Basically, just be aware of the change.

If all goes well, there should be no change in functionality or performance of your site and the shift from a Thawte TLS Certificate to a LetsEncrypt TLS Certificate should be completely transparent.

However, LetsEncrypt (as a CA) is relatively new and it is possible that "older" browsers may not recognize the CA properly. If this occurs and one of your Visitors contacts you about a TLS Failure, etc., please let us know right away (via a Ticket or Email to your Account Representative).