Friday, 29 May 2015

Upgrading the secure server.

I've been getting a B when I test my secure server using the Qualys test. B is good enough, but obviously I want an "A". It was complaining that my chain of certification was incomplete. Time to crack open a can of Google.

So, after much googling and considerable thought, I decided that the problem was, that in my apache configuration, I hadn't given it the SSLCertificateChainFile. So I did that.

It diidn't work, I still got a B.

I then spent about an hour fiddling with it, until I finally realised that I was changing the Apache configuration for an old version of Apache, not for the version I was actually running. As soon as I changed the configuration in the real configuration file, it worked. I now rate an "A". Hurrah!

But Qualsys was still showing a concern - the signature algorithm I was using was SHA1 with RSA, which it thinks is weak, although not alarmingly so. Still, it recommends an upgrade, so let's do that. I want SHA2. In a couple of years, this will be a requirement, so I might as well do it now.

I needed a new certificate from Comodo, so I contacted them. I made a CSR (Certificate Signing Request) and uploaded it to their site. I got back an email, "Domain Control Validation".

What followed was an elaborate dance. They wanted to phone me for verification, and needed to look up the phone number in a directory. But I don't give the number to directories. So they talked me through signing up for a directory, I did that, and several minutes later, I got a confirming email from the directory, so now that's fine. Then Comodo looked up the number in the directory, and I got an automated phone call giving me a PIN number, which I put into their web site. This, apparently, proves that I am who I say I am.

Actually, it does nothing of the sort. Before you read on, see if you can spot the flaw in their system.



As you will have realised, I could create a throwaway email address, and get a throwaway mobile phone. Then I sign up for the directory giving that phone number and email address, and confirm when I get their email. Then Comodo will accept the fact that the phone number works, and the email address works, as some kind of "proof" of my identity.

It's nonsense. It's security theatre. You do something complicated and mysterious and say "security". Bringing in a phone directory that lets anyone sign up with any details, doesn't make it more secure, just more complicated. Actually, all that Comodo have really done, is confirm that there's a person at the other end of the email address I've given them. And they could have done that by sending an email with a pin code, without all the kerfuffle.

I wonder if they realise what a nonsense this is? My guess is, they don't, they really truly believe that all this complicated procedure has actually made the signup more secure.

What they think that all this has done, is "verify my identity". Which, of course, it has not.

So the next thing I got from Comodo, is  "Your TrustLogo is ready". This lets me put their logo on my web sites. OK, I can see the benefit to them, it's free advertising. But there's no benefit to me, and I haven't yet got the SHA2 cert that I asked them for.

The new certs soon arrived, and I installed them. I had a problem when the key didn't match the cert, but I soon worked out with the help of the chat operator, that the problem was caused by me using the wrong key. With the right key in place, I now have an "A" pass mark from Qualys, and it isn't warning me about a weak SHA1 algorithm.

By comparison, I tested They got a grade B. Heh heh heh. got B, got B and got C.For Natwest, it says "No support for TLS 1.2, which is the only secure protocol version."


  1. Beware that modern browsers and platforms support SHA-2. However, older versions of browsers and operating systems may have compatibility issues.

  2. which is why the other well known names have not yet upgraded....

  3. It's a fork. On the one hand, we have the PCI DSS saying that we must be compliant and pass their pen tests; on the other hand, there's older browsers that can't cope with the more modern protocols.

    Maybe the big boys can give the PCI DSS the finger; the rest of us either hope that the PCI DSS don't care about us not being compliant, or else we get compliant at the cost of losing some customers.