SSL Frequently Asked Questions (FAQ)

What you need to know about SSL

Q: What is SSL?

A: Secure Sockets Layer (SSL) is a protocol for enabling data encryption on the Internet and for helping web site users confirm the owner of the web site. SSL is most commonly used to protect communications between web browsers and servers. However, it is increasingly used for server-to-server communications and for web-based applications.

Q: How long does enrolment take?

A: An SSL certificate may be issued within minutes of submitting your enrolment information as long as the information is correct and the authorised administrator responds promptly to the confirmation email. RapidSSL® Certificates and RapidSSL® Wildcard both use domain control validation as their authentication process.

Q: What is domain control validation?

A: RapidSSL will confirm domain control by sending an email to the administrator listed with the registrar for the domain. If the authorised administrator does not reply, a second email will be sent to an email address at the domain such as info@ or support@. We do this for you.

Q: What is encryption and why are there different levels?

A: Encryption is a mathematical process of coding and decoding information. The number of bits (40-bit, 56-bit, 128-bit, 256-bit) tells you the size of the key. Like a longer password, a larger key has more possible combinations.

When an encrypted session is established, the encryption level is determined by the capability of the web browser, SSL certificate, web server, and client computer operating system.

Q: How do web site visitors know if a web site is using SSL?

A: When a browser connects to a secure site it retrieves the site’s SSL certificate and checks that it has not expired, that it has been issued by a Certificate Authority the browser trusts and that it is being used by the web site for which it has been issued.

If it fails on any one of these checks the browser will display a warning to the end user. If it succeeds, several security indicators are built into modern browsers to indicate that SSL is enabled.

  • The beginning of the URL or web address changes from http:// to https://
  • A padlock on the browser window changes from open to closed
  • The address bar will turn green and display the name of the web site owner when connecting to a web site protected by an Extended Validation SSL certificate.

In addition, a trust mark such as the RapidSSL site seal may be added to web pages on a secure site.

Q: What does browser recognition mean?

A: When a browser or operating system encounters an SSL certificate, it checks to make sure that the certificate is valid and trusted. An SSL certificate is trusted if it is signed by a “trusted” or pre-installed root certificate. If a browser does not contain the root CA certificate used to issue the SSL certificate, a security warning will alert the user.

Q: What is a certificate signing request or CSR?

A: A CSR is a public key that you generate on your server according to your server software instructions. (If you do not have access to your server, your web host or Internet service provider will generate it for you.) The CSR is required during the SSL certificate enrolment process because it validates the specific information about your web server and your organisation.

Q: What is a public/private key pair?

A: SSL uses unique cryptographic key pairs: each key pair consists of a secret private key and a related public key. Information encrypted with a public key can only be decrypted with the corresponding private key, and vice-versa.

Q: How do I obtain the RapidSSL Site Seal?

A: You must obtain the site seal directly from RapidSSL and follow the instructions given. Claim your RapidSSL Site Seal.

How to: Transfer your Web Site to UKC

Transferring your Web Site to UKC without Downtime

Moving your site from an old host to a new host might sound complicated but it is actually very easy.

Our technicians are moving all types of sites (self built, WordPress, Joomla, shopping carts) on a daily basis. Leave the complexity to us.

We will help you transfer your web site, data and MySQL databases to our hosting service and minimise (if not eliminate) the need for any downtime whatsoever.

Here are the steps to follow:

  1. Order your new hosting plan from UKC. Do not cancel your old hosting plan (yet).
  2. Is your old host using Plesk? If so, all you need do is run a full backup in Plesk Backup Manager and provide us with the backup file. We can restore from here.
  3. You will now have access to two hosting accounts.

What we need from you

In order for us to successfully transfer your website, we need the following:

  1. A backup of your hosting account run from your old host (if you have one)
  2. The panel login details of your old hosting plan
  3. The FTP details of your old hosting plan
  4. If you have SSH with the old host, then these details can also help

From here we can take care of the transfer of all of your site data and databases.

Going live without downtime

We will transfer all of your web site, data and MySQL databases before the “going live” date, which we will agree with you beforehand.

Once we go live, the switch will simply be a name server change on your domain name. At this point, your web site will now be live using a UKC hosting plan. Once you are happy with the operations of your new site you can then proceed to cancel your old hosting plan.

If you have any questions now (or along the way) simply contact the Helpdesk who are there to help.

Emails sent to me are being returned as SPAM. Can I stop this?

Email blocking problems

Occasionally, someone who has sent you an email may receive a message saying that a mail they sent you hasn’t been delivered. The email they sent has been blocked, and the full message is:

senderdomain.com 12.34.56.78 is listed at bl.spamcop.net. Contact tech support enclosing a copy of this error message on email address.

The message will contain a full email address in place of email address. There may also be another address in place of bl.spamcop.net.

Only the sender will receive the message. You will not receive notification that an email to you has been blocked and you will be able to send and receive other messages as normal.

The message is part of our effort to block spam sent to email addresses hosted at UKC.

We check the IP address of the server each email has been sent from against several lists of addresses, one of which is maintained by bl.spamcop.net. If the IP address is on any of these lists then we block the email.

Although this stops lots of spam getting through, it does mean legitimate messages occasionally get blocked too. If this is happening to someone trying to send you email, it’s easy for them to stop it occurring in the future.

How to fix it

The person who sent you the email should forward the message they received to the address shown in it. We’ll put the relevant IP address onto our list of allowed addresses, so future mails from that person come through to your inbox.

If the message mentions spamcop.net, they can also enter the IP address in the message (e.g. 12.34.56.78) into the Lookup IP box at Spamcop.net. This will remove the IP address from their list and should ensure that other email providers using the list stop blocking messages from that person.

Protect against WordPress Pingback Vulnerability

How to Neutralise a Pingback DDOS Attack

The WordPress Pingback Vulnerability is used to maliciously attack your WordPress site via the Pingback service.

If the attack is heavy enough then not only will your site be seriously slowed (if not inaccessible) but your server will also be overloaded with requests, thus risking your shared hosting account altogether.

This type of attack is usually instigated via a botnet of many hundreds (if not thousands) of different IP addresses, so simply blocking the IP address of the attacker is not practical.

If you are under attack right now then there are actions you can take to minimise (if not nullify) the effect of the attack.

Disable the WordPress XMLRPC Service

We can do this by adding a “deny” rule for “xmlrpc.php” to your .htaccess file. This will stop your WordPress site from participating in the pingback requests.

Add the following to the top of your .htaccess file:

# Deny all requests to xmlrpc.php (no space is allowed after the comma in Order)
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>

The attack will now have less effect on your server load.

Once the attack is over, you may remove the deny code if you need XMLRPC services active on your WordPress site. There’s a 95% chance you can leave it there with no noticeable effect at all.

Blocking the DDOS Attack using CSF

If you use CSF, you may still want to block the IP addresses of the attacking botnet. It’s quite easy to do.

Here is a bash one-liner that will do the job for you in real-time:

tail -f /var/www/vhosts/yourdomain.com/logs/access_log | grep --line-buffered "\"WordPress/" | grep --line-buffered -v "POST " | awk '{print $1; fflush()}' | while read -r IP; do /usr/sbin/csf -td "$IP" 7d BlockPingback; done

There is some satisfaction in having the IPs permanently blocked. You can add the resulting IP block to your deny files on all servers and accounts.

It does make sense as all the attacking WordPress sites are clearly compromised and will no longer be a problem (for you at least) if permanently blocked from your server.
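
An offline variant of the filter above, as an added example that is not part of the original article: it applies the same match (User-Agent starting with WordPress/, non-POST requests) to a saved log, counts hits per address, skips first fields that are not IPv4 addresses (as happens when hostname lookups are enabled), and prints the csf commands for review instead of running them. The log lines, the threshold argument and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: offline triage of an Apache combined-format access log.
# It only prints csf commands; nothing is blocked until an operator runs them.

# Constructed sample lines (documentation IP ranges, made-up sites and dates).
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [10/Mar/2014:10:00:01 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://a.example; verifying pingback from 192.0.2.9"
198.51.100.7 - - [10/Mar/2014:10:00:02 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://a.example; verifying pingback from 192.0.2.9"
198.51.100.7 - - [10/Mar/2014:10:00:03 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.8.1; http://a.example; verifying pingback from 192.0.2.9"
203.0.113.20 - - [10/Mar/2014:10:00:03 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.7; http://b.example"
203.0.113.20 - - [10/Mar/2014:10:00:04 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.7; http://b.example"
203.0.113.20 - - [10/Mar/2014:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "WordPress/3.7; http://b.example"
192.0.2.44 - - [10/Mar/2014:10:00:06 +0000] "GET /about/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
crawler.example.net - - [10/Mar/2014:10:00:07 +0000] "GET / HTTP/1.0" 200 512 "-" "WordPress/3.7; http://c.example"
EOF
}

# pingback_offenders <min_hits>: reads a log on stdin and prints "ip hits" for
# every client with at least <min_hits> matching requests, busiest first.
pingback_offenders() {
  awk -v min="${1:-3}" -F'"' '
    # Split on double quotes: $1 = client/ident/date, $2 = request, $6 = User-Agent
    $6 ~ /^WordPress\// && $2 !~ /^POST / {
      split($1, head, " "); ip = head[1]
      # Count dotted-quad values only, so no other log text can reach csf
      if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
  ' | LC_ALL=C sort -k2,2nr -k1,1
}

# block_commands <min_hits>: print one temporary-deny command per offender,
# with the same 7d TTL and comment as the one-liner, without executing it.
block_commands() {
  pingback_offenders "$1" | while read -r ip hits; do
    printf '/usr/sbin/csf -td %s 7d BlockPingback\n' "$ip"
  done
}

# Dry run over the constructed sample with a threshold of 3 hits.
sample_log | block_commands 3
```

To use it on real data, pipe the access log into block_commands in place of sample_log, review the printed lines, then run them.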

Problems Sending Mail – Receiving is Fine?

Outgoing Emails Blocked by Spamhaus

Error: Cannot send emails: 451 http://www.spamhaus.org/query/bl?ip=xx.xx.xx.xx

If you cannot send mail, the problem is likely a restriction by your ISP (Internet Service Provider), as many block the normal sendmail port 25 due to their own security concerns.

This can be the case even if sending was working recently, as some ISPs roll these changes through without warning.

Simply changing to port 587 will resolve the problem for you.

Below are our recommended outgoing SMTP settings:

  • Incoming Server: mail.your-domain.com
  • Outgoing Server: mail.your-domain.com
  • Username: Your full e-mail address
  • Password: Your e-mail account password
  • Incoming Port: POP3 110 or IMAP 143
  • Outgoing Mail server (SMTP) Port: 587
  • SSL: NO
  • SMTP Authentication Required: YES
  • Secure Authentication (SPA): NO

If you are unsure how to make the above changes, we recommend reviewing: