22 Jun, 2020

Quttera Offers Free, Simple SSL Management for ThreatSign Users

These days, maintaining an SSL certificate without letting it lapse is vital. The Quttera ThreatSign DNS WAF protects you against a broad range of threats and offers you free SSL management.

Let's Encrypt will give your website a signed SSL certificate for free. You may be wondering, "What's the catch?" There are some limitations, but it is free and fully functional. The difficulties are almost nonexistent if you have Quttera's ThreatSign Website Security and DNS Web Application Firewall.

We take care of it all for you. Once you've set up some simple domain configuration, our SSL management installs the certificate and keeps it current. You get encrypted connections for all the pages on your domain without having to set up anything more. Your customers can be confident that no one is intercepting their communication with your site.

This is in addition to the website protection you get from the WAF. All your incoming traffic is checked for malicious packets, which the WAF blocks before they can touch your server.

Free Certificates from Let's Encrypt
Once upon a time, secure communication with a website was a luxury. As online crime has grown, it's turned into a necessity for all kinds of sites. Sites without security are vulnerable to intercepted communication and man-in-the-middle attacks.

However, cost and complexity have been issues for individuals and small organizations. The Let's Encrypt project began in 2012. Its goal was to put signed SSL/TLS certificates within reach of everyone who operated a domain at no cost. Since then, it has issued over a billion certificates.

Creating a certificate is simple. You can do it on your own computer. The issue is validating it. An unsigned certificate can be a forgery. Certificate authorities (CAs) confirm through digital signing that the certificate is under the domain owner's control. A domain with a self-signed certificate is worse than one that uses plain HTTP and will trigger browser warnings.

Let's Encrypt is a certificate authority that issues certificates at no charge. Unlike a self-signed certificate, a Let's Encrypt certificate is recognized as belonging to the domain, just like one from any other certificate authority. Users will see a padlock icon in their browsers.

Limitations
Why would anyone pay for a certificate when this option is available? There are a couple of limitations in Let's Encrypt. Its certificates carry only Domain Validation (DV), the most basic type of validation. They confirm only that the domain owner has demonstrated control of the domain, not that the owner is a legitimate organization. Most domains find this sufficient. Organizational Validation (OV) and Extended Validation (EV) require additional verification, and the CAs that issue them charge a price.

The other issue is that Let's Encrypt certificates expire in 90 days. The main reason for this is to minimize the harm that malicious domains and careless handling of certificates can do. An additional reason is to encourage automated renewal. Once automation is set up, it's easy to keep renewing certificates every 90 days, or every 60 to allow a margin of safety.

Not every domain owner can easily set up automation, though. Many rely on their hosting providers, some of whom charge for installation and renewal. Worse yet, some hosting providers aren't reliable about renewing the certificates.
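Whoever handles renewal, the 60-day renewal point inside the 90-day lifetime gives you something to monitor. The sketch below is an added example, not Quttera or Let's Encrypt code; the function names and status labels are assumptions made for illustration, and the dates in the demo are constructed.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_AFTER = timedelta(days=60)  # renewal point suggested in the article


def parse_cert_time(value):
    """Parse a getpeercert() timestamp, e.g. 'Jun 22 12:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def renewal_status(not_before, not_after, now):
    """Return (status, whole days left) for one certificate validity window."""
    days_left = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", days_left
    if now >= not_after:
        return "expired", days_left
    if now - not_before >= RENEW_AFTER:
        # Automation should have replaced this certificate already.
        return "renewal-overdue", days_left
    return "ok", days_left


def check_host(host, port=443, timeout=5.0):
    """Fetch the served certificate and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake outright.
        return "invalid: " + exc.verify_message, None
    return renewal_status(parse_cert_time(cert["notBefore"]),
                          parse_cert_time(cert["notAfter"]),
                          datetime.now(timezone.utc))


if __name__ == "__main__":
    # Constructed 90-day validity window, checked on three constructed dates.
    start = parse_cert_time("Jun 22 12:00:00 2020 GMT")
    end = parse_cert_time("Sep 20 12:00:00 2020 GMT")
    for day in ("Jul 22 12:00:00 2020 GMT", "Aug 25 12:00:00 2020 GMT",
                "Sep 21 12:00:00 2020 GMT"):
        print(day, renewal_status(start, end, parse_cert_time(day)))
```

A "renewal-overdue" result still leaves about a month before browsers start warning visitors, which is the window in which to chase whoever manages the certificate.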

Quttera DNS WAF Makes SSL Management Easy
When you set up Quttera's ThreatSign DNS Web Application Firewall, you get the extra benefit of complete SSL management. By default, your domain gets a free Let's Encrypt certificate. Quttera handles the installation and renewal of Let's Encrypt certificates at no extra charge. If you already use a certificate from a different source, you can keep using it.

If you don't renew your certificate on time, browsers will warn users that your site could be unsafe, even though there's nothing else wrong with it. When Quttera's servers automatically handle renewals, you're safe from this risk.

How SSL Management Works on DNS WAF
When you subscribe to ThreatSign, you can choose from two WAF configurations. You can install the WAF on your own network, with all requests filtered locally. This is called the Endpoint WAF. If you use this option, you are responsible for whatever SSL certificates you want to use. You need to use the Endpoint WAF if your security policies mandate that nothing should be decrypted outside your data centers.

If you choose the DNS WAF, it runs on Quttera's servers. One of its advantages is that Quttera handles your SSL management for you. The DNS WAF offers greater ease of use and scalability than the Endpoint WAF.

When you set up Quttera DNS WAF, you need to configure your DNS records on your domain registrar's site. Normally, the A and CNAME records for your domain would point at your Web server. With the WAF, all requests need to go through Quttera's servers before being passed on to yours. You will set up the A record to point your canonical domain at the IP address Quttera gives you. The CNAME records need to associate your other subdomain names with the canonical record, so that all variants of your domain are covered.
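After the DNS change, it is worth confirming that no A or CNAME record still sends visitors somewhere other than the WAF. The audit below is an added example, not Quttera tooling; `audit_waf_routing` is a hypothetical helper, the records are constructed, and 203.0.113.10 and 198.51.100.7 are documentation-range addresses standing in for the IP Quttera assigns and for your own web server.

```python
import ipaddress

# Constructed sample zone as (name, type, value) tuples.
SAMPLE_RECORDS = [
    ("example.com.", "A", "203.0.113.10"),        # canonical name -> WAF
    ("www.example.com.", "CNAME", "example.com."),
    ("shop.example.com.", "CNAME", "example.com."),
    ("old.example.com.", "A", "198.51.100.7"),    # left over from before the move
    ("example.com.", "MX", "mail.example.com."),  # not web traffic, ignored
]


def audit_waf_routing(records, apex, waf_ip):
    """Return (name, problem) pairs for A/CNAME records that miss the WAF."""
    waf = ipaddress.ip_address(waf_ip)
    apex = apex.lower()
    cnames = {n.lower(): v.lower() for n, t, v in records if t == "CNAME"}
    a_records = {}
    for name, rtype, value in records:
        if rtype == "A":
            a_records.setdefault(name.lower(), []).append(ipaddress.ip_address(value))

    findings = []
    if apex not in a_records:
        findings.append((apex, "canonical name has no A record"))
    for name, addrs in a_records.items():
        for addr in addrs:
            if addr != waf:
                findings.append((name, f"A record {addr} does not go through the WAF"))
    for name in cnames:
        # Follow the CNAME chain inside the zone, guarding against loops.
        target, seen = name, set()
        while target in cnames and target not in seen:
            seen.add(target)
            target = cnames[target]
        if target != apex and waf not in a_records.get(target, []):
            findings.append((name, f"CNAME chain ends at {target}, not the WAF"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_waf_routing(SAMPLE_RECORDS, "example.com.", "203.0.113.10"):
        print(f"{name}: {problem}")
```

Hosts that legitimately serve something other than web traffic will also appear in the findings, so treat the output as a review list.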

The entity registering or renewing an SSL certificate uses a piece of software called a certificate management agent. It satisfies a challenge from the certificate authority to prove that it controls the domain. Normally, the agent would run on your server. Because the DNS configuration directs requests to the WAF server, the WAF server can act in this capacity and satisfy the CA's challenge. It requests the certificate, stores it, and periodically renews it.

When you sign up for ThreatSign, you get ongoing, comprehensive protection of your website.

Our Promise to You
Your site's security depends on protecting your SSL certificate. Quttera employs state-of-the-art security to ensure it won't be compromised.

If, for whatever reason, you stop using the Quttera WAF or switch to the Endpoint WAF, you can take control back. You'll direct the DNS A records at your server, and you'll need to request a new certificate from Let's Encrypt or any other CA of your choice. We hope you'll stay with us, but we won't lock you in.

Every business website needs SSL/TLS protection to keep its users' trust and avoid security risks. Let's Encrypt eliminates cost as an objection. The Quttera ThreatSign DNS WAF protects you against a broad range of threats as well as managing all the details of your SSL certificate. You'll spend less time worrying about security and can pay more attention to running your business.