Encryption Security IT

SSL Certificates For Intranet Sites? 286

wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."
  • by spydum ( 828400 ) on Tuesday November 23, 2010 @12:18PM (#34318684)

    Judging by plenty of the comments in threads similar to this, I think most of us are tired of seeing Ask Slashdot posts on how to do his or her job. Had this been really cutting edge, or new grounds, I could understand. However.. Enterprise PKI? Seriously? If this is to be the continuing trend of Ask Slashdot, I need to adjust my filters.. because that is just sad.

    I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there. It worries me that this is not just the trend in IT, but across all occupations. Am I just getting old and crotchety, or is this a new trend?

  • by Gothmolly ( 148874 ) on Tuesday November 23, 2010 @12:43PM (#34319156)

    It's a new trend I think, fed by the chorus from management that "IT is easy" - so they find cheap talent who live by Googling answers. Nobody designs anything anymore.

  • by ayvee ( 1125639 ) on Tuesday November 23, 2010 @01:14PM (#34319758)
    This may be noobish, but is there some way to set up a certificate authority, have its verification key (V) be publicly available from a website or something, and have V signed by (say) Verisign?
  • by TheLink ( 130905 ) on Tuesday November 23, 2010 @01:58PM (#34320372) Journal

    Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.

    And there's the big difference.

    The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

    No, the way to do what the main requester wants is to get a free cert whose CA is recognized by most popular browsers. You can get some from: http://www.startssl.com/ [startssl.com]
    Their "product" comparison: http://www.startssl.com/?app=40 [startssl.com]

    You might be able to get free certs from elsewhere.

    Apparently some sites sell rapidssl wildcard certs for cheap. I can't remember which ones. Can't find them via Rapidssl's own website for some reason ;).

    You have to understand the truth of the matter. Most people dealing with https don't really care that much about security. All they want is not to have those scary browser warnings.

    If they really cared about security they would realize that most popular browsers by default do not warn you if a site's CA has changed, or a server cert has changed rather prematurely (I use certificate patrol for that). And that as long as this remains true, all the talk about https security is just talk.

    So people should just solve the submitter's problem instead of implying he's incompetent or even calling him incompetent. Because how many of you are relying on https to keep stuff safe and have CA certs in your browser from CAs you do not trust?

    FWIW how many of you really trust Verisign? Stick your hand up if you're that incompetent ( http://en.wikipedia.org/wiki/Verisign#Controversies [wikipedia.org] ). Guess who signs zillions of certs though, and what happens if you don't tell the browser to trust Verisign's certs. Guess who signed a fake Microsoft's cert? http://www.cert.org/advisories/CA-2001-04.html [cert.org]

    So just accept that those certs are mainly to make people feel safe and make the browser warnings go away.

  • by Anonymous Coward on Tuesday November 23, 2010 @02:57PM (#34321308)

    The above is in no way plus 4 insightful. That poster has no clue what they speak of.

    "But they don't authenticate the remote site."
    Wrong: Browsers check that the certificate matches the domain that served it, and that the said certificate was issued by a trusted certificate authority. Without those steps, malicious sites would have to hijack DNS entries for target domains, and use either self-signed certificates or certificates signed by non-trusted CAs.

    "The protocol should also have some reasonable way of doing rollover"
    It does: Look up "SSL renegotiation"

    "is this site using the same certificate as the last time I connected to it"
    Learn how it works before speaking: A site can change its certificate at any time. In fact, some certificates are intentionally short-lived and are replaced frequently. So the bottom line question is "does it matter if the certificate presented is identical to the previous one for this site?" In truth, it doesn't. So the best thing for browsers to do to fit 99% of usage patterns is to validate the certificate for the given session against the known certificate authorities. And that's exactly what happens today.

    To call it all a scam while being so uninformed is.. well.. either from a naive kid, or typical internet trolling.

  • by cormandy ( 513901 ) on Tuesday November 23, 2010 @05:52PM (#34323750)

    It has been said about 300 times here already: install an internal certificate authority and push the CA certificate out to all of your browsers....
    The cheap option is to use an open-source SSL CA; a client of mine (one of the planet's most profitable law firms) was using Verisign to sign internal certs, partly out of laziness, for internally protected (https/SSL) apps. I recommended an internal cert auth and their security gurus deployed an open source CA. They pushed the CA cert out to the worldwide desktops via Windows Group Policy so that the browsers would recognize the signing authority. Worked a charm: all internal certs signed for free. Lots of money saved...
    For another client (big company that manages railway infrastructure on a big island in the Atlantic), we deployed the Oracle "Certificate Authority" (Part of Oracle Identity Management) - don't laugh - and it worked as well. Needed to push the CA certificate out to the desktops via Windows Group Policy. Also worked a charm.
    Only fools use public cert auths such as Verisign to sign internal-facing certificates.
    Both clients had it on their "to do" lists to deploy the MS Certificate Authority, but it was deemed low priority, so another solution was needed...
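The internal-CA approach that several posters above describe, shown end to end as an added example (this is not code from the thread or from any of the products mentioned): create a private root CA, issue a server certificate for an appliance's management interface, and verify that the leaf chains to that root. The host name appliance01.corp.example, the organisation name "Example Corp" and the working directory are constructed placeholders. The example goes one step beyond the posts by adding a subjectAltName, which current browsers require (they ignore the CN), and by confirming that without the root in the trust store the certificate does not verify, which is exactly the warning the submitter wants to get rid of.

```shell
#!/bin/sh
# Added example: private root CA + intranet server cert with OpenSSL.
# Assumed placeholders: work directory, host name, organisation name.

make_internal_ca() {
    workdir="${1:-./internal-ca}"
    host="${2:-appliance01.corp.example}"
    mkdir -p "$workdir"

    # OpenSSL config for the root: CA:TRUE plus key usage limited to
    # signing certificates and CRLs, so the root key can do nothing else.
    cat > "$workdir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = Example Corp
CN = Example Corp Internal Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Root CA key and self-signed root certificate (10 years).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$workdir/ca.cnf" -extensions v3_ca \
        -keyout "$workdir/ca.key" -out "$workdir/ca.crt" >/dev/null 2>&1

    # 2. Server key and CSR for the appliance's management interface.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$workdir/ca.cnf" -subj "/O=Example Corp/CN=$host" \
        -keyout "$workdir/$host.key" -out "$workdir/$host.csr" >/dev/null 2>&1

    # 3. Leaf extensions: not a CA, server auth only, and a SAN entry,
    #    because browsers match the host against subjectAltName, not CN.
    cat > "$workdir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -sha256 -days 397 \
        -in "$workdir/$host.csr" -CA "$workdir/ca.crt" -CAkey "$workdir/ca.key" \
        -CAcreateserial -extfile "$workdir/$host.ext" \
        -out "$workdir/$host.crt" >/dev/null 2>&1

    # 4. Verify the leaf against our root; prints "<path>: OK" on success.
    #    This is the check a browser performs once ca.crt is in its trust store.
    openssl verify -CAfile "$workdir/ca.crt" "$workdir/$host.crt"
}

# Returns 0 only if the leaf carries the expected DNS SAN.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Distributing ca.crt (never ca.key) is the remaining step, e.g.:
#   Windows, per machine:  certutil -addstore -f Root ca.crt
#   Windows, fleet-wide:   Group Policy > Computer Configuration > Windows Settings >
#                          Security Settings > Public Key Policies >
#                          Trusted Root Certification Authorities
#   Debian/Ubuntu:         copy to /usr/local/share/ca-certificates/ and run update-ca-certificates
```

Keep `ca.key` offline or on a restricted host; anyone holding it can issue a certificate for any name that every machine trusting `ca.crt` will accept. Issuing leaves for about a year at a time (the 397-day limit public CAs use) keeps the rollover habit in place even for internal hosts.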
