SSL Certificates For Intranet Sites?
wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."
Private Certificate Authority (Score:5, Informative)
Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.
Re:Private Certificate Authority (Score:5, Insightful)
Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.
Re:Private Certificate Authority (Score:5, Funny)
Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.
Damn, over in two posts.
Re:Private Certificate Authority (Score:4, Insightful)
FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."
Before snarking on the FP author, perhaps you should actually read the FP's question?
Re:Private Certificate Authority (Score:5, Insightful)
Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.
The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.
I do not know any other way to do this automatically.
Re: (Score:2)
A variant would work if all browser users were technical enough to download and install a browser, that is, a central in-house downloadable copy with that root installed in the browser.
Re: (Score:3, Insightful)
A variant would work if all browser users were technical enough to download and install a browser, that is, a central in-house downloadable copy with that root installed in the browser.
That only works if you're also fine with local users having the privileges to install software on their workstations. So you're only trading one security issue for another.
Re: (Score:2, Informative)
Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)
As soon as a new pc joins the domain, the internal CA root cert is installed.
Re: (Score:2)
Most browsers, and any other programs that have SSL-related business, either store their set of trusted certs/authorities as a set of certificate files in some reasonably easily discoverable directory or piggyback IE's settings. If the former, you just execute a trivial file-copy script via group policy any
Re:Private Certificate Authority (Score:5, Informative)
Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)
For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.
Re: (Score:3, Insightful)
Yes! I've discovered lately when evaluating Chrome for workstation use that Chrome now has an (ever-growing) list of group policies available. Grab the adm/admx [chromium.org] templates and MSI installer and check them out.
Coincidentally, the latest Chromium/Chrome Canary/Chrome Dev builds also started ignoring IE's trusted zone lists and so Windows integrated authentication (Kerberos Negotiate) stopped working. Boo. Supposedly there's a new policy that I can set to fix this. I reported the issue [google.com] but am waiting for clarifi
Re: (Score:2)
Get a low cost email certificate, create a self signed root certificate authority (best done on a smart card or other protected hardware) and distribute your root certificate via signed email.
Many appliances don't have an API for anything except an internally self signed certificate. So in many cases you will be stuck with the warnings.
Re:Private Certificate Authority (Score:4, Interesting)
Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.
And there's the big difference.
The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.
No, the way to do what the main requester wants is to get a free cert whose CA is recognized by most popular browsers. You can get some from: http://www.startssl.com/ [startssl.com]
Their "product" comparison: http://www.startssl.com/?app=40 [startssl.com]
You might be able to get free certs from elsewhere.
Apparently some sites sell rapidssl wildcard certs for cheap. I can't remember which ones. Can't find them via Rapidssl's own website for some reason ;).
You have to understand the truth of the matter. Most people dealing with https don't really care that much about security. All they want is not to have those scary browser warnings.
If they really cared about security they would realize that most popular browsers by default do not warn you if a site's CA has changed, or a server cert has changed rather prematurely (I use certificate patrol for that). And that as long as this remains true, all the talk about https security is just talk.
So people should just solve the submitter's problem, rather than implying he's incompetent or even calling him incompetent. Because how many of you are relying on https to keep stuff safe and have CA certs in your browser from CAs you do not trust?
FWIW how many of you really trust Verisign? Stick your hand up if you're that incompetent ( http://en.wikipedia.org/wiki/Verisign#Controversies [wikipedia.org] ). Guess who signs zillions of certs though, and what happens if you don't tell the browser to trust Verisign's certs. Guess who signed a fake Microsoft cert? http://www.cert.org/advisories/CA-2001-04.html [cert.org]
So just accept that those certs are mainly to make people feel safe and make the browser warnings go away.
Re: (Score:2)
You are right, but it is only cost neutral for a certain size of company: large ones are better off doing in-house CA practices, and the price of a CA is often too steep for small companies.
Are you seriously that dense? (Score:4, Insightful)
FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks." Before snarking on the FP author, perhaps you should actually read the FP's question?
So a login script (or in a Microsoft environment, an AD group policy) that distributes the certificate automatically to each computer meets your definition of "manual distribution?"
Really? That's what you're saying? "Automatic" and "manual" are synonyms in your universe? Wow.
Re: (Score:2)
I interpreted "manually distributing your certificates and CRL" as "walking it around".
He could e-mail the cert to everyone with instructions to have them install it.
He could also push a customized version of IE or Firefox with the cert and CRL already in the store.
Re: (Score:2)
No kidding... so many ways to do this...
Even if he's running Linux clients there are tons of ways to have the clients do this, even if it's as low tech as:
Everybody copy and paste this into a terminal:
yum install -y http://intranetserver/company-certs.rpm [intranetserver]
Re: (Score:3, Informative)
that don't involve manually distributing your certificates and CRL to every workstation in the company
So automate the distribution. Logon script, group policy, OS update patch, software distribution push out, whatever. You do it once and it's done. Then put it on your standard image and never worry about it again.
Re: (Score:2, Informative)
Why do you assume it has to be manually distributed? CRL and Certificates could be distributed through any enterprise desktop management system, such as SCCM or remediation managers such as Hercules.
Re:Private Certificate Authority (Score:5, Informative)
If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...
Re:Private Certificate Authority (Score:4, Informative)
You don't even need group policy... once you install a Windows CA in Enterprise mode it's automatic; the chain will be distributed and trusted via Active Directory.
Re: (Score:3, Informative)
If you make your Microsoft certificate authority the domain authority, I think that it will automatically distribute the root cert to every domain-joined computer at the next computer policy refresh.
Not only that, but there is a section of group policy just for certificates. It is very easy to work with (if you are using a Microsoft authority).
The cost is that of another server (or a few servers for a large organisation).
Re: (Score:2)
We don't manually distribute certificates or CRLs here. Software distribution for all other purposes also serves that one.
Being snarky and encouraging the poster to indulge in a more fully-featured systems management environment is appropriate here. If you want to leave the porch, you'll have to run like a big dog... Otherwise, stay home.
Re: (Score:2)
Remotely updating large numbers of workstations without having to sit at every desk in the company is just one of those things that sysadmins do. If you can't do that then you should focus on learning how to do it first and worry about how SSL certificates work later.
Re: (Score:2)
If it's a Microsoft shop, you set up a Certificate Authority (free) and distribute it to clients via Group Policy. Done. No manual distribution.
Re: (Score:3, Informative)
It's impolite, but the truth. If your job entails running a company's computer systems, you should already know (or be able to Google) the fact that you either have to pony up for SSL certs or generate and distribute your own. There is no in between. In systems administration, the question of "how do we solve this?" is almost always answered by "rolling our own" or "paying someone".
Re: (Score:2)
Haha, hilariously true.
I knew nothing about certificates, certificate authorities, certificate servers and running your own private certificate authority, but I was curious.. (This was as I read the original question, before the comments) so I went to Wikipedia and spent about 2 minutes reading about SSL certificates until I started reading http://en.wikipedia.org/wiki/Certificate_server [wikipedia.org], and noticed the Open Source Implementations part...
Immediately I thought, "Why can't you just run your own certificate
Re: (Score:2)
When did asking a question cease to be a valid method of finding things out?
I mean, it's great that you can find information like this from Google or Wikipedia, but it can be a risky strategy, and you might end up following a howto that results in a non-optimal implementation, or lacks crucial information, or doesn't adequately detail the pitfalls of a particular method. Or maybe you're like me, and sometimes you just can't think of the right search terms to use.
I would have thought that Slashdot would be
Re: (Score:2)
Which is actually Redundant as the OP question specified
Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company?
Re: (Score:2)
Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.
You are assuming that this is a centrally controlled provisioning environment. This does not work in a setting where people bring their own computers - like in a university classroom.
BTW - why are you such an @sshole? The whole point of ask slashdot is to generate discussion about how to solve problems - not attract personal character attacks from ACs.
Re: (Score:3, Insightful)
Doesn't mean he's wrong. Seriously, this is SSL 101, and anyone tasked with setting up SSL-protected websites should've intuitively known the answer before the question was even asked.
Re: (Score:3, Insightful)
The available certificate servers which are Free Software tend to be rather user-unfriendly. Maintaining certificate revocation lists and handling certificates for different purposes (mail, web, code, client authentication, vpn...) are needlessly time-consuming chores. Obviously any competent system administrator can script their way out of it, but in this case it is a rather large effort.
I would be very happy to hear about an easier solution.
Re:Private Certificate Authority (Score:5, Informative)
TinyCA2 [sm-zone.net] is rather easy to use.
Re: (Score:2)
It's what my company does, and it works great. Except for those of us that use Firefox. (Though that wouldn't be a problem if the security dept. supported non-IE browsers.)
Re: (Score:2)
Chrome mirrors my Windows certs, just like IE does. Why doesn't FireFox do this?
Just seems like FF doesn't want to be used in the enterprise.
I don't use FF, so I probably don't know how to set this up, but really, why should you have to jump through hoops? Should be defaulted on.
Re: (Score:2)
Why go to the trouble? Buy a single wildcard cert from RapidSSL (they're not expensive), and install it everywhere. Just sayin'.
Re: (Score:3, Informative)
Indeed. An "enterprise PKI," as Microsoft likes to call it, handily solves this issue. Just add the root CA and intermediate CA certificates to the computers via Group Policy -- just as you would if you needed to trust a novel CA (such as, for instance, the DoD CAs). As an added bonus, if you activate auto-enrollment on Windows, your users get access to encrypted and signed e-mail, and you can trivially kick PPTP VPNs to the curb and use IKEv2 or L2TP instead. With a little more work, you can even get IPSec
Re: (Score:2)
Not only that, but if you don't feel like using the OpenSSL command line, you could always use a GUI front-end like TinyCA [sm-zone.net] to make life easier. On Ubuntu, it's available prepackaged.
Re: (Score:2)
Anyone figure out how to add certificates or authorities on Android?
Re: (Score:3, Insightful)
And to those of you here who claim "half a brain": please remember that you yourselves may someday need to do something (legal, financial, educational, even technical) for which you are less than half competent. Yes, you have achieved a "win" in humiliating a sincere poster, but it's the cheap victory enjoyed only by the pusillanimous.
Here's the deal. Either this person is administering a smallish number of machines, in which case he/she can simply go 'round and install certificates on all of them, or they're administering an assload of them, in which case they do indeed deserve the scorn for not being willing to do a modicum of research and choose the standard approach.
Your defense only works if they're in charge of too many machines to administer manually, but yet have no experience doing so - a situation which is highly unlikely. It
Inexpensive 3rd Party Solution (Score:4, Informative)
https://www.startssl.com/ [startssl.com]
An Israeli company with inexpensive SSL (and other certs). I would also point out the prices they have for Extended Validation SSL certs.
Re: (Score:2)
it's not like firesheep is a new concept or anything, just a tool that makes it even easier to snoop than before.
Re: (Score:2)
to the overuse of whoosh!
Re: (Score:2)
I had to install their root certificate on Windows 2000, but any computer that gets regular windows updates should have had it since last year.
They don't charge for certificates, they charge for work a person has to do: verifications.
Meaning, if they have to call you, it will cost, but you can get regular certificates for free.
Re: (Score:2)
I use StartSSL for tens of certificates on all manner of internet and intranet sites. I had to install their root certificate on Windows 2000, but any computer that gets regular windows updates should have had it since last year.
I'll jump on the StartSSL praise train, too. For $50/year, you get unlimited SSL certs for any domain you control, or personal authentication certs (i.e., e-mail) for any e-mail address you control. The certs can include wildcarding, multiple domains per cert, and lots of other features that other CAs charge an arm and a leg for.
I noticed that I had to install their CA cert when I was using their completely free certs, but their class 2 certs were issued by a different CA that was already in IE and Firefo
Why are you clicking through that box every time? (Score:4, Insightful)
You could also set up your own local root authority (most larger companies do this) and make your own certs.
Re: (Score:2)
Check the name on the cert. If it is self-signed, then you just have to deal with it. But if it is root-signed, look at the site name. If you can find a way to use that site address to access the device then you will not get prompted.
My home router has a valid cert, but I would use the ip address and get prompted every time. I ended up making an entry in my host file for "linksys" at that address. Now when I go to https://linksys/ [linksys] everything is ok.
At the end of the day, remember the whole reason these d
Re: (Score:2)
HP lights out boards don't retain the self generated cert between power failures. So when power returns you get a different cert, and the exception now needs to be removed and readded.
Is free cheap enough? (Score:5, Informative)
http://startssl.com/ [startssl.com]
Re: (Score:2)
http://startssl.com/ [startssl.com]
mod parent up - great service.
Re: (Score:2)
Does this mean that if third-party users access my web site, they will be "stopped" with the typical warning that the site is secured with an unknown certificate, and have to go through the usual steps to add it, etc.?
Or will it just "work"? Will they get the nice colored emblem on the address bar saying "Verified by: startssl", etc.?
In other words, will it be any better, or more transparent to the user than they
Re: (Score:2, Informative)
If by "nice colored emblem", you mean the blue indicator next to the address bar and the padlock icon in the bottom-right, yes. It works fine. No scary warnings or anything. Such standard SSL certificates are fully trusted by Firefox, and are free of charge.
If, however, you mean the green Extended Validation indicator next to the address bar, this also works fine, but costs a bit of money. Not a big deal.
Either way, the browser will trust the cert without warnings.
Yes, it will be more transparent to the use
Cheaper service. (Score:2)
Find a cheaper service. We paid something like 500 euros for a 5 year SSL certificate.
Wildcard Cert (Score:2)
Go for a cheapie wildcard cert. That will cover all your intranet needs.
A private server? (Score:2)
For a private (e.g., not ecommerce, banking, etc.) web site, just create a certificate authority and use self-signed certificates, and send an email to the users covering the installation of private certs in MSIE, Firefox, Chrome and Safari. Don't waste your money on a Verisign cert because all it does is eliminate the warning for a price, whereas your users can eliminate it for free. Why add the tracking of additional "licensing" fees to your workload?
If it's public-facing then by all means buy the cert to
Re: (Score:2)
... just create a certificate authority and use self-signed certificates, and send an email to the users covering the installation of private certs in MSIE, Firefox, Chrome and Safari. Don't waste your money on a Verisign cert because all it does is eliminate the warning for a price, whereas your users can eliminate it for free.
Seriously? Let's assume an organization with only 100 employees. If just 10% of them require help setting this up, at say 15 minutes user time lost buggering around, plus 15 minutes support from the helpdesk, then you've lost 4.5 hours of total productivity. That covers the cost of a wildcard cert for your internal domains for a year. (Maybe not from Verisign, but certainly from someplace sane.)
Of course, in the real world, at least half of the users won't bother installing the cert, leaving them vulner
Seriously? Do your own job. (Score:5, Interesting)
Judging by plenty of the comments in threads similar to this, I think most of us are tired of seeing Ask Slashdot posts on how to do his or her job. Had this been really cutting edge, or new grounds, I could understand. However.. Enterprise PKI? Seriously? If this is to be the continuing trend of Ask Slashdot, I need to adjust my filters.. because that is just sad.
I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there. It worries me that this is not just the trend in IT, but across all occupations. Am I just getting old and crotchety, or is this a new trend?
Re:Seriously? Do your own job. (Score:4, Insightful)
That's the "I'm feeling lucky" google-fed generation.
If it's not on the first page in google results, go and ask in a forum.
Though, that's actually old-school, sort-of - people tend to ask in their twitter feed nowadays...
Re: (Score:2, Interesting)
It's a new trend I think, fed by the chorus from management that "IT is easy", so they find cheap talent who live by Googling answers. Nobody designs anything anymore.
Re: (Score:2)
You're chastising someone for using every method at their disposal to learn what they need to know, while telling them they need to go figure it out for themselves.
Your answer is akin to saying "I have enough time to answer you and yet I don't want to help you."
Do you advocate building your own car instead of taking public transit?
Besides! All those spoon-fed tools will need your $250/hr consultation expertise when things go wonky, right? More experts means less money in your poc
Re: (Score:2)
Next on Ask Slashdot: "In the enterprise, what is the easiest way to get spoon-fed solutions without driving away the old, crotchety guys who know the answers?"
Re: (Score:2)
"I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there."
You mean "research" like asking questions to a knowledgeable community?
"Am I just getting old and crotchety, or is this a new trend?"
There's nothing new about obtuseness for its own sake, especially in the IT world. If you won't contribute anything constructive or helpful, please save yourself the effort entirely.
Re: (Score:2)
It's not really googling answers that's the problem.
It's that people are working jobs that they have no passion for.
When you love what you do, you want to always learn more. I've worked IT for a small company and googled a lot. I winged a lot of the job using google.. but I didn't google for forums or quick answers. I would educate myself. I would teach myself using the wealth of resources available on the internet and find I'd be able to get anything done if I put my mind to it. For the few odds and e
EJBCA (Score:2)
http://ejbca.sf.net/ [sf.net]
In its easiest form (everything on one host), it should be easy enough to implement.
Troll Tuesday hits Ask Slashdot! (Score:4, Insightful)
Congratulations on getting your story accepted to the front page!
Dozens of man-hours will now be spent explaining basics of inhouse certificate authorities and self-signing, along with comments on your lack of basic research, intelligence, qualification for your position, and legitimate parentage.
Lose that constraint; it's holding you back (Score:2)
Here's where you went wrong. If you insist on keeping this constraint at any cost, then you have lost. Pay that cost (you don't get to have intranet sites) instead of getting what you want, and accept that you got the lesser of two "evils" (from a very perverted point of view).
The main problem with looking at it that way, is that you (or someone) already did what you claim you want to avoid. Those wor
non-domain URLs (Score:2)
The biggest problem is in off-the-shelf appliances (like wifi routers) for the whole spectrum (from personal to enterprise); they don't have domain names, so you can't have an internal CA root blessing them (at least, not out of the box), and a non-enterprise location can't easily do that.
One solution could be to bundle a CA root into the router. Initial setup would involve picking an internal TLD (with a randomly generated suggestion so we don't have everybody using "home" or "linksys"), then the CA roo
Try $40 (Score:2)
$400 is the price of name recognition. I use GoDaddy certs and they are 1/10 the cost. All you need for any purpose.
For some of my stuff I use the shared cert that my host provides. Still secure but throws that bloody warning. At least Firefox lets me permanently store the certificate exception.
Stupid pricing.. (Score:2)
First, $400 is a stupid price to pay for an SSL cert, many providers are much cheaper...
Some cert providers (e.g. StartCom) will provide unlimited certs under a particular domain, so assuming you use the same domain internally it's quite easy to generate more certs for the same price you paid for your external certs.
On the other hand, if it's internal to your network why don't you create an internal certificate authority and just ensure its root cert is trusted by all your devices.
I find this browser behavior annoying. (Score:2)
Surfing without encryption opens you up to eavesdropping and spoofing.
Surfing with encryption protects you from eavesdropping and spoofing.
Surfing with a self-signed encryption protects you from eavesdropping, but not spoofing, since you don't know who the signer is.
Yet, Firefox treats self-signed certificates as if they were worse than no encryption at all. The default behavior should be to treat self-signed certificates as if there was no encryption at all (from a user perspective). To give users these di
Set up your own CA (Score:2)
If it's an enterprise using domains, set up your own CA and create your own CA signing certificate. Push that certificate out into the root certificate bundle or database for your browsers etc., and use it to sign all your server certificates. Since browsers can validate your server certificates, they won't complain. Have the certificate available for importing into browsers that don't accept automatic pushes. That should solve the problem, at least internally.
Yes, I buy SSL, but not for $400/yr (Score:2)
Most of my company intranet is plain http. There are two parts that we encrypt with SSL. First is the optional login widget on the intranet front page. Employees can customize their front page if they choose to login, but it's not required. But since we use a single sign-in type of situation, where many services are authenticating against the same LDAP service, we feel like we should keep that password encrypted, even on pages not available to the outside world.
The second page that is https is a web for
Self-signed works, you just have to approve once, (Score:2)
Once per browser, that is.
My company's web-managed product just uses self-signed, with the option to add a third-party signed if the customer is willing to pay for and install it themselves.
Why does this always get marked troll? (Score:3, Insightful)
What we actually have here is a psychological issue - the cert vendors want you to believe that anyone who doesn't buy their certs is a potential criminal. The rule should simply be "no financial
Re: (Score:2)
But do you trust some random idiot who paid some money to Verisign?
Do Verisign promise to reimburse you if the person they sold a cert to turns out to be a crook?
Re: (Score:2)
But do you trust some random idiot who paid some money to Verisign?
No, but I trust them a lot more than an unsigned certificate that says 'I really am your bank, honest'.
Re: (Score:2)
I don't believe so BUT what they are selling is a certain lack of online anonymity. If the person they sold the cert to IS a crook then you now know where to find them.
Anyway... my favorite thing to talk about these days: Being that I work for a company in the business of selling security you get a pretty clear picture very fast that all security is a false sense of security. At that point you can either go hide yourself in a bunker somewhere in your tin-foil hat OR you can come to terms. Given my choice
Re: (Score:2)
I've seen similar comments get marked troll before.
Because it's retarded.
Re: (Score:2)
There absolutely needs to be some kind of warning for untrusted certs. I can see an argument that the current solution is overkill (I disagree), but treating it the same as an HTTP page gives users no easy way to check whether or not they should trust the connection.
Now, I'm of the opinion that browsers handle untrusted certs as well as they can with current technology. Time and time again, end users have shown that they'll click through simple warning dialogs and send their data to phishers. When a server
Re: (Score:2)
Time and time again, end users have shown that they'll click through simple warning dialogs and send their data to phishers. When a server establishes an HTTPS connection with a client, it's telling the browser that this should be a secure communication, and sensitive data is going to be transmitted. If the browser can't validate that the connection is trusted, the user needs to know something is wrong.
That browser behavior is what needs to change. When accessing a site with an untrusted cert, the browser should act like it would with a plain HTTP connection. No padlock, no blue/green address bar, no indication of enhanced security, but no warning - maybe it could show a status bar icon, a padlock with an exclamation mark or something, as a little unobtrusive indication that the certificate is untrusted, but it shouldn't interfere with the browsing experience by stopping the page from loading and displayi
Re: (Score:2)
I don't know why I'm getting modded troll, or offtopic of all things, so let me clarify:
Browsers should treat untrusted certs the same as unencrypted pages - they're at least as secure [as unencrypted pages], possibly more secure than "trusted" certs (such as me connecting to my home server with a self-signed cert, I can be certain no third parties, even governments, could illegally obtain the certificate and perform a MITM).
Re:Untrusted certs should not raise an alarm (Score:5, Insightful)
The only thing the "trusted authorities" confirm is that the person who has the cert paid for it.
Some trust.
The whole SSL certificate crap is a scam. The only interesting thing to know would be "is this site using the same certificate as the last time I connected to it". And the shitty browsers don't tell you that.
(The protocol should also have some reasonable way of doing rollover, like presenting a new certificate in the session "this is what we're going to be using starting...").
But they don't authenticate the remote site. They just check that the remote site has a certificate signed by one of those super trustworthy people like Verisign or the government of China.
Re: (Score:2)
The only interesting thing to know would be "is this site using the same certificate as the last time I connected to it". And the shitty browsers don't tell you that.
Perspectives [cmu.edu] does that, and then some.