
SSL Certificates For Intranet Sites?

kdawson posted more than 3 years ago | from the matter-of-trust dept.

Encryption 286

wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

286 comments

Private Certificate Authority (5, Informative)

LostOne (51301) | more than 3 years ago | (#34317954)

Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.

Re:Private Certificate Authority (5, Insightful)

Anonymous Coward | more than 3 years ago | (#34317978)

Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

Re:Private Certificate Authority (5, Funny)

Anonymous Coward | more than 3 years ago | (#34318012)

Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

Damn, over in two posts.

Re:Private Certificate Authority (0)

Anonymous Coward | more than 3 years ago | (#34318074)

Damn, over in two posts.

Don't get your hopes up. This article will be re-posted tomorrow. You must be new here!

Re:Private Certificate Authority (0, Informative)

Anonymous Coward | more than 3 years ago | (#34318096)

Sadly though this is the only way to secure at a low cost. A PKI is not a small feat either, but it is something that you should be using. Not only for web traffic either, a PKI is useful for a lot of things (VPN, RDP, EFS). Plus you can publish through AD DS and this becomes very simple to update and maintain.

Re:Private Certificate Authority (4, Insightful)

pla (258480) | more than 3 years ago | (#34318102)

Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

Before snarking on the FP author, perhaps you should actually read the FP's question?

Re:Private Certificate Authority (5, Insightful)

Yaa 101 (664725) | more than 3 years ago | (#34318256)

Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.

The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

I do not know any other way to do this automatically.

Re:Private Certificate Authority (1)

Yaa 101 (664725) | more than 3 years ago | (#34318324)

A variant would work if all browser users were technical enough to download and install a browser, that is, a central in-house downloadable copy with that root installed in the browser.

Re:Private Certificate Authority (2, Insightful)

apparently (756613) | more than 3 years ago | (#34318512)

A variant would work if all browser users were technical enough to download and install a browser, that is, a central in-house downloadable copy with that root installed in the browser.

That only works if you're also fine with local users having the privileges to install software on their workstations. So you're only trading one security issue for another.

Re:Private Certificate Authority (2, Informative)

Anonymous Coward | more than 3 years ago | (#34318524)

Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

As soon as a new pc joins the domain, the internal CA root cert is installed.

Re:Private Certificate Authority (1)

Bill, Shooter of Bul (629286) | more than 3 years ago | (#34318650)

Yeah, but then you have to use IE.

Re:Private Certificate Authority (0)

Anonymous Coward | more than 3 years ago | (#34319030)

So use whatever software distribution system you use to push your CA cert to everyone's browser. This isn't a new or particularly challenging problem, but it does assume you have some infrastructure in place for managing desktops. If you don't, then users seeing big scary security warnings are the least of your problems.

Re:Private Certificate Authority (5, Informative)

Anonymous Coward | more than 3 years ago | (#34319026)

Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.

Re:Private Certificate Authority (1)

xonicx (1009245) | more than 3 years ago | (#34318590)

A certificate is not a single public key but a 'chain of trust'. If you get one certificate from a known CA, you should be able to sign more self-generated certificates with that.

Re:Private Certificate Authority (1)

Yaa 101 (664725) | more than 3 years ago | (#34318912)

You are right, but it is only cost-neutral for a certain size of company; large ones are better off doing in-house CA practices, and the price of a CA is often too steep for small companies.

Are you seriously that dense? (3, Insightful)

apparently (756613) | more than 3 years ago | (#34318338)

FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks." Before snarking on the FP author, perhaps you should actually read the FP's question?

So a login script (or in a Microsoft environment, an AD group policy) that distributes the certificate automatically to each computer meets your definition of "manual distribution?"
Really? That's what you're saying? "Automatic" and "manual" are synonyms in your universe? Wow.

Great point, but... apk (0)

Anonymous Coward | more than 3 years ago | (#34319376)

"So a login script (or in a Microsoft environment, an AD group policy) that distributes the certificate automatically to each computer meets your definition of "manual distribution?" Really? That's what you're saying? "Automatic" and "manual" are synonyms in your universe? wow." - by apparently (756613) on Tuesday November 23, @10:57AM (#34318338)

Per my subject-line, to you? "CORRECTAMUNDO", I agree - those are the EASIEST/SIMPLEST ways to make sure updates/modifications to workstations/servers (nodes on a LAN/WAN) get the changes "automagically"...

LOL! I also took a look @ your post history, and you made me laugh (but, sometimes, not in a good way) - you've got to chill with the "ribbing" & name-tossing etc./et al - you don't NEED to be doing it (well, unless you're attacked that way first I figure).

You've also got to realize that a good # of folks here are NOT experienced network engineers, & many are QUITE "*NIX-centric" also, & don't realize all the "tricks"...

(Yes, I know: /. has a "rep" for having some of the "best & brightest" hanging around on it etc., but, personally? Well of the attendees here, I only give that distinction to a RARE few here (like John Carmack for example, he does post here on occasion) & yes, they've driven me to "ribbing" here before too, but, I try to only do so when someone does that to me, first. LOL, justifying it? Sure!).

APK

P.S.=> All in all, good post on your end though - & remember: You don't have to toss names or "rib" on those who make posts that may come off as "dumb" to you... it only makes you look bad (unless THEY did so to YOU, first - the exception in my book @ least), because the person you posted to may just not be aware of certain things is all! Other than that? Great post/great point... someone mod apparently up... apk

Re:Private Certificate Authority (1)

leptechie (1937384) | more than 3 years ago | (#34318474)

He's suggesting distributing the CA certificates, not the ones shipping with the appliances. And done right, only one (or if you're conscious, two) CA certs need to go into the distribution/build. Very low overhead.
I would even hazard that CRL distribution is not needed if the certs are issued once and all traces (request, key etc) destroyed right away, since then only the Root CA is exposed, and the issued certs are as likely to be compromised as the self-generated ones the appliances have. I know some appliances that won't even let you import private keys, only exporting requests, so even more secure.
It gets me down how complex PKI is perceived to be, but then I'm mystified by my car's cruise control...

Re:Private Certificate Authority (1)

chill (34294) | more than 3 years ago | (#34318490)

I interpreted "manually distributing your certificates and CRL" as "walking it around".

He could e-mail the cert to everyone with instructions to have them install it.

He could also push a customized version of IE or Firefox with the cert and CRL already in the store.

Re:Private Certificate Authority (2, Informative)

ImprovOmega (744717) | more than 3 years ago | (#34318504)

that don't involve manually distributing your certificates and CRL to every workstation in the company

So automate the distribution. Logon script, group policy, OS update patch, software distribution push out, whatever. You do it once and it's done. Then put it on your standard image and never worry about it again.

Re:Private Certificate Authority (2, Informative)

Provos (20410) | more than 3 years ago | (#34318530)

Why do you assume it has to be manually distributed? CRL and Certificates could be distributed through any enterprise desktop management system, such as SCCM or remediation managers such as Hercules.

Re:Private Certificate Authority (0)

Anonymous Coward | more than 3 years ago | (#34318552)

You give them too much credence. What the author is asking for, by saying that they want something that implements an internal SSL infrastructure without having to do anything "manually", is something that does it without any work on their part whatsoever.

When you tell people like that they will need to distribute one file to all of their workstations (the certificate to the browser) and make some changes to the system (accepting the certificate as valid) they freak out because they don't understand the requirements of their job title. Does "manually" include writing the script to implement it? Ooops, that too means you must know how to run one of those computer thing-a-ma-jigs.

Sorry, but I don't know of anything called work that doesn't require something to be done "manually". I won't be posting for awhile because I'm going to go write an appliance that hacks all other appliances and workstations in order to emplace a full certificate structure. I plan to sell it to idiots who ask these types of questions by telling them that it makes things more secure "automatically" rather than "manually".

Re:Private Certificate Authority (5, Informative)

Xonstantine (947614) | more than 3 years ago | (#34318594)

If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...

Re:Private Certificate Authority (3, Informative)

BagOBones (574735) | more than 3 years ago | (#34318950)

You don't even need group policy... once you install a Windows CA in Enterprise mode it's automatic; the chain will be distributed and trusted via Active Directory.

Re:Private Certificate Authority (2, Informative)

KevMar (471257) | more than 3 years ago | (#34318610)

If you make your Microsoft certificate authority the domain authority, I think that it will automatically distribute the root cert to every domain-joined computer at the next computer policy refresh.

Not only that, but there is a section of group policy just for certificates. It is very easy to work with (if you are using a Microsoft authority).

The cost is that of another server (or a few servers for a large organisation).

Re:Private Certificate Authority (1)

mysidia (191772) | more than 3 years ago | (#34318718)

Yes. Roll it out as part of a web browser software update for Firefox, kind of messy, involves manual work.

For Internet Explorer users, one group policy will update the Workstation's Trusted CA certificates store to include your custom certificate. And IE will use that to validate trust of the cert.

Re:Private Certificate Authority (0)

Anonymous Coward | more than 3 years ago | (#34318904)

Oh noes! The asker might *gasp* actually have to do the work implied by their job!!! We can't have that!! I'm sorry, but his question is nothing but asking to have his hand held through an extremely trivial task that anyone with an ounce of competency would have already worked out.

Re:Private Certificate Authority (1)

rickb928 (945187) | more than 3 years ago | (#34319104)

We don't manually distribute certificates or CRLs here. Software distribution for all other purposes also serves that one.

Being snarky and encouraging the poster to indulge in a more fully-featured systems management environment is appropriate here. If you want to leave the porch, you'll have to run like a big dog... Otherwise, stay home.

Re:Private Certificate Authority (-1, Troll)

design1066 (1081505) | more than 3 years ago | (#34318182)

You, sir, are an Ahole

Re:Private Certificate Authority (2, Insightful)

corbettw (214229) | more than 3 years ago | (#34318240)

Doesn't mean he's wrong. Seriously, this is SSL 101, and anyone tasked with setting up SSL-protected websites should've intuitively known the answer before the question was even asked.

Re:Private Certificate Authority (0)

Anonymous Coward | more than 3 years ago | (#34318394)

Yes, I am. The asker is still an incompetent idiot. If I was his employer and saw him asking such basic questions about network management that anyone with a sliver of a brain could work out, we'd be sitting down for a serious talk about his length of stay with the company.

Re:Private Certificate Authority (0)

Anonymous Coward | more than 3 years ago | (#34318024)

This.

I run 20 FreeBSD servers on my company's LAN, and I manually create and self sign SSL certs for all my Apache web and Tomcat java servers. No reason not to, as TFS mentions, leave it up to the stupid end users...

Re:Private Certificate Authority (2, Insightful)

amorsen (7485) | more than 3 years ago | (#34318052)

The available certificate servers which are Free Software tend to be rather user-unfriendly. Maintaining certificate revocation lists and handling certificates for different purposes (mail, web, code, client authentication, vpn...) are needlessly time-consuming chores. Obviously any competent system administrator can script their way out of it, but in this case it is a rather large effort.

I would be very happy to hear about an easier solution.

Re:Private Certificate Authority (1)

craftycoder (1851452) | more than 3 years ago | (#34318082)

The OP doesn't want to touch every desktop. I suspect that Active Directory would help with this though. Login scripts or perhaps even registering a CA within the domain that extends to all PCs in the domain.

Re:Private Certificate Authority (1)

Baba Ram Dass (1033456) | more than 3 years ago | (#34318234)

It's what my company does, and it works great. Except for those of us who use Firefox. (Though that wouldn't be a problem if the security dept. supported non-IE browsers.)

Re:Private Certificate Authority (1)

rjstanford (69735) | more than 3 years ago | (#34318246)

Why go to the trouble? Buy a single wildcard cert from RapidSSL (they're not expensive), and install it everywhere. Just sayin'.

Re:Private Certificate Authority (2, Informative)

FreelanceWizard (889712) | more than 3 years ago | (#34318318)

Indeed. An "enterprise PKI," as Microsoft likes to call it, handily solves this issue. Just add the root CA and intermediate CA certificates to the computers via Group Policy -- just as you would if you needed to trust a novel CA (such as, for instance, the DoD CAs). As an added bonus, if you activate auto-enrollment on Windows, your users get access to encrypted and signed e-mail, and you can trivially kick PPTP VPNs to the curb and use IKEv2 or L2TP instead. With a little more work, you can even get IPSec working. From a browser perspective, most if not all Windows browsers rely on the platform's cryptography infrastructure, so there's no need to install the certificates in each browser.

Unfortunately, while the Microsoft CA is relatively easy to use, using it for anything non-trivial requires the Enterprise or Datacenter edition of Windows Server. This is because you can't modify the certificate templates on lesser editions, and you need those to set up specialized certificates for, say, Configuration Manager.

If you're manually distributing certificates in any Windows infrastructure, you're doing it wrong.

Re:Private Certificate Authority (0)

Anonymous Coward | more than 3 years ago | (#34318360)

This is what we do. Certainly your solution (and the one we use at work) can also remove the manual distribution by simply checking the correct boxes in Group Policy in Active Directory and the certificates and all are distributed to any domain joined machine. For those non-domain joined machines it is, unfortunately, a manual process to get the certificates into the trusted store on the machines.

Re:Private Certificate Authority (1)

SIGBUS (8236) | more than 3 years ago | (#34318406)

Not only that, but if you don't feel like using the OpenSSL command line, you could always use a GUI front-end like TinyCA [sm-zone.net] to make life easier. On Ubuntu, it's available prepackaged.

Re:Private Certificate Authority (1)

mysidia (191772) | more than 3 years ago | (#34318688)

Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.

If using Microsoft Internet Explorer, one group policy entry will distribute the CA certificate to all domain computers.

It's one of the things Firefox users have a hard time with, since there's no central management, they have to put up with SSL warnings on the intranet sites. Which is one of the unfortunate reasons Internet Explorer use is required in some organizations.

Enterprise CA is a standard part of modern enterprises that have intranets

Re:Private Certificate Authority (1)

lazyforker (957705) | more than 3 years ago | (#34318888)

This is exactly what I was going to say. If you're using Windows workstations in an Active Directory domain this is a fairly straightforward piece of work. Create your own CA. Add the CA's cert to the Trusted Root store on workstations using GPOs. Done. We actually have this configuration - it automates a lot of cert management processes. I can't imagine that it's much harder in a Linux/Unix/Mac OS X environment.

Wildcard cert (1, Informative)

Anonymous Coward | more than 3 years ago | (#34317984)

*.internal.example.com

WHAT THE FUCK ARE YOU THAT LAME ?? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#34318004)

If ya can not protect your inside from your inside you are, how you say, fucked already !!

Inexpensive 3rd Party Solution (4, Informative)

schi0244 (1198521) | more than 3 years ago | (#34318018)

https://www.startssl.com/
An Israeli company with inexpensive SSL (and other certs). I would also point out the prices they have for Extended Validation SSL certs.

Re:Inexpensive 3rd Party Solution (1)

bunratty (545641) | more than 3 years ago | (#34318482)

Whoa! Now if only there were a way to set up my website so all traffic would be encrypted so FireSheep attacks wouldn't work, that would be even better! Does anyone know how I could do that?

Re:Inexpensive 3rd Party Solution (1)

berwiki (989827) | more than 3 years ago | (#34319116)

A proxy outside your network would work.
It's not like Firesheep is a new concept or anything, just a tool that makes it even easier to snoop than before.

Re:Inexpensive 3rd Party Solution (1)

bunratty (545641) | more than 3 years ago | (#34319228)

Whoosh! Why not use an SSL certificate from StartSSL?

Re:Inexpensive 3rd Party Solution (1)

berwiki (989827) | more than 3 years ago | (#34319354)

I guess I should start assuming all stupid posts are meant to be sarcastic?

To the overuse of whoosh!

Re:Inexpensive 3rd Party Solution (1)

yakatz (1176317) | more than 3 years ago | (#34318506)

I use StartSSL for tens of certificates on all manner of internet and intranet sites.
I had to install their root certificate on Windows 2000, but any computer that gets regular Windows updates should have had it since last year.

They don't charge for certificates, they charge for work a person has to do: verifications.
Meaning, if they have to call you, it will cost, but you can get regular certificates for free.

Why are you clicking through that box every time? (3, Insightful)

jandrese (485) | more than 3 years ago | (#34318020)

Every browser has a way to store the security exceptions so that you don't get that warning every time. Just set the box up on a private network the first time to avoid a MitM attack and store the cert. If you ever get another warning about an untrusted cert from the box, then you might have a MitM attack going on, but otherwise if the cert matches you're fine.

You could also set up your own local root authority (most larger companies do this) and make your own certs.

Re:Why are you clicking through that box every tim (1)

KevMar (471257) | more than 3 years ago | (#34318714)

Check the name on the cert. If it is self-signed, then you just have to deal with it. But if it is root-signed, look at the site name. If you can find a way to use that site address to access the device then you will not get prompted.

My home router has a valid cert, but I would use the IP address and get prompted every time. I ended up making an entry in my hosts file for "linksys" at that address. Now when I go to https://linksys/ everything is ok.

At the end of the day, remember the whole reason these devices use SSL is not so you can verify the connection. They use it to encrypt the connection. It is so much better to use SSL instead of plain text, even though the cert is not root signed.
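The private CA that LostOne and others recommend, the `*.internal.example.com` wildcard suggested further down, and the name-must-match rule behind KevMar's hosts-file trick, worked through with the openssl CLI as an added example (not code from anyone in this thread). Assumes the openssl command line (1.0.2 or newer) is installed; the organisation and host names are made up.

```shell
#!/bin/sh
# Added example: a minimal private CA with the openssl CLI. Assumes openssl >= 1.0.2.
# All names (Example Corp, *.internal.example.com, switch01) are constructed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal request config so the run does not depend on the system openssl.cnf.
# v3_ca marks the root as a CA; v3_leaf is what an appliance certificate gets.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# One wildcard SAN covers every appliance directly under this sub-domain (one label).
subjectAltName   = DNS:*.internal.example.com
EOF

# 1. Root CA. ca.key never leaves the CA host; ca.crt is the ONE file pushed to
#    clients (GPO, login script, base image). Ten-year lifetime here.
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config pki.cnf -subj "/O=Example Corp/CN=Example Corp Internal Root CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
}

# 2. Appliance certificate: key + CSR as the appliance would produce them, then
#    signed by the root with OUR v3_leaf extensions (the CSR's own are not trusted).
issue_wildcard_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config pki.cnf -subj "/O=Example Corp/CN=*.internal.example.com" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 825 -sha256 -extfile pki.cnf -extensions v3_leaf \
        -out server.crt 2>/dev/null
}

# 3. What a client that trusts ca.crt does: build the chain AND match the name
#    it was asked for. Returns 0 when no browser warning would appear for HOST.
verify_host() {
    openssl verify -CAfile ca.crt -verify_hostname "$1" server.crt >/dev/null 2>&1
}

# Same certificate on a client WITHOUT the root installed: no chain, so the
# "Continue to this website (not recommended)" case. Returns non-zero.
verify_without_root() {
    openssl verify server.crt >/dev/null 2>&1
}

make_root_ca
issue_wildcard_cert

# Wildcard matches exactly one label; the bare sub-domain, a deeper name and a
# raw IP (the usual way people reach appliances) all still warn.
for host in switch01.internal.example.com internal.example.com \
            rack1.switch01.internal.example.com 10.0.0.1; do
    if verify_host "$host"; then echo "$host: trusted"; else echo "$host: WARNING"; fi
done
if verify_without_root; then echo "no root: trusted"; else echo "no root: WARNING"; fi
```

Revocation is not covered: a CRL for this CA would be published with `openssl ca -gencrl` from a CA database, which this minimal setup deliberately does not create.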

Re:Why are you clicking through that box every tim (2)

jdew (644405) | more than 3 years ago | (#34318730)

HP lights-out boards don't retain the self-generated cert between power failures. So when power returns you get a different cert, and the exception now needs to be removed and re-added.

Is free cheap enough? (5, Informative)

multipartmixed (163409) | more than 3 years ago | (#34318028)

Re:Is free cheap enough? (1)

bradgoodman (964302) | more than 3 years ago | (#34318936)

I do not see "startssl" listed in the list of built-in root certificates under Firefox.

Does this mean that if third-party users access my web site, they will be "stopped" with the typical warning that the site is secured with an unknown certificate, and made to go through the usual steps to add it, etc?

Or will it just "work"? Will they get the nice colored emblem on the address bar saying "Verified by: startssl", etc?

In other words, will it be any better, or more transparent to the user, than the key I generated myself? Will it be automatically accepted by (let's say) an iPhone?

Re:Is free cheap enough? (0)

Anonymous Coward | more than 3 years ago | (#34319334)

The CA name for startssl is StartCom Ltd and its CA cert is installed in Firefox.

The "nice" coloured emblem is shown if you have an extended validation (EV) SSL certificate; these cost money. The basic startssl certificate appears free of charge.

So, no, your users won't get a fancy green EV bar, but they won't get the dire FF and Chrome SSL warning about a non-trusted CA.

Untrusted certs should not raise an alarm (0, Offtopic)

GameboyRMH (1153867) | more than 3 years ago | (#34318040)

Browsers should treat untrusted certs the same as unencrypted pages - they're at least as secure, possibly more secure than "trusted" certs.

Why does this always get marked troll? (2, Insightful)

Kupfernigk (1190345) | more than 3 years ago | (#34318354)

I've seen similar comments get marked troll before. Yet for many websites, the direction of trust is from them to you. If you want to log in to my website, which provides information, I store no personal information other than a user name and password. I have to trust you before giving you the information you want.

What we actually have here is a psychological issue - the cert vendors want you to believe that anyone who doesn't buy their certs is a potential criminal. The rule should simply be "no financial transactions or personal data on a site without an entrusted cert".

Other than common sense, there is nothing to stop me posting my credit card details on Slashdot. If I log into a public forum using HTTPS, I still have no protection against my own stupidity if I do that. Now, without simply modding this troll, can anybody give a coherent explanation as to why browsers shouldn't assess self-signed certs according to their origin - within the intranet, valid server name - rather than treating selfcert.ru the same as selfcert.10.0.0.1?

Re:Why does this always get marked troll? (1)

Eunuchswear (210685) | more than 3 years ago | (#34318988)

The rule should simply be "no financial transactions or personal data on a site without an entrusted cert".

But do you trust some random idiot who paid some money to Verisign?

Do Verisign promise to reimburse you if the person they sold a cert to turns out to be a crook?

Re:Untrusted certs should not raise an alarm (0)

Anonymous Coward | more than 3 years ago | (#34318368)

They're not any more secure than trusted certificates because they're still prone to a man-in-the-middle due to lack of authentication. So you'll send information encrypted to the man-in-the-middle who will do whatever they want with it.

Further, showing the padlock or any additional security information may instill a false sense of security in the user. "Oh, it's encrypted and safe!" as they send their login and password to paypal.com when someone has MitM'd the connection to PayPal.

Re:Untrusted certs should not raise an alarm (0)

Anonymous Coward | more than 3 years ago | (#34318422)

Sorry, try again. SSL is intended not just to secure the exchange of application-level bits, but also to validate that the destination site you entered is the one you reached. This is done by having the server present a certificate, which the client can then verify was signed by one of many trusted authorities.

Let's assume that browsers don't raise an alarm for untrusted certificates, as you propose. Let's further assume I can spoof ARP replies from your gateway, hijack your outbound connections to port 443, hijack your route to 1.2.3.0/24, or subvert your resolver functions for yourbank.com in any number of ways. Now, you go to https://yourbank.com/ and present your credentials. Guess what? I have them, and there's no warnings.

That is why SSL authenticates the remote site. Encrypting the transport prevents eavesdropping, while authenticating the remote site prevents man-in-the-middle attacks. You need both to have any degree of security.

Be thankful browser vendors have knowledgeable people to handle cryptography.

Re:Untrusted certs should not raise an alarm (4, Insightful)

Eunuchswear (210685) | more than 3 years ago | (#34319082)

This is done by having the server present a certificate, which the client can then verify was signed by one of many trusted authorities.

The only thing the "trusted authorities" confirm is that the person who has the cert paid for it.

Some trust.

The whole SSL certificate crap is a scam. The only interesting thing to know would be "is this site using the same certificate as the last time I connected to it". And the shitty browsers don't tell you that.

(The protocol should also have some reasonable way of doing rollover, like presenting a new certificate in the session "this is what we're going to be using starting...").

That is why SSL authenticates the remote site. Encrypting the transport prevents eavesdropping, while authenticating the remote site prevents man-in-the-middle attacks. You need both to have any degree of security.

But they don't authenticate the remote site. They just check that the remote site has a certificate signed by one of those super trustworthy people like Verisign or the government of China.

Re:Untrusted certs should not raise an alarm (0)

Anonymous Coward | more than 3 years ago | (#34318516)

When I go to an https page I want full security, I don't want to find out I'm browsing with a "half-padlock" icon without a warning. If you want half-security, it makes more sense to upgrade an http connection than to downgrade https, or maybe invent a 3rd prefix.

Re:Untrusted certs should not raise an alarm (1)

AusIV (950840) | more than 3 years ago | (#34318990)

There absolutely needs to be some kind of warning for untrusted certs. I can see an argument that the current solution is overkill (I disagree), but treating it the same as an HTTP page gives users no easy way to check whether or not they should trust the connection.

Now, I'm of the opinion that browsers handle untrusted certs as well as they can with current technology. Time and time again, end users have shown that they'll click through simple warning dialogs and send their data to phishers. When a server establishes an HTTPS connection with a client, it's telling the browser that this should be a secure communication, and sensitive data is going to be transmitted. If the browser can't validate that the connection is trusted, the user needs to know something is wrong.

Internal CA (1, Informative)

Anonymous Coward | more than 3 years ago | (#34318044)

If the machines are windows based and reside on a domain then Group Policies can push out these certs rather nicely.

Even non-windows machines - you can script the certificate update via logon script. I do this in my own domain I have set up for issue reproduction purposes.

It is rather simple.

Set up your own CA. (1)

SuperBanana (662181) | more than 3 years ago | (#34318066)

http://lmgtfy.com/?q=how+to+set+up+a+certificate+authority [lmgtfy.com] Then distribute the *organization's* cert to all the servers and clients. If you have a few clients or don't get many that fast, just do it by hand. If you have hundreds of computers or lots of turnover, you should be running central config management anyway. MIT for example distributes an MIT cert. Presto, everything on campus is protected. It's partially a question of tradeoffs: sign a cert by a CA already trusted for $$, or make your own CA and spend labor (your or users) dealing with adding the certs by hand. It's also a question of security of the CA. Perhaps some Slashdotters could share links to best practices for an internal CA.

No valid certificates, but a CA. (1)

jawtheshark (198669) | more than 3 years ago | (#34318072)

At home, I simply am my own CA, which really isn't all that hard. You just need to deploy the CA public certificate to the clients and you'll never get the warning. Now, depending on the "appliances" you might be able to replace the certificate with one you signed with your own CA, but I've never tried it.

New root certificate (0)

Anonymous Coward | more than 3 years ago | (#34318092)

Create a new root for your company, and then install it on all of your workstations by default. Then you can create as many valid SSL certificates as you want.

Working at a library.. (0)

Anonymous Coward | more than 3 years ago | (#34318166)

I would download the spreadsheet of my schedule every couple weeks or so. They didn't have their certificate up to date (I can't remember if it was self signed or just out of date, actually). For some strange reason, it appeared that the campus network I used in my dorm wouldn't allow me to download things from an https site that had a bad cert, though I could still browse around and such.

The cert issue never got fixed. I sent an email to IT, they said "Well, we ordered the cert, we just haven't gotten it yet.." My supervisor even brought it up during a meeting.. nothing happened.

Not quite so surprisingly, several months after I no longer worked there, my email account was still active. I waited around for a while to see if they'd get rid of it, and ended up sending a "thought you should know.. I gotz email" email to my supervisor, and they got rid of my account a week or so after.

Good solution. (1)

jaygatsby27 (894445) | more than 3 years ago | (#34318168)

That's the best solution. It's not that complicated, either. GoDaddy has cheaper certs as well, if that's not an option.

$400/year? (0)

Anonymous Coward | more than 3 years ago | (#34318196)

While I am sure some vendors will take $400/year, there are many which charge far less (and have their root in all the usual browsers). Paying more does not get you more. And if you have a lot of internal appliances, a wildcard cert for the appliances/organization may be the most cost effective (a cert for *.appliance.example.com which can be applied to all the devices)

Wildcard certificates. (0)

Anonymous Coward | more than 3 years ago | (#34318216)

If you want to avoid managing your own CA an alternative is to spend a few more bucks on your "real world" certificate and get a "wildcard certificate" valid for all hosts on your domain and use that internally (including proper dns if you don't already have that on your internal network). //fatal

Wait, this is an issue? (1)

dagard (14743) | more than 3 years ago | (#34318370)

We just use the same wildcard certificate that we use for our external sites. *.domain.com, works wonders.

Cheaper service. (1)

daid303 (843777) | more than 3 years ago | (#34318414)

Find a cheaper service. We paid something like 500 euros for a 5 year SSL certificate.

D'oh! Stupid Useless PKI (0)

Anonymous Coward | more than 3 years ago | (#34318446)

PKI is useless for any purpose other than protecting transmitted data from the eyes of technologically ignorant and unmotivated bystanders. It all rests on the trust of a third party, and there's no way to know if the third party is competent (usually not), or if the "trusted" host on the other end is a ruse. The host from which the user is initiating the connection is likely to be even *less* trustworthy, as is the user him/herself, since this person ultimately approves the trust of a certificate on the basis of zero knowledge of what is being approved or the consequences.

OpenSSL and Automated Deployment (0)

Anonymous Coward | more than 3 years ago | (#34318450)

> do you have valid SSL certificates on your intranet sites

Yes.

> if so what do you use?

OpenSSL

> don't involve manually distributing your certificates
> and CRL to every workstation in the company?

WDS, PXE, ZCM, etc. Your automated workstation deployment process should have been worked out before you began the intranet SSL certificate project. Go back and finish that part first. Everything after will be so much simpler.
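The steps sketched in the "Set up your own CA", "New root certificate" and "OpenSSL and Automated Deployment" comments above, plus the wildcard name-matching that several wildcard-cert comments rely on, carried out end to end. This is an added example, not code posted by any commenter; it assumes an `openssl` binary (1.1.1 or newer) on PATH, and "Example Corp", `switch01.corp.example.com` and `*.corp.example.com` are placeholder names. The root's private key never leaves the CA host; only `ca.crt` is what gets pushed to workstations by group policy, config management or the system image.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal private CA with the openssl CLI.
# Assumes openssl >= 1.1.1 on PATH; organisation and host names are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# One config serves the self-signed root and the CSRs (-subj overrides [dn] below).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
O  = Example Corp
CN = Example Corp Internal CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1: the root. ca.key stays on the CA host; ca.crt is the one file that is
# distributed to every client (that is the "install the org's cert" step).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: a leaf cert for one appliance, or a wildcard for a whole subdomain.
# Browsers match the subjectAltName, not the CN, so the DNS name goes into SAN.
issue_server_cert() {  # issue_server_cert BASENAME DNSNAME
  base="$WORK/$1"; name="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/O=Example Corp/CN=$name" -keyout "$base.key" -out "$base.csr" 2>/dev/null
  cat > "$base.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$name
authorityKeyIdentifier = keyid, issuer
EOF
  openssl x509 -req -in "$base.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$base.ext" -out "$base.crt" 2>/dev/null
}

# Step 3: what a client does. Exit 0 only if the chain ends in a trusted root AND
# the expected name matches; with no CA bundle this is the browser's warning page.
verify_cert() {  # verify_cert BASENAME EXPECTED_HOSTNAME [CA_BUNDLE]
  if [ -n "${3:-}" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$3" \
      -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath \
      -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

make_ca
issue_server_cert switch01 switch01.corp.example.com
issue_server_cert wildcard '*.corp.example.com'

# Print the outcomes when run directly.
report() {
  if verify_cert "$1" "$2" ${3:-}; then echo "trusted:  $1 as $2"
  else echo "REJECTED: $1 as $2"; fi
}
report switch01 switch01.corp.example.com                  # root not installed
report switch01 switch01.corp.example.com "$WORK/ca.crt"   # root installed
report wildcard switch01.corp.example.com "$WORK/ca.crt"   # wildcard covers one label
report wildcard corp.example.com "$WORK/ca.crt"            # but not the bare domain
report wildcard a.b.corp.example.com "$WORK/ca.crt"        # nor two labels deep
```

The last three lines are the part to keep in mind before buying a wildcard: `*.corp.example.com` covers exactly one label, so appliances named `switch01.corp.example.com` are fine, while `corp.example.com` itself or anything nested one level deeper needs its own certificate or its own wildcard.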

Wildcard Cert (1)

Kagato (116051) | more than 3 years ago | (#34318510)

Go for a cheapie wildcard cert. That will cover all your intranet needs.

Re:Wildcard Cert (0)

Anonymous Coward | more than 3 years ago | (#34319160)

Go for a cheapie wildcard cert. That will cover all your intranet needs.

+1

Fortune 500

A private server? (1)

kimvette (919543) | more than 3 years ago | (#34318540)

For a private (e.g., not ecommerce, banking, etc.) web site, just create a certificate authority and use self-signed certificates, and send an email to the users covering the installation of private certs in MSIE, Firefox, Chrome and Safari. Don't waste your money on a Verisign cert because all it does is eliminate the warning for a price, whereas your users can eliminate it for free. Why add the tracking of additional "licensing" fees to your workload?

If it's public-facing then by all means buy the cert to ease support costs, but for employee use this is a deployment and documentation issue.

Wildcard Certificate Anyone? (0)

Anonymous Coward | more than 3 years ago | (#34318678)

We actually use an internal CA, and push our trusted certificates out via Active Directory group policies, but for the web interfaces we wanted to use an "official" certificate so that it would work for things like mobile phones, etc, without warnings, so we purchased a wildcard SSL certificate and use that same certificate for almost all of our "internal" SSL sites. We purchased a 10yr certificate from GoDaddy for right at $1000, so we figured 100/yr was pretty "price conscious". When we first purchased (about 3 years ago) the GoDaddy certificate had a few issues with some older browsers (wasn't trusted) but is a non-issue with all current browsers. You can always buy a wildcard from one of the more established issuers, but they're a lot more expensive (I think even GoDaddy is more expensive now, something like $800 for a 5 yr wildcard, but still pretty good).

Seriously? Do your own job. (5, Interesting)

spydum (828400) | more than 3 years ago | (#34318684)

Judging by plenty of the comments in threads similar to this, I think most of us are tired of seeing Ask Slashdot posts on how to do his or her job. Had this been really cutting edge, or new grounds, I could understand. However.. Enterprise PKI? Seriously? If this is to be the continuing trend of Ask Slashdot, I need to adjust my filters.. because that is just sad.

I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there. It worries me that this is not just the trend in IT, but across all occupations. Am I just getting old and crotchety, or is this a new trend?

Re:Seriously? Do your own job. (3, Insightful)

rainer_d (115765) | more than 3 years ago | (#34319122)

That's the "I'm feeling lucky" google-fed generation.
If it's not on the first page in google results, go and ask in a forum.
Though, that's actually old-school, sort-of - people tend to ask in their twitter feed nowadays...

Re:Seriously? Do your own job. (2, Interesting)

Gothmolly (148874) | more than 3 years ago | (#34319156)

It's a new trend I think, fed by the chorus from management that "IT is easy" - so they find cheap talent who live by Googling answers. Nobody designs anything anymore.

Re:Seriously? Do your own job. (1)

Aggrav8d (683620) | more than 3 years ago | (#34319358)

Worse than crotchety.
You're chastising someone for using every method at their disposal to learn what they need to know, while telling them they need to go figure it out for themselves.
Your answer is akin to saying "I have enough time to answer you and yet I don't want to help you."
Do you advocate building your own car instead of taking public transit?

Besides! All those spoon-fed tools will need your $250/hr consultation expertise when things go wonky, right? More experts means less money in your pocket. You're poopooing a great opportunity, here.

$126/year wild card or 10$/yr individual certs (1)

almondo (145555) | more than 3 years ago | (#34318894)

I do deploy them but I do avoid getting robbed by Verisign for these and other certs by shopping around.

Currently I pay around $10 a year for individual host certs, and $126 a year for wildcards.
http://www.namecheap.com/learn/other-services/ssl-certificates.asp [namecheap.com]

If you have a large number of street facing certs the wildcard is the most cost effective solution anyway but for lower volumes I use individual certs as well.

It has some cost but the reduction in uninformed user headaches is well worth it.

Troll Tuesday hits Ask Slashdot! (3, Insightful)

peacefinder (469349) | more than 3 years ago | (#34319356)

Congratulations on getting your story accepted to the front page!

Dozens of man-hours will now be spent explaining basics of inhouse certificate authorities and self-signing, along with comments on your lack of basic research, intelligence, qualification for your position, and legitimate parentage.

Lose that constraint; it's holding you back (1)

Sloppy (14984) | more than 3 years ago | (#34319426)

..that don't involve manually distributing your certificates and CRL to every workstation in the company?

Here's where you went wrong. If you insist on keeping this constraint at any cost, then you have lost. Pay that cost (you don't get to have intranet sites) instead of getting what you want, and accept that you got the lesser of two "evils" (from a very perverted point of view).

The main problem with looking at it that way, is that you (or someone) already did what you claim you want to avoid. Those workstations don't just magically trust Verisign utterly and completely as an introducer while not trusting you a bit. They trust Verisign and not you, because web browsers got installed on them, with preferences configured to do that (and Verisign's business model is to count on people being lazy and keeping those settings). Go ahead and set up your company CA, then bite the bullet and tell all your workstations to believe it (instead of seeking to avoid this step) and get it over with.
