Slashdot Mirror


SSL Certificates For Intranet Sites?

wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

4 of 286 comments

  1. Re:Private Certificate Authority by Anonymous Coward · · Score: 5, Insightful

    Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

  2. Re:Private Certificate Authority by pla · · Score: 4, Insightful

    Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

    FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

    Before snarking on the FP author, perhaps you should actually read the FP's question?

  3. Re:Private Certificate Authority by Yaa+101 · · Score: 5, Insightful

    Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.

    The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

    I do not know any other way to do this automatically.

  4. Re:Untrusted certs should not raise an alarm by Eunuchswear · · Score: 4, Insightful

    This is done by having the server present a certificate, which the client can then verify was signed by one of many trusted authorities.

    The only thing the "trusted authorities" confirm is that the person who has the cert paid for it.

    Some trust.

    The whole SSL certificate crap is a scam. The only interesting thing to know would be "is this site using the same certificate as the last time I connected to it". And the shitty browsers don't tell you that.

    (The protocol should also have some reasonable way of doing rollover, like presenting a new certificate in the session "this is what we're going to be using starting...").

    That is why SSL authenticates the remote site. Encrypting the transport prevents eavesdropping, while authenticating the remote site prevents man-in-the-middle attacks. You need both to have any degree of security.

    But they don't authenticate the remote site. They just check that the remote site has a certificate signed by one of those super trustworthy people like Verisign or the government of China.

    --
    Watch this Heartland Institute video
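The check comment 4 asks for ("is this site using the same certificate as the last time I connected to it"), together with the pre-announced rollover it suggests, written out as an added example; it is not code from the thread or from any browser. The `PinStore` class, the JSON pin file and the `announced_next` parameter are hypothetical: SSL/TLS has no message for announcing a future certificate, so the caller is assumed to obtain that fingerprint some other way.

```python
import hashlib, json, os, ssl, tempfile

def fingerprint(der):
    """SHA-256 of the DER-encoded certificate, hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_der(host, port=443):
    """Leaf certificate as DER, fetched without CA validation (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

class PinStore:
    """Hypothetical pin file: host -> {"current": fp, "next": fp or None}."""
    def __init__(self, path):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, host, der, announced_next=None):
        fp, pin = fingerprint(der), self.pins.get(host)
        if pin is None:
            verdict, pin = "first-seen", {"current": fp, "next": None}  # unauthenticated
        elif fp == pin["current"]:
            verdict = "match"
        elif fp == pin["next"]:
            verdict, pin = "rollover", {"current": fp, "next": None}   # announced earlier
        else:
            return "mismatch"  # keep the old pin; ignore any announcement from this peer
        if announced_next:
            pin["next"] = announced_next  # never taken from a mismatching peer
        self.pins[host] = pin
        with open(self.path, "w") as f:
            json.dump(self.pins, f, indent=2)
        return verdict

def demo():
    # Constructed stand-ins for DER certificates; real input comes from fetch_der().
    old, new, rogue = b"constructed-cert-A", b"constructed-cert-B", b"constructed-cert-X"
    with tempfile.TemporaryDirectory() as d:
        store = PinStore(os.path.join(d, "pins.json"))
        host = "appliance.intranet.example"
        return [store.check(host, old),
                store.check(host, old, announced_next=fingerprint(new)),
                store.check(host, rogue),
                store.check(host, new),
                store.check(host, old)]

if __name__ == "__main__":
    print(demo())
```

The "first-seen" verdict is the weak point of this scheme: the first connection has nothing to compare against, which is the gap a private root distributed to clients (comment 3) closes.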