Slashdot Mirror


SSL Certificates For Intranet Sites?

wiedzmin writes "Anybody who has worked around anything dubbed an 'appliance' in the past few years knows that they come with a management Web interface, which is usually 'secure.' However, no company in their right (accounting) mind will spend $400/year per appliance to buy Verisign SSL certificates to secure Web interfaces on networks that may not even be open to the public Internet. So network administrators, and sometimes end users, are stuck clicking away at an annoying 'Continue to this website (not recommended)' message every time they connect, setting an unhealthy precedent when it comes to the actual security of SSL and the much-hyped MITM attacks. So the question I have for the Slashdot crowd is: do you have valid SSL certificates on your intranet sites, and if so what do you use? Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

20 of 286 comments

  1. Private Certificate Authority by LostOne · · Score: 5, Informative

    Why not set up a private certificate authority? Then you can manufacture as many SSL certificates as you need for private use and all you need to do is distribute the certificate authority's certificate to each browser once for the entire enterprise. Every browser out there has a way to add additional trusted certificate authorities. Indeed, if you have a "centrally controlled" provisioning system, you can even add the certificate to your default system build. Then the scary warnings go away completely.

    --

    If it works in theory, try something else in practice.
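The private-CA setup LostOne describes, as an added example that is not part of the post or of any product mentioned in the thread: a self-signed root whose `ca.crt` is the one file that has to reach every workstation (through the system build, a login script or group policy, as later replies suggest), a server certificate issued for a hypothetical appliance name, and the two verification outcomes a workstation sees with and without that root installed. It assumes `openssl` 1.1.1 or later is on the PATH; the host name, subject names and working directory are made up.

```shell
#!/bin/sh
# Added example, not the commenter's code. Assumes openssl 1.1.1+.
# All names below (CA subject, appliance host name, directory) are hypothetical.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-appliance.example.internal}"   # hypothetical appliance

# 1. Root CA: self-signed, basicConstraints CA:TRUE. ca.crt is what you distribute;
#    ca.key stays on the signing machine. A config file is used instead of the
#    system openssl.cnf so the extensions are explicit and the same on every version.
make_private_ca() {
    cat > "$WORKDIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Corp Internal Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORKDIR/ca.cnf" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# 2. Per-appliance key + CSR, signed by the CA. Browsers match the host name against
#    subjectAltName, not the CN, so the SAN goes into the extension file.
issue_server_cert() {
    host="$1"
    cat > "$WORKDIR/$host.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/$host.cnf" \
        -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" >/dev/null 2>&1
    cat > "$WORKDIR/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$WORKDIR/$host.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORKDIR/$host.ext" \
        -out "$WORKDIR/$host.crt" >/dev/null 2>&1
}

# 3a. A workstation that has ca.crt installed: chain builds and host name matches.
verify_with_private_ca() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -verify_hostname "$1" \
        "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# 3b. A workstation that never received ca.crt (no trust anchor for this chain):
#     this is the "Continue to this website (not recommended)" case.
verify_without_private_ca() {
    openssl verify -no-CAfile -no-CApath "$WORKDIR/$1.crt" >/dev/null 2>&1
}

demo() {
    make_private_ca
    issue_server_cert "$HOST"
    if verify_with_private_ca "$HOST"; then
        echo "$HOST: trusted on a workstation with ca.crt installed"
    fi
    if verify_without_private_ca "$HOST"; then
        echo "unexpected: trusted without the private root"
    else
        echo "$HOST: untrusted without ca.crt (the browser warning the poster sees)"
    fi
    echo "file to push to every workstation: $WORKDIR/ca.crt"
}
demo
```

Only `ca.crt` leaves the signing machine; the leaf certificate and key go onto the appliance, and re-running `issue_server_cert` for each new appliance reuses the same root, so the distribution step happens once per enterprise rather than once per box.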
    1. Re:Private Certificate Authority by Anonymous Coward · · Score: 5, Insightful

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

    2. Re:Private Certificate Authority by Anonymous Coward · · Score: 5, Funny

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

      Damn, over in two posts.

    3. Re:Private Certificate Authority by pla · · Score: 4, Insightful

      Because your question implies that the asker is actually competent at their job. Anyone with half a brain would have already come up with that solution a long time ago.

      FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks."

      Before snarking on the FP author, perhaps you should actually read the FP's question?

    4. Re:Private Certificate Authority by MeanMF · · Score: 4, Informative

      Yeah AD group policy can do this very easily, no scripts required. http://technet.microsoft.com/en-us/library/cc772491.aspx

    5. Re:Private Certificate Authority by Trevelyan · · Score: 5, Informative

      10 secs of googling gave me this:

    6. Re:Private Certificate Authority by Yaa 101 · · Score: 5, Insightful

      Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.

      The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

      I do not know any other way to do this automatically.

    7. Re:Private Certificate Authority by Shawn is an Asshole · · Score: 4, Informative

      TinyCA2 is rather easy to use.

      --
      "It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks

    8. Re:Private Certificate Authority by Xonstantine · · Score: 5, Informative

      If you are using Windows on a network controlled by a DC, you can push the CA trust out through group policy...

    9. Re:Private Certificate Authority by BagOBones · · Score: 3, Informative

      You don't even need group policy... once you install a Windows CA in Enterprise mode it's automatic; the chain will be distributed and trusted via Active Directory.

      --
      EA David Gardner -"... but the consumers have proven that actually what they want is fun."
    10. Re:Private Certificate Authority by Anonymous Coward · · Score: 5, Informative

      Windows AD policies can do that for you. That's how we do it over here. (at least, if you use IE)

      For those who don't like using IE, you can also distribute Firefox settings via group policies by using FrontMotion.

    11. Re:Private Certificate Authority by TheLink · · Score: 3, Interesting

      Sorry, but every certificate authority is manually distributed at some point, the Verizons of this planet included; they just have the convenience that browser manufacturers do that for them.

      And there's the big difference.

      The most automatic way to do what the main requester wants is to set up that certificate authority and roll out your browsers automatically after adding that certificate authority's root to that browser.

      No, the way to do what the main requester wants is to get a free cert whose CA is recognized by most popular browsers. You can get some from: http://www.startssl.com/
      Their "product" comparison: http://www.startssl.com/?app=40

      You might be able to get free certs from elsewhere.

      Apparently some sites sell rapidssl wildcard certs for cheap. I can't remember which ones. Can't find them via Rapidssl's own website for some reason ;).

      You have to understand the truth of the matter. Most people dealing with https don't really care that much about security. All they want is not to have those scary browser warnings.

      If they really cared about security they would realize that most popular browsers by default do not warn you if a site's CA has changed, or a server cert has changed rather prematurely (I use certificate patrol for that). And that as long as this remains true, all the talk about https security is just talk.

      So people should just solve the submitter's problem instead of implying he's incompetent or even calling him incompetent. Because how many of you are relying on https to keep stuff safe and have CA certs in your browser from CAs you do not trust?

      FWIW, how many of you really trust Verisign? Stick your hand up if you're that incompetent ( http://en.wikipedia.org/wiki/Verisign#Controversies ). Guess who signs zillions of certs though, and what happens if you don't tell the browser to trust Verisign's certs. Guess who signed a fake Microsoft cert? http://www.cert.org/advisories/CA-2001-04.html

      So just accept that those certs are mainly to make people feel safe and make the browser warnings go away.

      --
  2. Inexpensive 3rd Party Solution by schi0244 · · Score: 4, Informative

    https://www.startssl.com/
    An Israeli company with inexpensive SSL (and other certs). I would also point out the prices they have for Extended Validation SSL certs.

  3. Why are you clicking through that box every time? by jandrese · · Score: 3, Insightful

    Every browser has a way to store the security exceptions so that you don't get that warning every time. Just set the box up on a private network the first time to avoid a MitM attack and store the cert. If you ever get another warning about an untrusted cert from the box, then you might have a MitM attack going on, but otherwise if the cert matches you're fine.

    You could also set up your own local root authority (most larger companies do this) and make your own certs.

    --

    I read the internet for the articles.
  4. Is free cheap enough? by multipartmixed · · Score: 5, Informative
    --

    Do daemons dream of electric sleep()?
  5. Are you seriously that dense? by apparently · · Score: 3, Insightful

    FTFP: "Any cost-neutral, or at least cost-conscious solutions out there that don't involve manually distributing your certificates and CRL to every workstation in the company? Thanks." Before snarking on the FP author, perhaps you should actually read the FP's question?

    So a login script (or in a Microsoft environment, an AD group policy) that distributes the certificate automatically to each computer meets your definition of "manual distribution?"
    Really? That's what you're saying? "Automatic" and "manual" are synonyms in your universe? Wow.

  6. Seriously? Do your own job. by spydum · · Score: 5, Interesting

    Judging by plenty of the comments in threads similar to this, I think most of us are tired of seeing Ask Slashdot posts on how to do his or her job. Had this been really cutting edge, or new grounds, I could understand. However.. Enterprise PKI? Seriously? If this is to be the continuing trend of Ask Slashdot, I need to adjust my filters.. because that is just sad.

    I'm finding more and more IT folks are standing around waiting to be spoon-fed solutions, instead of trying to research and educate themselves on what is already out there. It worries me that this is not just the trend in IT, but across all occupations. Am I just getting old and crotchety, or is this a new trend?

    1. Re:Seriously? Do your own job. by rainer_d · · Score: 3, Insightful

      That's the "I'm feeling lucky" google-fed generation.
      If it's not on the first page in google results, go and ask in a forum.
      Though, that's actually old-school, sort-of - people tend to ask in their twitter feed nowadays...

      --
      Windows 2000 - from the guys who brought us edlin
  7. Re:Untrusted certs should not raise an alarm by Eunuchswear · · Score: 4, Insightful

    This is done by having the server present a certificate, which the client can then verify was signed by one of many trusted authorities.

    The only thing the "trusted authorities" confirm is that the person who has the cert paid for it.

    Some trust.

    The whole SSL certificate crap is a scam. The only interesting thing to know would be "is this site using the same certificate as the last time I connected to it". And the shitty browsers don't tell you that.

    (The protocol should also have some reasonable way of doing rollover, like presenting a new certificate in the session "this is what we're going to be using starting...").

    That is why SSL authenticates the remote site. Encrypting the transport prevents eavesdropping, while authenticating the remote site prevents man-in-the-middle attacks. You need both to have any degree of security.

    But they don't authenticate the remote site. They just check that the remote site has a certificate signed by one of those super trustworthy people like Verisign or the government of China.

    --
    Watch this Heartland Institute video
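The check jandrese (store the cert the first time, worry only when it changes) and Eunuchswear ("is this site using the same certificate as the last time I connected") are both describing, as an added example that is neither commenter's code: a trust-on-first-use pin store keyed by host name and SHA-256 certificate fingerprint, the kind of check the Certificate Patrol add-on mentioned earlier in the thread does inside the browser. It assumes `openssl` 1.1.1 or later and builds constructed self-signed certificates for a hypothetical appliance so it runs offline; in real use the fingerprint would be taken from the certificate the server actually presented.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl 1.1.1+.
# Host names, file names and the certificates themselves are constructed for the demo.
set -eu

PINDIR="${PINDIR:-$(mktemp -d)}"
PINFILE="$PINDIR/pins.txt"        # one "host sha256-fingerprint" line per host

# Constructed sample input: a self-signed certificate for $1, written to $2.crt/$2.key.
# Each call makes a fresh key, so two calls for the same host give two different certs.
make_self_signed() {
    cat > "$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_leaf
prompt = no
[dn]
CN = $1
[v3_leaf]
subjectAltName = DNS:$1
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$2.cnf" -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# SHA-256 over the DER encoding of the certificate, as colon-separated hex.
# This is the value a user would compare out of band before trusting a new cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Trust on first use: record the fingerprint the first time a host is seen (return 0),
# return 0 if later connections present the same certificate, return 1 if it differs.
# A mismatch is either a rotation that should have been announced or an interception.
check_pin() {
    host="$1"
    fp="$(cert_fingerprint "$2")"
    [ -f "$PINFILE" ] || : > "$PINFILE"
    stored="$(awk -v h="$host" '$1 == h { print $2 }' "$PINFILE")"
    if [ -z "$stored" ]; then
        printf '%s %s\n' "$host" "$fp" >> "$PINFILE"
        echo "first use: pinned $host ($fp)"
        return 0
    fi
    if [ "$stored" = "$fp" ]; then
        echo "ok: $host presents the pinned certificate"
        return 0
    fi
    echo "ALERT: $host presents a different certificate than last time" >&2
    echo "  pinned:    $stored" >&2
    echo "  presented: $fp" >&2
    return 1
}

demo() {
    host="appliance.example.internal"        # hypothetical appliance
    make_self_signed "$host" "$PINDIR/first"
    check_pin "$host" "$PINDIR/first.crt"     # first sight: pinned
    check_pin "$host" "$PINDIR/first.crt"     # same cert again: ok
    make_self_signed "$host" "$PINDIR/second" # new key for the same name
    if check_pin "$host" "$PINDIR/second.crt"; then
        echo "unexpected: certificate change was not detected"
    fi
}
demo
```

The alert fires identically for an honest key rotation and for an interposed certificate, which is exactly the rollover gap the comment above points at: whoever operates the appliance has to publish the new fingerprint (or keep the old key across the renewal) ahead of time, or every user will be trained to click through the very warning this check exists to raise.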
  8. Troll Tuesday hits Ask Slashdot! by peacefinder · · Score: 3, Insightful

    Congratulations on getting your story accepted to the front page!

    Dozens of man-hours will now be spent explaining basics of in-house certificate authorities and self-signing, along with comments on your lack of basic research, intelligence, qualification for your position, and legitimate parentage.

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd