Slashdot Mirror

← Back to Stories (view on slashdot.org)

New SSL Server Rules Go Into Effect Nov. 1

Posted by Soulskill on from the encrypt-your-calendars dept.

alphadogg writes: Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks. The concern is that SSL server digital certificates issued by CAs at present for internal corporate e-mail servers, Web servers and databases are not unique and can potentially be used in man-in-the-middle attacks involving the setup of rogue servers inside the targeted network, say representatives for the Certification Authority/Browser Forum (CA/B Forum), the industry group that sets security and operational guidelines for digital certificates. Members include the overwhelming bulk of public CAs around the globe, plus browser makers such as Microsoft and Apple. The problem today is that network managers often give their servers names like 'Server1' and allocate internal IP addresses so that SSL certificates issued for them through the public CAs are not necessarily globally unique, notes Trend Micro's Chris Bailey.

4 of 92 comments (clear)

  1. Why? by Ark42 · · Score: 5, Insightful

    Why are people using public CAs and purchased certificates for private networks?

    Wouldn't it make more sense to set up your own internal CA, or at least just force via policy certain certificates onto each computer's browser as trusted?

    --
    Morphing Software
    1. Re: Why? by tysonedwards · · Score: 4, Insightful

      If all of those devices were centrally managed, sure. Let's say that instead you are a college, with dorms, and an internal network that those in the dorms can use with direct access to things like Mail and whatever, or a BYOD scenario where users are allowed to use their cell phones to get email and even be on wifi, but you want to respect your employees privacy on their private purchased devices rather than adding them to an MDM.

      Do you really want to bug those user's repeatedly with self signed cert validation prompts or just say "okay, $30 / year is worth avoiding the helpdesks"?

      In most cases, yes, a CA and group policies makes the most sense though and should be the answer. There are just a few fringe cases where it is easier to pay the few bucks than waste the time explaining why the user is in fact safe and just press okay.

      --
      Thirty four characters live here.
    2. Re:Why? by El_Muerte_TDS · · Score: 4, Insightful

      Because of money.

  2. Why use public CA an internal server? by Sloppy · · Score: 4, Insightful

    Who are these people, that would give a damn about this change?

    You don't need an intermediary not-you authority for this job. And in fact, using one can only possibly decrease the security, in the best case scenario. Even the worst most incompetent company in the world, would make a better CA for its internal servers, than the best, most trustworthy public CA.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.