Encryption Security

New SSL Server Rules Go Into Effect Nov. 1

alphadogg writes: Public certificate authorities (CAs) are warning that as of Nov. 1 they will reject requests for internal SSL server certificates that don't conform to new internal domain naming and IP address conventions designed to safeguard networks. The concern is that SSL server digital certificates issued by CAs at present for internal corporate e-mail servers, Web servers and databases are not unique and can potentially be used in man-in-the-middle attacks involving the setup of rogue servers inside the targeted network, say representatives for the Certification Authority/Browser Forum (CA/B Forum), the industry group that sets security and operational guidelines for digital certificates. Members include the overwhelming bulk of public CAs around the globe, plus browser makers such as Microsoft and Apple. The problem today is that network managers often give their servers names like 'Server1' and allocate internal IP addresses so that SSL certificates issued for them through the public CAs are not necessarily globally unique, notes Trend Micro's Chris Bailey.
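The practical question for an administrator reading the summary above is which of the certificates already in use carry names a public CA will no longer issue: single-label hostnames like "Server1", internal-only suffixes, or private IP addresses. The following audit script is an added example, not code from the article or from the CA/B Forum; it classifies subjectAltName entries in the `TYPE:value` form that `openssl x509 -text` prints. The sample entries, the `NON_PUBLIC_SUFFIXES` set and the function names are assumptions constructed for the example; a real audit would check the final label against the public suffix list rather than a hard-coded set.

```python
import ipaddress

# Constructed sample: subjectAltName entries in the "TYPE:value" form that
# "openssl x509 -text" prints. These values are made up for this example;
# they are not taken from the article.
SAMPLE_SANS = [
    "DNS:Server1",            # bare hostname, not globally unique
    "DNS:mail.corp.local",    # internal suffix, never publicly registered
    "DNS:mail.example.com",   # looks like a registered public name
    "IP:10.0.0.5",            # RFC 1918 private address
    "DNS:intranet",           # another single-label name
]

# Assumption: a short list of suffixes commonly used only on internal
# networks. A real audit should compare the final label against the IANA
# root zone / public suffix list instead of this hard-coded set.
NON_PUBLIC_SUFFIXES = {"local", "lan", "internal", "corp", "intranet", "localhost"}


def classify_san(entry):
    """Return None if the SAN entry looks globally unique, otherwise a short
    reason why a public CA could not tie it to a single owner."""
    kind, _, value = entry.partition(":")
    kind, value = kind.strip().upper(), value.strip()

    if kind == "IP":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "malformed IP address"
        # is_global is False for RFC 1918, loopback, link-local, ULA, etc.
        if not addr.is_global:
            return "reserved/private IP address"
        return None

    if kind == "DNS":
        labels = value.lower().rstrip(".").split(".")
        if len(labels) < 2 or any(not lbl for lbl in labels):
            return "malformed or single-label hostname (no registered domain)"
        if labels[-1] in NON_PUBLIC_SUFFIXES:
            return "non-public suffix ." + labels[-1]
        return None

    return "unsupported SAN type " + kind


def audit(sans):
    """Return the (entry, reason) pairs that a public CA would reject under
    the naming rules described in the summary."""
    findings = []
    for entry in sans:
        reason = classify_san(entry)
        if reason is not None:
            findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_SANS):
        print(f"{entry}: {reason}")
```

Feed it the SAN lines from `openssl x509 -in cert.pem -noout -text` for each certificate in the inventory; every entry it flags is one that has to move to a publicly registered name or to an internally trusted CA before the expiring certificate comes up for renewal.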
  • Why? (Score:5, Insightful)

    by Ark42 ( 522144 ) <slashdot@@@morpheussoftware...net> on Friday July 25, 2014 @02:15PM (#47533231) Homepage

    Why are people using public CAs and purchased certificates for private networks?

    Wouldn't it make more sense to set up your own internal CA, or at least just force via policy certain certificates onto each computer's browser as trusted?

  • by Sloppy ( 14984 ) on Friday July 25, 2014 @02:18PM (#47533267) Homepage Journal

    Who are these people, that would give a damn about this change?

    You don't need an intermediary not-you authority for this job. And in fact, using one can only possibly decrease the security, in the best-case scenario. Even the worst, most incompetent company in the world would make a better CA for its internal servers than the best, most trustworthy public CA.

  • Re: Why? (Score:5, Insightful)

    by tysonedwards ( 969693 ) on Friday July 25, 2014 @02:29PM (#47533367)

    If all of those devices were centrally managed, sure. Let's say that instead you are a college, with dorms, and an internal network that those in the dorms can use with direct access to things like Mail and whatever, or a BYOD scenario where users are allowed to use their cell phones to get email and even be on wifi, but you want to respect your employees' privacy on their privately purchased devices rather than adding them to an MDM.

    Do you really want to bug those users repeatedly with self-signed cert validation prompts, or just say "okay, $30 / year is worth avoiding the helpdesks"?

    In most cases, yes, a CA and group policies make the most sense though and should be the answer. There are just a few fringe cases where it is easier to pay the few bucks than waste the time explaining why the user is in fact safe and should just press okay.

  • Re:Why? (Score:5, Insightful)

    by El_Muerte_TDS ( 592157 ) on Friday July 25, 2014 @04:12PM (#47534237) Homepage

    Because of money.
