regarding https

2 posts / 0 new
Last post
#1 Thu, 06/08/2006 - 09:54
AdamHolt

regarding https

Im trying out the Internet Explorer Beta 7

And it seems that Microsoft is really trying to warn people when a sites certificate is invalid. Now instead of the usual popup that you can answer yes to, they have a internal webpage display instead with the following information:

"There is a problem with this website's security certificate.

The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended). For more information, see "Certificate Errors" in Internet Explorer Help."

I think this is really going to scare off people so Im wondering why use the https? I do realize that it's to secure the username and password when entered to gain access to the control panels, but what would be needed to be done so that the certificate doesn't create this warning from Internet Explorer 7?

I only have one IP address to work with and it's dynamic and I've never worked with secure certificates in the past.

Thanks,

Thu, 06/08/2006 - 12:13
Joe
Joe's picture

Hey Adam,

You'll need to buy a certificate from one of the certificate authorities supported by IE (e.g. from one that pays Microsoft for the privilege of not generating a warning). Installing such a certificate is covered in the FAQ.

You can, within your own organization, create your own certificate server and avoid this message on systems setup to accept those certificates...but you can't expect your customers to configure their browsers to know about your certificate server.

There's no workaround, I'm afraid, and even if you buy a certificate, it only applies to one domain (and possibly subdomains, if you get a wildcard certificate).

The reason this warning occurs is because certificates perform two functions:

1. The obvious encryption of data. This function protects passwords and such from prying eyes out on the big bad internets. An unequivically good thing.

2. Provide a guarantee that you are connecting to the site you think you are. This one is more subtle (and most folks don't even realize this is one of the functions of an SSL protected website), and less important to most folks. This function protects against man-in-the-middle attacks. In other words, if you pay attention to the warnings, it can protect against someone poisoning DNS and pointing your domain name to some other server somewhere that looks like yours but is really just there to collect login details. This one requires more work than just sniffing traffic on the part of attackers, but is also a real security threat.

In short, getting a real certificate is recommended, but not economically feasible for the majority of non-commercial (those that don't store sensitive data) websites.

You have options, of course...you can generate a custom certificate that does provide all of the information specific to your server (company name, etc.) and then train your customers in how to accept that certificate on first visit--this still doesn't really provide the end-to-end guarantee that a certificate from someone like GeoTrust or GoDaddy does on the first visit, but it does insure that if they hit your site correctly the first time (and tell their browser to learn the certificate) any future visits will be protected the same as if the certificate were a "real" certificate.

Clear as mud?

In short, you're making decisions about tradeoffs. The ideal situation is for all of us to have unlimited budgets, and we buy certificates for every domain every year, but I don't live there, and I'm guessing neither do you. ;-)

So, we're walking the security line as best we can. With a little extra effort on your part, you can go a couple of steps farther toward protecting your users and your server. With a little extra effort and a little extra cash, you can provide reasonable expectations of both good security and a guarantee of end-to-end communication free from tampering.

I'll point out that these problems apply to any secured communication. Mail servers, POP/IMAP servers, web servers like Apache, SSH, all have the problem of securing data and insuring an end-to-end connection. Most of them handle it with the same certificate mechanisms, and you can often use the same certificate (or a different format of the same certificate) for all of those purposes (except SSH). In other words, you can secure Webmin, Apache, Postfix, and Dovecot with the same certificate, assuming they all work on the same domain name.

Another option is to skip encryption altogether. I don't recommend this, but it won't generate any warnings.

Anyway, I hope this helps.

--

Check out the forum guidelines!