[Gllug] Couple of questions about HTTPS

Richard Jones rich at annexia.org
Thu Nov 18 13:40:31 UTC 2004


On Thu, Nov 18, 2004 at 12:32:09PM +0000, Tethys wrote:
> Simple answer: no. Certificates simply exist to assure the end user
> that the site to which they're sending their data is the one it
> claims to be. That means the site name in DNS has to match the site
> name on the certificate, hence you need one per site.
> 
> You can, as others have mentioned, self sign your certificate. That
> will trigger a warning in the browser, but that may be acceptable,
> depending on the site. If you control the client machine, you can
[...]

OK, thanks - pretty much as I thought.

Some background on this - we want to offer "secure" logins (not really
secure, hence the quotes), and secure intranets.  At the moment when a
customer has a Team Notepad intranet for instance they access it in
the clear over HTTP.

The "secure" login part means that your username and password don't
go over the internet in the clear.  Of course the added security is
marginal because the authentication cookie is later sent in the clear,
as are the pages themselves.  I can do this with a single "login"
server, with a single certificate, which redirects back to the real
site with some cookie magic.

The (actually) secure intranet offering would send everything over
HTTPS.  Authentication using a certificate is useful to avoid a
man-in-the-middle (MITM) attack, but the reality is that if someone
can mount a MITM attack, then they can do much worse things with much
less effort.  For example, off the top of my head, they could direct
our customers to a site which contained the latest IE JPG/JS/ActiveX
exploit-du-jour.

It looks like this is something we should charge lots of money for.

Rich.

-- 
Richard Jones.  http://www.annexia.org/  http://www.j-london.com/
>>>   http://www.team-notepad.com/ - collaboration tools for teams   <<<
Merjis Ltd. http://www.merjis.com/ - improving website return on investment
http://winwinsales.co.uk/ - CRM consultancy
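The point Rich makes about the authentication cookie going over the wire in the clear can be shown concretely with a browser cookie jar. The following is an added example written for this page, not code from the original message or from Team Notepad; it assumes, for simplicity, that the login endpoint and the intranet pages live on one host (www.example.com, a made-up name) rather than on a separate login server, and it models the browser with Python's standard http.cookiejar. It also tries the Secure cookie attribute, which the message does not mention, to show the one-line change that stops the cookie from being replayed over plain HTTP.

```python
"""Constructed example: a session cookie set by an HTTPS login page is
replayed by the browser on later plain-HTTP requests unless it carries
the Secure attribute.  Uses only the standard library."""
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for an HTTP response.  CookieJar.extract_cookies()
    only needs .info() to return a header object supporting get_all()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message allows repeats

    def info(self):
        return self._headers


def cookie_header_after_login(set_cookie_value, login_url, next_url):
    """Simulate a browser: it submits the login form at login_url, the
    server answers with the given Set-Cookie header, and the browser then
    fetches next_url.  Returns the Cookie header that the browser would
    attach to the second request, or None if it would send no cookie."""
    jar = http.cookiejar.CookieJar()  # default policy behaves like a browser

    # Step 1: login over HTTPS; the jar stores whatever the server sets.
    login_request = urllib.request.Request(login_url)
    jar.extract_cookies(_FakeResponse([set_cookie_value]), login_request)

    # Step 2: the browser is redirected to an ordinary page; ask the jar
    # which cookies it would send there.
    next_request = urllib.request.Request(next_url)
    jar.add_cookie_header(next_request)
    return next_request.get_header("Cookie")


def demo():
    """Run both variants against the same HTTPS login / HTTP page pair.
    Hosts and cookie values are made up for the example."""
    login = "https://www.example.com/login"
    page = "http://www.example.com/notepad/"
    return {
        # No Secure attribute: the cookie is sent over plain HTTP, so a
        # sniffer on the path gets the session just as it would the password.
        "plain": cookie_header_after_login("session=abc123; Path=/", login, page),
        # Secure attribute: the jar withholds the cookie on http:// requests,
        # so the whole site has to be served over HTTPS for logins to work.
        "secure": cookie_header_after_login("session=abc123; Path=/; Secure", login, page),
    }


if __name__ == "__main__":
    for variant, header in demo().items():
        print(f"{variant:6s} -> Cookie header on http:// page: {header!r}")
```

The first variant is the "marginal" design from the message: the password is protected, but the cookie that stands in for it is not. The second variant is what forces the (actually) secure offering, everything over HTTPS, because a Secure cookie is useless to a site that still serves its pages over HTTP.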