MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » July 2013

Re: HMC (hardware management console) web security certificate not trusted




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 18/07/13 01:30, Nathan Andelin wrote:
> The security certificate presented by this website was not issued
> by a trusted certificate authority.

Yes, I forgot to mention this solution clearly; it is useful for
externally accessed services, but for internal ones it just costs a
lot of money without additional benefit compared to, e.g., a local PKI
or simply trusting this specific certificate.


> Don't be overly concerned with the message. It's the default
> behavior for browsers, and serves mostly as an annoyance. Solve
> that by exporting the certificate that the HMC HTTP server is using
> for Secure Socket Layer (SSL), and importing it into your browser's
> local certificate store. Sorry, I don't have the steps for that,
> but I hope it gets you heading in the right direction.

> http://blogs.adobe.com/livecycle/2012/04/rights-management-how-to-get-windows-7-to-trust-a-self-signed-server-certificate.html

The link mentioned above explains quite clearly how you can save the public
key (which is the one used for verification purposes and is kept public)
into your local Windows Certificate Store.

Clicking away the message each time has two main disadvantages: tools
such as BurpSuite, Acunetix WVS or Fiddler can easily "change" the SSL
certificate. This is used to eavesdrop on the connection to the
server, and this kind of man-in-the-middle attack is exactly what your
browser prevents, or warns you about, with that same message (since
it is the same error: an untrusted certificate).

We observed that end users "trained" to click away the message tend
to become conditioned to this behavior, and when we used this set of
techniques on the corporate intranet portal, a large number of users
from the test group were fooled.

That's why we recommend trusted SSL certificates over here to people
writing internal web apps or deploying devices/services on HTTPS, be
it from a trusted CA or from the internal PKI (with the added
advantage that there is no additional cost from a CA when using the
internal PKI).



-Nathan.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBCgAGBQJR53M2AAoJEElyT3Tqk/McubgIAJPypf31SsXPVoOyPW8Be4PR
j36bX1RxxXyFlaY89xstLKTSXU5Jui/kOfpfXFHPqj9El7LqfKnYfXHWHKD6ZXNA
fCARpMoiSCzS8OglbCbJIG0X9UFFBg0mwSNe13cQeL63Wleiqx9yx5Vg3xv9n3J0
iQJR/bKaZBpL1UAWOx31LCOsttozrpbz4MZ8i9vwPjcgoUvdroGIJpsxDCFYaBAF
hDSddZmvDSlt8njaD+PQEIu8Y4DLSbyIgZhtJOuEEMcttdJKqr18GGTONEcOr/WM
H/P2izKzWo/g4yCLNFOCMXZWPpHPw+GO1Voz//fP950JNStzzGc8gILOPxWsGC0=
=Zcjy
-----END PGP SIGNATURE-----
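The point made in the message above (trust the HMC's specific certificate rather than clicking through the warning, because an intercepting proxy presents a different certificate that then fails verification) can be shown end to end with the openssl command-line tool. The following is an added example and not code from the mailing-list thread or from IBM's HMC; it assumes the openssl CLI is installed, and it mints two self-signed certificates locally as constructed stand-ins for the genuine HMC certificate and for a proxy's forged copy, so it runs offline. The hostname hmc.example.internal is made up; on a real HMC you would export the certificate from the live server instead (the command for that is in the comments).

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates trusting exactly
# one server certificate as the browser does after you import it, and shows
# that a forged certificate from an intercepting proxy is rejected.
# Assumptions: the openssl CLI is available; hmc.example.internal is a
# constructed hostname standing in for the real HMC.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a self-signed HMC certificate. Against a real HMC
# you would export the certificate it serves instead, e.g.:
#   openssl s_client -connect hmc.example.internal:443 -showcerts </dev/null \
#     | openssl x509 -outform PEM > hmc.pem
make_selfsigned() {  # $1 = basename, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_selfsigned hmc  hmc.example.internal   # the genuine HMC certificate
make_selfsigned mitm hmc.example.internal   # a proxy's forged copy: same name, different key

# "Importing the certificate" amounts to using this exact file as the trust
# anchor, instead of accepting whatever certificate is presented.
PINNED="$WORK/hmc.pem"

# SHA-256 fingerprint of a certificate; compare it with the one the HMC shows
# in its own console before you trust the file you exported.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Verify a presented certificate against the pinned one. Prints "trusted" or
# "untrusted", which is the decision the browser makes silently once the
# HMC certificate sits in the local store.
check_cert() {
  if openssl verify -CAfile "$PINNED" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "HMC  fingerprint: $(fingerprint "$WORK/hmc.pem")"
echo "MITM fingerprint: $(fingerprint "$WORK/mitm.pem")"
echo "genuine HMC cert: $(check_cert "$WORK/hmc.pem")"
echo "proxy-forged cert: $(check_cert "$WORK/mitm.pem")"
```

The forged certificate carries the same subject name as the genuine one, which is exactly what an intercepting proxy produces; it is rejected only because its key does not match the pinned file, so the user who has imported the HMC certificate gets the warning precisely when it matters, while the user who always clicks through sees nothing different.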




