On 18/07/13 01:30, Nathan Andelin wrote:
> The security certificate presented by this website was not issued
> by a trusted certificate authority.

Yes - forgot to clearly mention this solution; this is useful for
externally accessed services but for internal ones this just costs a
lot of money without additional benefits compared to e.g. a local PKI
or just trusting this specific certificate.

> Don't be overly concerned with the message. It's the default
> behavior for browsers, and serves mostly as an annoyance. Solve
> that by exporting the certificate that the HMC HTTP server is using
> for Secure Socket Layer (SSL), and importing it into your browser's
> local certificate store. Sorry, I don't have the steps for that,
> but I hope it gets you heading in the right direction.

The mentioned link explains quite clearly how you can save the public
key (which is the one for verification purposes and is kept public)
to your local Windows Certificate Store.

Clicking away the message each time has two main disadvantages: tools
such as BurpSuite, Acunetix WVS or Fiddler can easily "change" the SSL
certificate. This is used to eavesdrop on the connection to the
server, and this kind of man-in-the-middle attack will be
prevented/warned about by your browser using the same message (since
it's the same error: an untrusted certificate).

We observed that end-users "trained" to click away the message
tend to get conditioned to this behavior, and when using this set of
techniques on the corporate intranet portal a huge number of users
from the test group were fooled.

That's why we recommend trusted SSL certificates over here to people
writing internal web apps/deploying devices|services on HTTPS, be
it from a trusted CA or from the internal PKI (with the added
advantage that there is no additional cost from a CA when using the
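
An added example, not part of the original message: "just trusting this specific certificate" expressed as a SHA-256 fingerprint comparison in Python, so that a certificate replaced anywhere on the path no longer matches the one exported from the device. The function names and the sample byte strings are assumptions made for illustration; the byte strings are constructed stand-ins, not real certificates.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aa bb ..' as shown in certificate dialogs."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_pin(der_cert: bytes, pinned_fp: str) -> bool:
    """True only if the presented certificate is exactly the pinned one."""
    return hmac.compare_digest(fingerprint(der_cert), normalize(pinned_fp))


def fetch_presented_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER certificate the server presents, without CA validation.

    Validation is off because a self-signed certificate would fail it; trust
    comes from the pin comparison afterwards, not from this handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_host(host: str, pinned_fp: str, port: int = 443) -> bool:
    """Fetch the live certificate and compare it with the pin."""
    return matches_pin(fetch_presented_cert(host, port), pinned_fp)


# Constructed stand-ins for DER bytes (not real certificates): the one exported
# from the device, and a different one substituted by something in the path.
EXPORTED_CERT = b"constructed-der-bytes-of-exported-device-certificate"
SUBSTITUTED_CERT = b"constructed-der-bytes-of-substituted-certificate"
PIN = fingerprint(EXPORTED_CERT)
```

The pin should be recorded from the certificate file exported over a trusted path, not from a live connection that may already be intercepted.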