This is why I run a CA for our Corp. We push the CA certificate as an Enterprise trust through Group Policies. Because we use this CA to generate all internal certificates, the certificate chain is trusted. If you hack my DNS and I go to ticket.crck.local and get a certificate warning, I know something is wrong.

I do not like to tell employees it is OK to trust self-signed certificates, as then they will always click past the warning, possibly going somewhere they shouldn't.

You should configure a CA for your internal domains and use it to issue all internal application certificates. This CA certificate should be added to the CA trust or Enterprise trust on all of your internal PCs and servers.

But that is just my opinion.

--
Chris Bipes
Director of Information Services
CrossCheck, Inc.


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Rob Berendt
Sent: Thursday, March 09, 2017 7:15 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Re: DCM cert for Apache settings

Let's say amazon.com is normally 208.1.2.3

I hack your DNS and it now thinks that amazon.com is 208.4.5.6.

We are NOT talking about redirects which take you from amazon.com to
fraud.com! Your URL still says amazon.com even though you are going to
the wrong IP address. And what user verifies the IP address? Now, if
your browser allows self-signed certificates then I simply self-sign a new
certificate to amazon.com and put it on my fraudulent 208.4.5.6 site.
Then, as far as you know, you are at the real amazon.com.

OK, internally. I know that if I go to corp.dekko.com it should be an
internal site. That should be safe, right? On there you enter a user and
password and look at your W2 information. So now I hack our DNS and point
it to an outside address with a self-signed certificate, and as far as you
know you're still using the internal site, right? Again, what user checks
the IP address? After all, the URL still says corp.dekko.com, right?
Again, we are NOT talking about redirects! This is why many sites do not
even allow them to work internally. Because you may say it's internal and
should be trusted. But that can easily be hacked.


Rob Berendt
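The scenario the two messages describe, as an added example that is not part of the thread and not code from either poster: a throwaway internal CA built with the openssl command line, a server certificate issued from it for ticket.crck.local, and a self-signed certificate for the same name of the kind Rob's attacker would deploy after hijacking DNS. The openssl verify step stands in for the browser, and -verify_hostname stands in for matching the host in the URL against the certificate. The CA name, the second host name payroll.crck.local and the temporary file layout are assumptions made for the demonstration; it needs only openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway corporate CA and shows
# what a client that trusts ONLY that CA accepts or rejects, versus a client that
# has been told self-signed certificates are fine. Assumes openssl >= 1.1.1.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CERT="$WORK/corp-ca.pem"
CA_KEY="$WORK/corp-ca.key"

# Minimal openssl config so the result does not depend on the system openssl.cnf.
# Every subject is supplied with -subj, so the [dn] section is only a stub.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extension file for a server certificate; the SAN is what the browser matches
# against the host name in the URL. Prints the path of the file it wrote.
leaf_ext_file() {
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$1" > "$WORK/$1.ext"
  printf '%s\n' "$WORK/$1.ext"
}

# The corporate root CA. Its certificate is what Group Policy would push into the
# Enterprise trust store of every domain-joined PC. (CA name is made up.)
make_corp_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Corp Internal Root CA" \
    -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1
}

# Issue a server certificate for an internal host name from the corporate CA.
# Prints the path of the issued certificate.
issue_internal_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
    -extfile "$(leaf_ext_file "$1")" -out "$WORK/$1.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/$1.pem"
}

# What the attacker does after hijacking DNS: mint a self-signed certificate
# that carries the victim host name, so the URL bar looks right.
make_rogue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/openssl.cnf" -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/rogue-$1.key" -out "$WORK/rogue-$1.pem" >/dev/null 2>&1
  printf '%s\n' "$WORK/rogue-$1.pem"
}

# A client that trusts only the corporate CA (Chris's setup). Exit status 0 means
# the chain ends at that CA AND the certificate is for the host name typed in.
verify_against_corp_ca() {
  openssl verify -CAfile "$CA_CERT" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# A client that has been told "self-signed is fine": it treats whatever the server
# hands it as the trust anchor, so this check passes for any self-signed cert.
verify_trusting_whatever_is_presented() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_corp_ca
GOOD=$(issue_internal_cert ticket.crck.local)
ROGUE=$(make_rogue_cert ticket.crck.local)

show() {  # show "label" command args...
  label=$1; shift
  if "$@"; then echo "ACCEPTED  $label"; else echo "REJECTED  $label"; fi
}
show "CA-issued cert for ticket.crck.local, user typed ticket.crck.local" \
  verify_against_corp_ca "$GOOD" ticket.crck.local
show "CA-issued cert for ticket.crck.local, user typed payroll.crck.local" \
  verify_against_corp_ca "$GOOD" payroll.crck.local
show "attacker's self-signed cert for ticket.crck.local, client trusts corp CA only" \
  verify_against_corp_ca "$ROGUE" ticket.crck.local
show "attacker's self-signed cert for ticket.crck.local, client accepts self-signed" \
  verify_trusting_whatever_is_presented "$ROGUE" ticket.crck.local
```

Run it with sh; the four lines it prints are the four cases. The second case shows that even a legitimate certificate the corporate CA issued for some other host is rejected when it is presented for ticket.crck.local, so a DNS hijack plus a stolen internal certificate does not help the attacker either. The last case is the one Chris warns about: a client that accepts self-signed certificates is, in effect, letting the server choose its own trust anchor, so the check passes for anyone who controls the DNS answer. Pushing a single root through Group Policy means the only way to pass is to hold a key that the corporate CA has actually signed for that name.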


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].