+ Post New Thread
Results 1 to 10 of 10
How do you do....it? Thread, https:// Certificate Error: How Do We Eliminate It? in Technical; We are using Serco ePortal. We permit the staff to logon in school or at home. We have not paid ...
  1. #1

    DaveP's Avatar
    Join Date
    Oct 2006
    Location
    Can't talk now: The mother-ship is calling!
    Posts
    8,711
    Thank Post
    351
    Thanked 1,268 Times in 866 Posts
    Blog Entries
    4
    Rep Power
    1124

    https:// Certificate Error: How Do We Eliminate It?

    We are using Serco ePortal. We permit the staff to logon in school or at home. We have not paid for a certificate preferring to self certificate. I have added the ePortal URL we use into the trusted websites in Active Directory for the Staff OU. I have imported the certificate we created to authenticate the the ePortal pages.

    Trouble is we still get the 'certificate error' message at the top of the page and the warning before the page loads about there being a problem with the certificate before the page fully loads [even logging on from within school]

    Is there any way to eliminate this when logging on when staff are onsite, as staff are not registering when they see this warning being reluctant to continue past this stage.

  2. #2
    Rozzer's Avatar
    Join Date
    Aug 2005
    Location
    South West
    Posts
    720
    Thank Post
    21
    Thanked 81 Times in 61 Posts
    Rep Power
    33

    Re: https:// Certificate Error: How Do We Eliminate It?

    Only way i know is to get a versign certificate but they cost a arm and a leg

    Ross

  3. #3
    meastaugh1's Avatar
    Join Date
    Jul 2006
    Location
    London/Hertfordshire
    Posts
    889
    Thank Post
    69
    Thanked 85 Times in 70 Posts
    Rep Power
    32

    Re: https:// Certificate Error: How Do We Eliminate It?

    We paid for our three certificates. They weren't Verisign and were therefore significantly cheaper.

    I've seen http://certs.ipsca.com recommended as being free to education, but haven't tried it myself.

  4. #4
    rrichmond's Avatar
    Join Date
    Jul 2007
    Location
    Brisbane
    Posts
    108
    Thank Post
    3
    Thanked 7 Times in 7 Posts
    Rep Power
    16

    Re: https:// Certificate Error: How Do We Eliminate It?

    There are much cheaper ways of doing this.

    We had a similar problem at our work.

    You need to have the certificate imported into "Trusted Root Certification Authorities". Once you have imported your certificate here, your problems should go away! :-). Import it anywhere else and the warning will keep appearing.

  5. #5

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex
    Posts
    1,618
    Thank Post
    49
    Thanked 448 Times in 331 Posts
    Rep Power
    136

    Re: https:// Certificate Error: How Do We Eliminate It?

    This has been posted several times before elsewhere on this forum.

    A single SSL Cert for a single url doesn't cost an arm and a leg, Go Daddy do them for $20 US

    A full on wildcard *.yourdomain.com installed on your gateway/IIS/ISA will cost alot more $200 and if you run a commercial website with ebusiness you will probably want the underwritten insurance versions that can cost loads...

    My concern over using self signed temporary ssl's as you have described is that by educating your "stupid" users to allow unsecured ssl certs to be installed into their home PC's is going to lead to all sorts of issues if one of them catches a cold! They will assume it's safe to do this for any site!

    Teaching all of your staff how to circumnavigate all of the ssl security features of their web browsers will surely put you squarely in the cross hairs when one of them has their bank account emptied and their ID stolen!

    I would think very carefully before choosing between buying a $20 ssl and advising all of my users to import untrusted certificates!
    If you have already done this and not covered your ass with a disclaimer or public advisory to your staff I would consider doing so.

    We are supposed to be the "Professionals", Internet security is bad enough without stupid bonehead users being advised that it's fine to install untrusted certs!

  6. #6

    DaveP's Avatar
    Join Date
    Oct 2006
    Location
    Can't talk now: The mother-ship is calling!
    Posts
    8,711
    Thank Post
    351
    Thanked 1,268 Times in 866 Posts
    Blog Entries
    4
    Rep Power
    1124

    Re: https:// Certificate Error: How Do We Eliminate It?

    Quote Originally Posted by rrichmond
    You need to have the certificate imported into "Trusted Root Certification Authorities". Once you have imported your certificate here, your problems should go away! :-).
    Thanks for that. It has resolved the issue for our school database. However the Consortium database logon is still a problem [didn't mention that in the original post: Oops]

    That aside Years 7 to 11 can now be registered without issue now. Thanks again.

  7. #7
    Rozzer's Avatar
    Join Date
    Aug 2005
    Location
    South West
    Posts
    720
    Thank Post
    21
    Thanked 81 Times in 61 Posts
    Rep Power
    33

    Re: https:// Certificate Error: How Do We Eliminate It?

    Quote Originally Posted by meastaugh1
    We paid for our three certificates. They weren't Verisign and were therefore significantly cheaper.

    I've seen http://certs.ipsca.com recommended as being free to education, but haven't tried it myself.
    Thanks for the link i have just put in a request for the certificate with that company. I was always under the impression verisign were the only people who could authorise them but turns out i was told wronge. Thanks all

    Ross

  8. #8

    DaveP's Avatar
    Join Date
    Oct 2006
    Location
    Can't talk now: The mother-ship is calling!
    Posts
    8,711
    Thank Post
    351
    Thanked 1,268 Times in 866 Posts
    Blog Entries
    4
    Rep Power
    1124

    Re: https:// Certificate Error: How Do We Eliminate It?

    Quote Originally Posted by m25man
    My concern over using self signed temporary ssl's as you have described is that by educating your "stupid" users to allow unsecured ssl certs to be installed into their home PC's is going to lead to all sorts of issues if one of them catches a cold! They will assume it's safe to do this for any site!
    I agree completely but this is the position I have been put in partly because some of the servers involved here are outside my local domain.

    Quote Originally Posted by m25man
    Teaching all of your staff how to circumnavigate all of the ssl security features of their web browsers will surely put you squarely in the cross hairs when one of them has their bank account emptied and their ID stolen!
    They are told to accept the certificate ONLY when it comes from a request that they have initiated and it is from the school or the Consortium server. They know what they are expecting to see when they logon to the servers and should only accept the temporary certificates from these specific servers. Nevertheless the points you make are valid and accepted.

  9. #9
    rrichmond's Avatar
    Join Date
    Jul 2007
    Location
    Brisbane
    Posts
    108
    Thank Post
    3
    Thanked 7 Times in 7 Posts
    Rep Power
    16

    Re: https:// Certificate Error: How Do We Eliminate It?

    Quote Originally Posted by m25man
    Teaching all of your staff how to circumnavigate all of the ssl security features of their web browsers will surely put you squarely in the cross hairs when one of them has their bank account emptied and their ID stolen!

    I would think very carefully before choosing between buying a $20 ssl and advising all of my users to import untrusted certificates!
    If you have already done this and not covered your ass with a disclaimer or public advisory to your staff I would consider doing so.

    We are supposed to be the "Professionals", Internet security is bad enough without stupid bonehead users being advised that it's fine to install untrusted certs!
    We have over 500 Desktop machines at our site and one Technical support number. WHY should we be expected to support phone calls that are a direct result of Microsoft changing their web browser? (Because thats what happens!)

    Use a real browser such as Firefox and bypass all this rubbish to start with!

    I see nothing wrong with advising users they can trust our site certificate. Is is our certificate, we provide it to them via email, where is the security problem? Besides, I have yet to find this "$20" certificate you speak of. Why should I have to pay someone else, to say that our site is fine for people to use..... Thats the most rediculous thing I can think of!

    For a bank or financial institution I can understand. But not for a web based email log on!!!

    It all comes down to trust. If they believe they can trust us, then I see no problem. It is their choice.

  10. #10

    m25man's Avatar
    Join Date
    Oct 2005
    Location
    Romford, Essex
    Posts
    1,618
    Thank Post
    49
    Thanked 448 Times in 331 Posts
    Rep Power
    136

    Re: https:// Certificate Error: How Do We Eliminate It?

    Quote Originally Posted by rrichmond
    I see nothing wrong with advising users they can trust our site certificate. Is is our certificate, we provide it to them via email, where is the security problem? Besides, I have yet to find this "$20" certificate you speak of. Why should I have to pay someone else, to say that our site is fine for people to use..... Thats the most rediculous thing I can think of!
    Here's your link, there's an Israeli SSL provider that will do the same for free but I lost the URL.
    https://www.godaddy.com/gdshop/ssl/ssl.asp

    You pay somebody else to hold your key for you and act as your trusted keyholder, so £10 for 2yrs is hardly extortion for a trusted service.

    If you were using a trusted cert from a trusted provider you users wouldn'y have to do anything, you wouldn't have to "advise" them as to why their browsers were all popping security warnings and your helpdesk wouldn't be overun with support calls!
    All for the sake of £10.

    My point is that teaching people to ignore SSL warnings and install untrusted certificates is really bad advice and the more people that do it will inevitably result in the proliferation of SSL Browser exploits.

    I agree that many SSL providers have been milking it for along time but this is now in decline and we do not have to compromise security for the sake of a tenner!

    There are only 3 parts to an ssl verification,
    The target URL/server/hostname
    The Expiry Date
    The Issuing Authority

    The first two are easily manipulated.
    If everybody issues their own, nobody would ever be able to trust an SSL site ever again!

    Whilst tricking most browsers into accepting a self signed cert is easy enough, it's not always possible on the hundreds of embedded clients out there such as browser enabled phones and appliances.

SHARE:
+ Post New Thread

Similar Threads

  1. Web certificate
    By edie209 in forum Web Development
    Replies: 15
    Last Post: 16th May 2008, 10:17 AM
  2. Affordable SSL certificate
    By meastaugh1 in forum Recommended Suppliers
    Replies: 6
    Last Post: 17th December 2006, 04:27 PM
  3. IE6 https problem
    By Spongor in forum Windows
    Replies: 7
    Last Post: 2nd November 2006, 09:25 AM
  4. Certificate Authority
    By plexer in forum *nix
    Replies: 9
    Last Post: 15th October 2006, 12:57 AM
  5. How to get a wireless network certificate onto a HP PDA
    By woody in forum Wireless Networks
    Replies: 4
    Last Post: 10th October 2006, 01:49 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •