https:// Certificate Error: How Do We Eliminate It?
We are using Serco ePortal. We permit the staff to log on in school or at home. We have not paid for a certificate, preferring to self certificate. I have added the ePortal URL we use into the trusted websites in Active Directory for the Staff OU. I have imported the certificate we created to authenticate the ePortal pages.
Trouble is we still get the 'certificate error' message at the top of the page and the warning before the page loads about there being a problem with the certificate before the page fully loads [even logging on from within school]
Is there any way to eliminate this when logging on when staff are onsite, as staff are not registering when they see this warning being reluctant to continue past this stage.
Re: https:// Certificate Error: How Do We Eliminate It?
Only way I know is to get a Verisign certificate but they cost an arm and a leg :(
Ross
Re: https:// Certificate Error: How Do We Eliminate It?
We paid for our three certificates. They weren't Verisign and were therefore significantly cheaper.
I've seen http://certs.ipsca.com recommended as being free to education, but haven't tried it myself.
Re: https:// Certificate Error: How Do We Eliminate It?
There are much cheaper ways of doing this.
We had a similar problem at our work.
You need to have the certificate imported into "Trusted Root Certification Authorities". Once you have imported your certificate here, your problems should go away! :-). Import it anywhere else and the warning will keep appearing.
Re: https:// Certificate Error: How Do We Eliminate It?
This has been posted several times before elsewhere on this forum.
A single SSL Cert for a single url doesn't cost an arm and a leg; Go Daddy do them for $20 US.
A full on wildcard *.yourdomain.com installed on your gateway/IIS/ISA will cost a lot more, $200, and if you run a commercial website with ebusiness you will probably want the underwritten insurance versions that can cost loads...
My concern over using self signed temporary ssl's as you have described is that by educating your "stupid" users to allow unsecured ssl certs to be installed into their home PC's is going to lead to all sorts of issues if one of them catches a cold! They will assume it's safe to do this for any site!
Teaching all of your staff how to circumnavigate all of the ssl security features of their web browsers will surely put you squarely in the cross hairs when one of them has their bank account emptied and their ID stolen!
I would think very carefully before choosing between buying a $20 ssl and advising all of my users to import untrusted certificates!
If you have already done this and not covered your ass with a disclaimer or public advisory to your staff I would consider doing so.
We are supposed to be the "Professionals", Internet security is bad enough without stupid bonehead users being advised that it's fine to install untrusted certs!
Re: https:// Certificate Error: How Do We Eliminate It?
Quote:
Originally Posted by rrichmond
You need to have the certificate imported into "Trusted Root Certification Authorities". Once you have imported your certificate here, your problems should go away! :-).
Thanks for that. It has resolved the issue for our school database. However the Consortium database logon is still a problem [didn't mention that in the original post: Oops]
That aside, Years 7 to 11 can now be registered without issue. Thanks again.
Re: https:// Certificate Error: How Do We Eliminate It?
Quote:
Originally Posted by meastaugh1
We paid for our three certificates. They weren't Verisign and were therefore significantly cheaper.
I've seen http://certs.ipsca.com recommended as being free to education, but haven't tried it myself.
Thanks for the link, I have just put in a request for the certificate with that company. I was always under the impression Verisign were the only people who could authorise them but turns out I was told wrong. Thanks all :)
Ross
Re: https:// Certificate Error: How Do We Eliminate It?
Quote:
Originally Posted by m25man
My concern over using self signed temporary ssl's as you have described is that by educating your "stupid" users to allow unsecured ssl certs to be installed into their home PC's is going to lead to all sorts of issues if one of them catches a cold! They will assume it's safe to do this for any site!
I agree completely but this is the position I have been put in partly because some of the servers involved here are outside my local domain.
Quote:
Originally Posted by m25man
Teaching all of your staff how to circumnavigate all of the ssl security features of their web browsers will surely put you squarely in the cross hairs when one of them has their bank account emptied and their ID stolen!
They are told to accept the certificate ONLY when it comes from a request that they have initiated and it is from the school or the Consortium server. They know what they are expecting to see when they logon to the servers and should only accept the temporary certificates from these specific servers. Nevertheless the points you make are valid and accepted.
Re: https:// Certificate Error: How Do We Eliminate It?
Quote:
Originally Posted by m25man
Teaching all of your staff how to circumnavigate all of the ssl security features of their web browsers will surely put you squarely in the cross hairs when one of them has their bank account emptied and their ID stolen!
I would think very carefully before choosing between buying a $20 ssl and advising all of my users to import untrusted certificates!
If you have already done this and not covered your ass with a disclaimer or public advisory to your staff I would consider doing so.
We are supposed to be the "Professionals", Internet security is bad enough without stupid bonehead users being advised that it's fine to install untrusted certs!
We have over 500 Desktop machines at our site and one Technical support number. WHY should we be expected to support phone calls that are a direct result of Microsoft changing their web browser? (Because that's what happens!)
Use a real browser such as Firefox and bypass all this rubbish to start with!
I see nothing wrong with advising users they can trust our site certificate. It is our certificate, we provide it to them via email, where is the security problem? Besides, I have yet to find this "$20" certificate you speak of. Why should I have to pay someone else, to say that our site is fine for people to use..... That's the most ridiculous thing I can think of!
For a bank or financial institution I can understand. But not for a web based email log on!!!
It all comes down to trust. If they believe they can trust us, then I see no problem. It is their choice.
Re: https:// Certificate Error: How Do We Eliminate It?
Quote:
Originally Posted by rrichmond
I see nothing wrong with advising users they can trust our site certificate. It is our certificate, we provide it to them via email, where is the security problem? Besides, I have yet to find this "$20" certificate you speak of. Why should I have to pay someone else, to say that our site is fine for people to use..... That's the most ridiculous thing I can think of!
Here's your link, there's an Israeli SSL provider that will do the same for free but I lost the URL.
https://www.godaddy.com/gdshop/ssl/ssl.asp
You pay somebody else to hold your key for you and act as your trusted keyholder, so £10 for 2yrs is hardly extortion for a trusted service.
If you were using a trusted cert from a trusted provider your users wouldn't have to do anything, you wouldn't have to "advise" them as to why their browsers were all popping security warnings and your helpdesk wouldn't be overrun with support calls!
All for the sake of £10.
My point is that teaching people to ignore SSL warnings and install untrusted certificates is really bad advice and the more people that do it will inevitably result in the proliferation of SSL Browser exploits.
I agree that many SSL providers have been milking it for a long time but this is now in decline and we do not have to compromise security for the sake of a tenner!
There are only 3 parts to an ssl verification,
The target URL/server/hostname
The Expiry Date
The Issuing Authority
The first two are easily manipulated.
If everybody issues their own, nobody would ever be able to trust an SSL site ever again!
Whilst tricking most browsers into accepting a self signed cert is easy enough, it's not always possible on the hundreds of embedded clients out there such as browser enabled phones and appliances.
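Added example, not part of the thread or any poster's code: a small model of the three checks listed in the last post (host name, validity dates, issuing authority), showing why the school site stopped warning once its certificate was in "Trusted Root Certification Authorities" while the Consortium site still warns. The host names, dates and the `diagnose` helper are constructed for illustration, and the root store is simplified to a set of issuer names.

```python
import ssl
from datetime import datetime, timezone

def dn(rdns):
    """Flatten a getpeercert()-style name into a comparable tuple."""
    return tuple(sorted(pair for rdn in rdns for pair in rdn))

def dns_names(cert):
    """Names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for k, v in dn(cert["subject"]) if k == "commonName"]

def host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # wildcard covers one left-most label only
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def diagnose(cert, host, trusted_roots, now):
    """Return the reasons a browser would warn; an empty list means no warning."""
    problems = []
    if not any(host_matches(n, host) for n in dns_names(cert)):
        problems.append("name-mismatch")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("outside-validity-period")
    # Simplification: the root store is modelled as a set of issuer names.
    # A real client also verifies the signature chain up to a stored root.
    if dn(cert["issuer"]) not in trusted_roots:
        problems.append("untrusted-issuer")
    return problems

def self_signed(cn):
    """Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns."""
    name = ((("commonName", cn),),)
    return {"subject": name, "issuer": name,
            "notBefore": "Jan  1 00:00:00 2008 GMT",
            "notAfter": "Jan  1 00:00:00 2010 GMT"}

# Hypothetical host names standing in for the school and Consortium servers.
SCHOOL = self_signed("eportal.school.example")
CONSORTIUM = self_signed("eportal.consortium.example")
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc).timestamp()
ROOTS = {dn(SCHOOL["issuer"])}  # only the school certificate was imported

if __name__ == "__main__":
    print(diagnose(SCHOOL, "eportal.school.example", set(), NOW))
    print(diagnose(SCHOOL, "eportal.school.example", ROOTS, NOW))
    print(diagnose(CONSORTIUM, "eportal.consortium.example", ROOTS, NOW))
```

Each self-signed certificate is its own issuer, so every additional server needs its own entry in the root store on every client, whereas a certificate issued by an authority already in the store needs none.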