Blog | On the Web | About me
Daniele Vistalli @ BleedYellow

Search 

Getting social ?

Feeds 

rss entriesFeed RSS
comment rss entriesComments

Recent articles 

Recent comments 

Tag cloud 

Archives 

Blog roll 

Web security, using HTTPS/SSL in a smart and "economic" way 

Recently I've been working to secure the web systems I'm working with to finally release trough the internet some services I prepared.

Discussing about web applications on the internet I'm obviously referring to HTTPS/SSL security.
There's a number of systems involved but I can summerize in this way:

- Website (on Websphere 6.1)
- E-Commerce
- Portal
- Connections
- Quickr
- Sametime
- Other services built with domino/php/websphere

So I'm looking forward to HTTPS protect at least 7 hostnames (but in reality more) and here I find some issues.
I could use the great PKI (Public Key Infrastructure) available in Domino Server to genereate all my SSL Certificates or go buying certificates trough a "serious" provider as Verisign/Geotrust or others.

In both cases there are advantages and limitations to keep in mind:

Solution 1: Domino based using the Domino PKI

Advantages Limitations
  • Cost is 0, just the cost of setting up the domino CA service
  • I can create and manage as many certificates as I want
  • Certificates I create (or better, my root certificate) are not included in browsers. So I would need to have all my users installing my root certificat. It's possible but not easy, expecially if the user population changes a lot or the services has to be used by unknown users on the internet.
  • In an Intranet environment I could ask IT to deploy the root certificat to users using Group Policies but this assumes I've a windows domain, a smart administrator and still the certificate is povisioned to Internet Explorer only.



Solution 2: I by certificates from a security provider
Advantages Limitations
  • Browsers (IE, Firefox, Opera, Safari ...) alread knows the root certificats for these provider. There's nothing to do on the user side to enable acceptance of my site security
  • I browser contengono già le root certificate e non devo fare nulla dal punto di vista dell'utente per garantire la sicurezza
  • In many cases those providers offer a security seal you can place on your site to "SHOW" it's secured.
  • This kind of certificates COSTS A LOT, often some hundreds dollars/euros and this limits the number of hostnames you may want to protect. This "selectivenes" helps creating security holes (see later).
  • Every server has to be managed with a different certificate and I've to manage expiration for many different certificates.



So we've plenty of options, on on  side I could save money, get security but have to manage and explain to the user how to avoid security wanrings by trusting my certificates (this becomes really soon a nightmare and in some companies users are not even allowed to add certificates to their trust stores). On the other side I get all the simplifications but it costs more money.

Also it's important to understand that "real security" requires everything to be protected. It could be easier to protect only the main services but... If I allow "plain/unencrypted" authentication to a less important system I've just created a security hole, this means anybody listening on my "unsecured" login page could gain access to all the other services by stealing my password. This would simply make all my work useless.

Obviously we want a win-win situation, trusted certificates for any number of hostnames at a reasonable cost.

I looked into the topic and found out this solution Image:Web security, using HTTPS/SSL in a smart and "economic" way (maybe you already knew this, let me know your experience).

HTTPS certificates are identified by a DN (distinguished name) with a format that's similar to the following:

CN=hostname,OU=organization unit,O=organization,C=country

The hostname identifies the protected website (in fact if you access an https website that doesn't match it's certificate you get a warning message to notify something is not secure as it should be).

And here's the trick, in the DN we can use wildcards, for instance

CN=*.vistalli.it,OU=labs,O=vistalli.it,C=IT

With a certificate created in this way I'll be able to protect ANY hostname of the vistalli.it domain thus reducing the number of certificates I need to create or to buy.

Summarizing I'll be buyng wildcard certificates to protect ALL my servers doing authentication and getting all the advantages:
  • Limited cost (for instance a widlcard certificate costs $ 199 per year  on rapidSSL , an expense you can definitely afford).
  • Maximum flexybility, with a single certificate I protect any number of hosts and any kind of server like domino / apache / IHS / websphere / LDAPS etc.
  • Maxiumun simplicity for users, certificates are trusted and I don't need to go over to any users and install my root certificate.

This said... good securing to everybody... do it before it's too late.

Ciao,
Daniele



Comments (0)
Daniele Vistalli March 9th, 2008 08:56:18