
Easy SSL-HTTP Question 1

Status
Not open for further replies.

kgoods

MIS
Jun 14, 2001
70
US
I’m a little embarrassed to even ask this question but…

I have been a network admin for about 5 years. I have always had multiple websites with limited IP addresses and as such have always needed to use host headers. I realize that host headers and SSL do not get along and understand why. So I reserved an IP address, assigned a certificate, and gave it a generic domain name and use it jointly between all other domains which need SSL pages. But now I need to put a site together on its own individual IP address. Can I assign a certificate to this address and get away with using SSL and HTTP on this same address? Seems like a no-brainer “yes” but I’ve never had this experience and wanted to make sure before I generate the certificate.

In other words I have one IP address x.x.x.10 and I want to access both and on this address. Can it be done?

Thanks in advance.

Ken
 
I thought it was easy too, but cannot figure it out for the life of me. Please let me know too, if you figure it out on your own, because I'm dying to get it to work.
 
If someone can tell me how to create an SSL cert without going through some company and paying through the nose (I have no need for a cert right now), it will be the first thing done on my newly built win2k web box this week.


Scott Heath
AIM: orange7288
 
1. You can go to and get a demo certificate free for 21 days.
2. I think I've got it as good as we can get it. You have two web sites. One with a certificate, one without. You have to create another IP address (in Network Neighborhood properties), and then you have to associate each web site to a different IP address. This works.
 
Hi;

First, you can simply install Certificate Services on one of your 2k machines and use it as your own internal CA (Cert. Authority) to issue as many certificates (of any type: web server, digital signature...) as you need. After installation it will be accessible through IE:
machinename\certsrv.

Second, if you do not check mark "require secure communication" on your website, which is not selected by default, you can access the same domain both with http:// and https:// by typing either one at the beginning of the address.
Hope it helps
 
Score1000,

Thanks a bunch, that is exactly what I was looking for. What I did in the meantime was to generate a self-signed cert using Cygwin, the Linux-on-Windows emulator (we're running NT 4.0 and do not have certificate services running). I wanted to play with it before generating the "real" cert. Then I applied it to my IP, then, since I thought you had to check "require secure communication" to get it to work, I did that on a subdirectory that only had the secure pages in it. This works but your solution is much easier in that you can mix secure and non-secure pages in the same directory at will.

BTW, for cheap certs @ $25 a pop go to (a Geotrust certificate). I have no affiliation with these guys, just got tired of paying $350 a year for a 40 bit when I can get 128 bit ones here for $25. Plus with Verisign's latest move adding the wildcards to the .com and .net main domains I thought why continue lining their pockets? The only caveat is that they only work with IE browsers above V5.01 and Netscape above V4.51. They say this is 90% of the browsers on the web. After looking at my logs I find in practice it's about 99.5% of our users. Anyone else can either access those pages non-securely or upgrade their browser.

Again, thanks so much,

Regards,
Ken
 
You're welcome;

Take a look at these pages, consider having a backup of the certificates you are to issue for your organization (if they are serious), it will save you time and effort.
Score




 
Score1000,

I do back up my certs both here and off site. I do realize how important they are.

I picked one up from rackshack.com (now Ev1servers.net) and while the $25 one does not have the linked image to verify the cert, if you double click on the padlock it shows the cert being valid and issued by Equifax (Geotrust). This is fine for our purposes and keeps the warning from popping up while accessing SSL pages. It also saves a bunch of money. From my conversations with everyday users, I don't think the typical user really understands the whole security certificate thing anyway. I really am beginning to question why we have been spending $350 a year on several certs. If the linked image is important they also have one for ~$150 that includes the link to their verification servers. The only way I'd consider that is if this were an enterprise going after an unlimited market. But we're not, we market to specific people who in most cases have already heard of us.

Hey, it's cheap and works for us! :)

Thanks again,
Ken
 
I've heard about Rackshack too, but I'm amazed: if there are such 128 bit certs available for almost nothing, how can companies like Verisign persuade people to spend 600-700 bucks for a server certificate?
Of course a Verisign Security Site Seal can be very eye-catching at the top of any website!
Are they really the same in the cryptographical infrastructure? We should get 2 server certs for our websites in the near future but I'm not convinced that a $25 thing can work like a $700 one! Am I wrong?
 
They work exactly the same from a technical standpoint! Amazed me too! :)

Security certificates.... what I knew:
1. Created using public/private keypairs (like PGP) between you and a "Trusted Root Certification Authority".
2. Applied to an IP address and bound to the domain name via the public key you send them which is encoded in the cert they send you.
3. The "Trusted Root Certification Authority" information is also included in the cert you receive from them.
4. Function, to encrypt communications to and from the client browser including server validation (session can not be hijacked because the certificate ensures you are still talking to the same server).

What I didn't know until recently:
I thought there were a few (3-5) Trusted Root Certification Authorities. Turns out there are several. What makes an entity a "Trusted Root Certification Authority"? Paying $ to Microsoft and/or Netscape to have their Trusted Root Certification Authority information included in the shipped browser. This is what keeps the certificate warning box from displaying when accessing an SSL page that has a cert from one of these entities. I was surprised how many entities I have selected to "implicitly trust". If you're using IE, go to Tools->Internet Options...->Content (tab) ->Certificates (button)->Trusted Root Certification Authority (tab). Wow! We sure do trust a lot of people by default, don't we? :) So... a certificate issued by any of these entities will ensure secure communications and prevent the warning from coming up. For that matter, if you had a captive audience for your site, i.e. you're an insurance company with a national sales force of agents who need secure access to a non-public area of your site, you could generate your own certificate and instruct the agents to add your cert to the Trusted Root Certification Authorities on their browser when the certificate warning came up. They would then have the exact same protection and not receive any further certificate warnings! Slick huh? You just saved your company $350-$700, not bad for a few minutes work.

Now the non-technical differences.
For the most part, it is how the issuing authority verifies you are who you say you are that differs. Verisign, who I used in the past, had us fax them our articles of incorporation along with signatures of company officers, etc. This is so they have a degree of certainty that we are who we say we are and that we have the right to do business on our domain. In return for our $350 per year (40-bit key), this is what we get along with a “Verisign seal” to post on our website that links back to their server with some information that our certificate is valid and issued to us. All well and good so long as someone actually clicks on it! Out of 20,000+ visitors to one site I manage, we’ve had three clicks on the seal (and I think two of those were me testing it! :)). Does the Verisign seal give our customers a "warm and fuzzy feeling"? Maybe. But my thoughts are that most people don’t even notice it. They may think it’s just another ad-link. In any case, if the "seal" is deemed important, one can be had from Geotrust for $150 (I think). Does the same exact thing. And they do more company verification (similar to Verisign) than with the $25 one which does not include any seal and little company verification. The process of getting the $25 cert is, apply online, pay with CC, answer a couple questions via an automated phone call from them, wait for an email (only sent to specific addresses within the domain or to contacts in the DNS record), click on a link in the email to authorize the cert. The cert is then emailed to the administrative contact and can be applied at will. This, along with an obvious Security Policy explaining the use of SSL, is the route I chose.

I guess the point I’m trying to make is that I don’t think the typical user understands the whole process enough to make purchase decisions based on the type of cert used. I have yet to hear anyone say "If there isn’t a Verisign seal on the page, I’m not going to enter my CC# or personal information." I do agree that sensitive information should be protected within an SSL session, but from the technical standpoint, a self-issued cert would be more than sufficient. The problem is the cert warning box which states that, while the cert is valid, it is not issued from a trusted source. (Only because we didn’t pay M$ and NC tons of money to have our certificate included in the browsers). So I choose to eliminate the real problem the most cost effective way possible, pay $25 to rackshack.net to get rid of the warning and educate the customers the best I can. I’ve always been of the mind that you build trust by successful transactions and giving the customer more than they expect, rather than by paying money to someone to vouch for you. :) After all, Verisign doesn't concern themselves with customer complaints of poor business practices regarding a company they have "verified" or threaten to revoke their certificate. At least not as long as they are getting their annual booty.

To see one of the $25 certs in action go to: (email me privately at kgoods@aia%insur1ance%.com) (remove the %’s and 1) if you want the link.

Double-click on the padlock in the lower right bottom of your browser. (This is a new site and is not live yet, I just started on it last Monday but it’s pretty much there.)

You will notice that the only intention of this cert is to Guarantee the identity of the remote computer. The $150 Geotrust cert and Verisign’s certs, have more information stating the company who the cert is issued to. But that information is available if you click on the details tab and select the subject. In the lower box you see the business registration link. If you copy and paste that into the browser it goes to checkpoint and shows the business that the cert is issued to. I know that most users will not know how to do this and I believe that the cert issuers like it that way. They get to charge more to put this information on the first tab! If I, on the other hand, had any doubt whether a company was legit, I would check the contact page vs. Thomas’s online register or the online phone directories before supplying CC information.

Sorry this is so long but this is my soapbox for the week because I really have a problem with the profit ratio some companies are making off secure certificates.

Hope that helps,
Regards,
Ken
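The trust behaviour discussed in the thread can be reproduced with the OpenSSL command line (the kind of tool Cygwin provides). This is an added example, not code posted by any participant: it generates a self-signed certificate, shows that verification fails against the default trust store, and shows that it succeeds once the same certificate is supplied as a trusted root. The host name `secure.example.test` and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example. The host name below is a constructed placeholder.
CN="secure.example.test"

# Prints three lines describing how a freshly generated self-signed
# certificate is judged by OpenSSL's verifier.
check_self_signed_trust() {
    dir=$(mktemp -d) || return 1

    # Key pair plus a certificate signed with its own private key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$CN" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || {
        rm -rf "$dir"; return 1; }

    # Self-signed means the issuer and subject names are identical.
    subj=$(openssl x509 -in "$dir/cert.pem" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$dir/cert.pem" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$issr" ]; then
        echo "self_issued=yes"
    else
        echo "self_issued=no"
    fi

    # 1) Default trust store: the certificate chains to no known root,
    #    which is what triggers the browser warning box.
    if openssl verify "$dir/cert.pem" >/dev/null 2>&1; then
        echo "default_store=trusted"
    else
        echo "default_store=untrusted"
    fi

    # 2) Same certificate explicitly supplied as a trusted root, the
    #    equivalent of a user importing it into the browser's root list.
    if openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1; then
        echo "own_root=trusted"
    else
        echo "own_root=untrusted"
    fi

    rm -rf "$dir"
}

check_self_signed_trust
```

The key and certificate bytes are the same in both checks; only the verifier's list of trusted roots changes, so anyone importing such a certificate should confirm its fingerprint through a separate channel first.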
 