Topic 'Changes coming for SSL certs- Exchange issue' in forum 'No, I Will Not Fix Your #@$!! Computer' - dslreports.com

Re: Changes coming for SSL certs- Exchange issue

Mon, 01 Apr 2013 10:00:57 EDT

DarkLogix posted : You could also add in some of the e-mail security that yahoo, ebay, and good have.

I don't remember the name of the tech but it basically stores a public key in DNS and uses a private key to sign all outgoing e-mail.

then any e-mail claimed to be from the given domain (ie google, yahoo, or ebay) can be verified by checking with the key in the DNS record.

Combine that with SRP and you can be sure that no one will be able to spoof you.
--
»www.change.org/petitions/create-···imcity-4

Re: Changes coming for SSL certs- Exchange issue

Mon, 01 Apr 2013 08:21:49 EDT

ke4pym posted :

said by IamGimli:

said by ke4pym:

You apparently haven't been keeping up on all the rage in IT these days that is BYOD.

...and you apparently haven't been keeping up with the security risks that represents, which are much greater than unencrypted email on a closed network.

You do realize that all those emails are going out to the destination on the Internet unencrypted, right?

Being that I work for a healthcare facility, I am *KEEEEEEENLY* aware of the security risks. However, this isn't something that's my call. BYOD and the consumerization of IT is an industry thing that is impacting all IT departments now, and one my employer is embracing.

There are plenty of technologies out there (some of which we deploy) that will mitigate most, if not all of the risks of a BYOD on a corporate network. Personal responsibility and liability set by laws/rules such as HIPAA are also pretty good deterrents that help fill in the gaps.

As for "all those emails" - they're not necessarily going out to the internet unencrypted. We have a system that intercepts emails and if it finds certain information, it will divert that email from an unencrypted state to our protected email system which uses SSL. It also isn't shy about grabbing to many emails rather than not enough.

Re: Changes coming for SSL certs- Exchange issue

Sun, 31 Mar 2013 18:25:25 EDT

IamGimli posted :

said by ke4pym:

You apparently haven't been keeping up on all the rage in IT these days that is BYOD.

Re: Changes coming for SSL certs- Exchange issue

Sun, 31 Mar 2013 10:48:30 EDT

ke4pym posted :

said by IamGimli:

said by ke4pym:

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

Sure, doing this or setting up your own internal CA is all fun and games until someone brings in their own device. Then who's the poor soul that has to load the root cert on their device? And keep up with updating it after it expires (short of making it a 100 year cert).

If you let people plug in their own devices to your network you might as well not use certificates at all.

You apparently haven't been keeping up on all the rage in IT these days that is BYOD.

And regardless of who's using your network, you better be encrypting the sensitive data. And while you're at it, you better make sure you're configuring your server's SSL settings correctly.

Using ".local" as a name is a foreign concept to me. Our internal name matches our external name. So, it's no big thing for us to just get a wildcard cert and be done with it (aside from tracking where that cert has been installed).

Re: Changes coming for SSL certs- Exchange issue

Fri, 29 Mar 2013 13:03:24 EDT

demir posted : Setting up a CA isn't a big deal, even for a single person, let alone a company. You could do it in 5 minutes and start generating your own certs, whether you are a single person, small, medium or large company.

If you've never gone through the exercise or thought about managing your own certificates, maybe it's a good time to start.

»www.freebsdmadeeasy.com/tutorial···nssl.php

Re: Changes coming for SSL certs- Exchange issue

Thu, 28 Mar 2013 21:09:49 EDT

lorennerol posted :

said by demir:

said by IamGimli:

Setup your own internal CA for your internal requirements. Pretty simple and a lot less expensive than paying a third party for all your internal certificate needs.

This.

Once company with an IT department and 20 sites, yes, this is simpler.

One IT consultant with 50 clients, 50 email servers, etc. This is NOT easier, or more cost effective.

Re: Changes coming for SSL certs- Exchange issue

Thu, 28 Mar 2013 19:01:38 EDT

demir posted :

said by IamGimli:

Setup your own internal CA for your internal requirements. Pretty simple and a lot less expensive than paying a third party for all your internal certificate needs.

This.

Re: Changes coming for SSL certs- Exchange issue

Wed, 27 Mar 2013 14:31:31 EDT

IamGimli posted :

said by ke4pym:

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

If you let people plug in their own devices to your network you might as well not use certificates at all.

Re: Changes coming for SSL certs- Exchange issue

Mon, 18 Mar 2013 13:56:35 EDT

DarkLogix posted :

said by lorennerol:

said by ke4pym:

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

That. Not to mention users who want to sync their home computer to corporate email, something quite common in the SMB segment.

The easy fix would be to not sell the .local tld.

Use outlook anywhere and never let that computer be on the internal network.

And ya the .local should be reserved indefinitely just like the 10.x.x.x/8 range

What we have is any public facing address gets a cert from a real CA and all internal ones get one from the internal CA.

Also with an internal CA you can set the lifetime to something very long so the CA's cert won't expire for a very long time, as well as make a self applying exe for the CA certs.
--
»www.change.org/petitions/create-···imcity-4

Re: Changes coming for SSL certs- Exchange issue

Mon, 18 Mar 2013 13:53:07 EDT

DarkLogix posted : Well frankly why put a publicly signed cert on an internal host?

IMO do OWA.public-domain.com, and internal-server-name.domain.local

use a public cert on the public address and a internally signed cert on the internal address

then sort out the rest of the details
--
»www.change.org/petitions/create-···imcity-4

Re: Changes coming for SSL certs- Exchange issue

Mon, 18 Mar 2013 12:58:23 EDT

lorennerol posted :

said by ke4pym:

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

That. Not to mention users who want to sync their home computer to corporate email, something quite common in the SMB segment.

The easy fix would be to not sell the .local tld.

Re: Changes coming for SSL certs- Exchange issue

Mon, 18 Mar 2013 12:47:39 EDT

ke4pym posted :

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

Re: Changes coming for SSL certs- Exchange issue

Wed, 13 Mar 2013 16:31:29 EDT

IamGimli posted : Setup your own internal CA for your internal requirements. Pretty simple and a lot less expensive than paying a third party for all your internal certificate needs.

Re: Changes coming for SSL certs- Exchange issue

Wed, 13 Mar 2013 15:35:13 EDT

kontos posted : This makes sense once you consider that rules on Top Level Domains have been relaxed. In the future domain.local could get registered to a company/person that is not you. If they were to issue a distant expiration certificate for that domain to Ira Hacker today, he could wreak havoc in a few years if that name comes into use on the public 'Net.

Re: Changes coming for SSL certs- Exchange issue

Sat, 02 Feb 2013 07:39:41 EDT

AsherN posted : Split DNS and point Outlook to the public name.

Re: Changes coming for SSL certs- Exchange issue

Fri, 01 Feb 2013 21:03:22 EDT

exocet_cm posted : Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

Re: Changes coming for SSL certs- Exchange issue

Fri, 01 Feb 2013 19:24:19 EDT

drew posted :

said by lorennerol:

Has anyone else run into this or even heard of it?

Not until you mentioned this thread and I typed "ssl certificate domain name rules" into Dr. Internet

»exchangeserverpro.com/ssl-requir···tificate

quote:
The CA/Browser Forum, a collaborative effort between Certificate Authorities (companies like DigiCert that issue certificates) and Web Browsers (companies like Mozilla or Microsoft that manage trust on a CA level), has introduced new Baseline Requirements for certificate issuance.

As part of these new requirements, Certificate Authorities must phase out the issuance of certificates issued to either Internal Server Names or a Reserved IP Address by October 2016. Specifically, CAs cannot issue certificates to these internal names with expiration dates after November 1, 2015…

Essentially, this change in SSL standards will make it impossible to obtain a publicly trusted certificate for any host name that cannot be externally verified as owned by the organization that is requesting the certificate.

--
flickr | 'Cause I've been waiting, all my life just waiting
For you to shine, shine your light on me

Changes coming for SSL certs- Exchange issue

Fri, 01 Feb 2013 17:03:46 EDT

lorennerol posted : A cert provider we use is telling us that they cannot issue certs for host names like "Exchange" or "Exchange.domain.local" that are effective past November 2015.

Without some contortion, Outlook clients talk to Exchange using the internal host name, and it complains about a cert mismatch.

Has anyone else run into this or even heard of it?