Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: wildcard SSL, is this a bad thing?

From: Aarón Mizrachi <unmanarc () gmail com>
Date: Thu, 30 Apr 2009 03:23:34 -0430
On Miércoles 29 Abril 2009 17:26:48 robsonde () gmail com escribió:

what have gone for is to re-work our c-name's and then make more restricted
certs.

so svr1.intranet.company.com becomes 1.svr.intranet.company.com
then we make a cert for *.svr.intranet.company.com
we only have the 4 servers in the svr.intranet.company.com

should the cert's get hacked/obtained we only have 4 servers that match on
domain name.


You must evaluate your choice. 

only you understand your security and diferences between your servers... if 
there is a large breach between security from server 1 to 4, you can choice 
not to use wildcards, assume risks, or secure weak servers.

good luck


On Apr 30, 2009 3:31am, Aarón Mizrachi <unmanarc () gmail com> wrote:

On Jueves 16 Abril 2009 19:52:30 robsonde () gmail com escribió:

do wildcard SSL cert's have a bigger security risk?



we are building 4 new servers for our internal intranet staff
directory.

we will have a c-name for each server.



this way we can point any c-name at any server for DR and maintance

outages.



the old system was to have an SSL cert for each server.

svr1.intranet.company.com

svr2.intranet.company.com

svr3.intranet.company.com

svr4.intranet.company.com



problem is that if we re-point a c-name we will get a SSL cert


mis-match.


my plan is to make each server use a wildcard SSL cert of

*.intranet.company.com I know my solution will solve the problem but is


it


a security risk? is this a bad thing?



what security risks am I opening up?


Not so good. i think that is a medium level security hazard.



\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
/\/\/\/\/\/\/\/\/\/\/\/\/\>

why?

what is the real security risk there?



have the same certificate used on a couple sites increase their
probability to

be hacked/obtained, and... then, could involve revoke the certificate on
all

servers.



If you have a weak server "A" used on "non-important" applications (Call
it

weak.intranet.lan), and strong server "B" used on "very-important"
operations

(Call it strong.intranet.lan), then, the SSL security will be strong as
the

weak server.



Then, "strong.intranet.lan" crypto security could be compromised if a
non-

important server "weak.intranet.lan" are compromised. (Supposing scheme
of

wildcard: *.intranet.lan).



If the servers are copycats, then, the impact are less so.



-------------------------------------------------------------------------
-------------------



What i recommend (a temporary solution)?



Unless the servers are copies, or the domains are managed on the same
server,

(or something similar), you can use multiples ip's by interface, then,
dont

use CNAMES, only A records.



Internally on the server, redirect both ip's with two distinct
certificates

according to the A record to the same application/website/whatever.



This is a partial tmp solution.


thanks



-----------------------------------------------------------------------
-

This list is sponsored by: InfoSec Institute



Find the source of cybercrime! Almost every crime today involves a


computer


or mobile device. Learn how to become a Computer Forensics Examiner in

InfoSec Institute's hands-on Computer Forensics Course. Up to three

industry recognized certs available, online computer forensics training

available.



http://www.infosecinstitute.com/courses/computer_forensics_training.htm
l

-----------------------------------------------------------------------
-




------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: