Educause Security Discussion mailing list archives

Re: SSL certificate purchasing

From: "Judd, Taylor Allen" <tjudd () ILLINOIS EDU>
Date: Thu, 13 Nov 2014 18:38:27 +0000

A few concerns with using wildcard certs at scale:

  1.  Private key for cert stored on multiple servers. One host compromised all hosts using this cert are now 
compromised. You may save money in buying the cert but consider the operational costs of replacing them all in the 
event of a compromise.
  2.  Makes it much easier to create spoofs or honeypots. Again compromise host I can now use your SSL cert to mimic 
your site much easier as I’m not tied to a single domain.

If you are good with these additional risk than they may be worth it, but it’s why I personally avoid using them.

Taylor

From: <Maloney>, Michael <mmaloney () MIDDLESEXCC EDU<mailto:mmaloney () MIDDLESEXCC EDU>>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>>
Date: Thursday, November 13, 2014 at 12:27 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] SSL certificate purchasing

We use Digicert for our wildcards.  They have a utility that scans your network and will tell you where it finds the 
cert in use at.



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Thursday, November 13, 2014 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SSL certificate purchasing

We’ve considered that. How do you keep up with everywhere it’s used when time to renew?

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
[AusColl_Logo_Email]

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike 
Cunningham
Sent: Thursday, November 13, 2014 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SSL certificate purchasing

We get a wildcard cert from COMODO that we can put on as many servers as needed for one price. We can use any *.pct.edu 
name with one cert

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Thomas 
Carter
Sent: Thursday, November 13, 2014 12:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] SSL certificate purchasing

We don’t have enough SSL certs around to qualify for one of the “get as many as you want for one price” deals, but the 
costs do seem high for non-essential sites. Has anyone used a reseller for cheaper prices like namecheap of GoGetSSL? 
They offer the basic Thawte SSL123 certs for $35 a year, which is considerably cheaper than the $149 Thawte lists.

Thomas Carter
Network and Operations Manager
Austin College
903-813-2564
[AusColl_Logo_Email]

Current thread:

Re: SSL certificate purchasing, (continued)
- - - Re: SSL certificate purchasing Mike Cunningham (Nov 13)
    - Re: SSL certificate purchasing David Lundy (Nov 13)
    - Re: SSL certificate purchasing Roger A Safian (Nov 13)
    - Re: SSL certificate purchasing Baumgartner, Mark A. (Nov 13)
    - Re: SSL certificate purchasing David Lundy (Nov 13)
    - Re: SSL certificate purchasing Maloney, Michael (Nov 13)
    - Re: SSL certificate purchasing Glassman, Stephen (Nov 13)
    - Re: SSL certificate purchasing Mark Montague (Nov 13)
    - Re: SSL certificate purchasing Nick Semenkovich (Nov 13)
- Re: SSL certificate purchasing King, Ronald A. (Nov 13)
- Re: SSL certificate purchasing Judd, Taylor Allen (Nov 13)