Security Basics mailing list archives
Re: wildcard SSL, is this a bad thing?
From: "kalgecin () gmail com" <kalgecin () gmail com>
Date: Mon, 20 Apr 2009 22:04:19 +0300
hmmm.... could be bad if the attacker is on the same intranet. for example, a local employee connects and registers a name such as att.company.com. your certs use *.company.com. the attacker will be in position to exploit.

On 4/17/09, robsonde () gmail com <robsonde () gmail com> wrote:
> do wildcard SSL certs have a bigger security risk?
>
> we are building 4 new servers for our internal intranet staff directory. we will have a c-name for each server. this way we can point any c-name at any server for DR and maintenance outages.
>
> the old system was to have an SSL cert for each server.
> svr1.intranet.company.com
> svr2.intranet.company.com
> svr3.intranet.company.com
> svr4.intranet.company.com
>
> problem is that if we re-point a c-name we will get an SSL cert mis-match.
>
> my plan is to make each server use a wildcard SSL cert of *.intranet.company.com
>
> I know my solution will solve the problem but is it a security risk? is this a bad thing? what security risks am I opening up?
>
> thanks
--
Sent from Gmail for mobile | mobile.google.com

Kalgecin
http://kalgecin.110mb.com
http://kalgecin.blogspot.com
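
An added example, not part of any message in this thread: a simplified form of the left-most-label wildcard matching that TLS clients apply (RFC 6125), comparing the proposed wildcard certificate with a single certificate that lists the four server names as subject alternative names. The function names and the `att`, `a.b` and bare-zone test names are constructed for illustration.

```python
# Added example: simplified RFC 6125-style DNS name matching.
# All host names below are constructed from the names used in the thread.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name (optionally '*.x.y') covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard stands for exactly one left-most label, and a
        # pattern as broad as '*.com' is refused outright.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(san_list, hostname: str) -> bool:
    """True if any DNS name in the certificate covers hostname."""
    return any(name_matches(p, hostname) for p in san_list)


def coverage(san_list, hostnames):
    """Map each requested host name to whether the certificate validates for it."""
    return {h: cert_covers(san_list, h) for h in hostnames}


# The wildcard certificate proposed in the question.
WILDCARD_CERT = ["*.intranet.company.com"]
# Alternative: one certificate naming only the four servers.
SAN_CERT = ["svr%d.intranet.company.com" % i for i in range(1, 5)]

HOSTS = [
    "svr1.intranet.company.com",
    "svr4.intranet.company.com",
    "att.intranet.company.com",   # constructed: an unplanned name in the zone
    "a.b.intranet.company.com",   # two labels deep: the wildcard does not reach
    "intranet.company.com",       # bare zone name: the wildcard does not match
]

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("SAN list", SAN_CERT)):
        print(label)
        for host, ok in coverage(cert, HOSTS).items():
            print("  %-28s %s" % (host, "valid" if ok else "mismatch"))
```

The client compares the certificate with the name it was asked to connect to (the c-name), not with the name the alias resolves to, so the same multi-name certificate can be installed on all four servers and survives re-pointing, while validating only for the listed names.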