Re: Rdp over ssl

[Greg Rubin <grrubin () gmail com>]

Actually, there is sometimes a way for people to review and validate
self-signed certificates. If you can provide the user the
certificate's thumbprint/hash and trust the user to validate it (a
very high difficulty in implementation and use) then the user can
trust the certificate's authenticity.

That said, there is usually a better way of doing this.

Greg

On Apr 16, 2012, at 7:43 AM, Thugzclub Thugzclub
<thugzclub () googlemail com> wrote:

> using self signed certificate  does not provide any authentication
> guarantees to the user that is connecting to the system. Reason being
> that the user has not strong way of validating that the contents of
> the certificates have not been changed or generated by another user.
> Consequently they have not assurance of the identity of the system
> that they are connecting to...The same applies even if they are
> reviewing the contents of the certificate...
>
>
> It should only be advised in low risk environment such as a
> local/intranet environment. Its not advisable for external systems.
>
> On 13 April 2012 12:47, _ <packetnull () gmail com> wrote:
> > and to add your goal on setting up a * ssl (from my understanding looks like you want a wildcard ssl) is a bad idea 
> > as well because it defeats the purpose of validating that a specific cert is owned by a specific server
> >
> > On Apr 9, 2012, at 9:11 PM, Stephanus J Alex Taidri <securityfocus.ae () taidri com> wrote:
> >
> > > Hi Robert,
> > >
> > > The problem with self-signed-certificate is you really need to educate
> > > the users and ensure they always check for the certificate issuer,
> > > expiry, other parameters, etc before accepting the sessions.
> > >
> > > As we know... most users don't bother and just click Accept.
> > >
> > > That's mean, if the hijacker using MITM attack able to intercept your
> > > traffic (which is easy if this is traverse the internet) and present
> > > their own self-signed-certificate, most users do not aware and will
> > > still Accept the connection, thus being hijacked.
> > >
> > > Therefore it's imperative to implement a valid certificate either for
> > > public CA or private CA as long as the chain can be validate back and
> > > user's browser able to validate the authenticity of the certificate.
> > >
> > > Kind regards,
> > > SJ Alex Taidri
> > >
> > > On Fri, Apr 6, 2012 at 7:21 AM, Robert Smith <robert.smith2929 () gmail com> wrote:
> > > > Hello all,
> > > >
> > > > I would like to know what are all security risk if i set rdp over ssl with a selfsigned certificat .
> > > >
> > > > One example, is it possible that the certificate become corrupted ? What are the impacts ? DoEs exists some 
> > > > recovery solution ?
> > > >
> > > > Man in the middle , is it yet possible ?
> > > >
> > > > My principal problem is to deploy a certificate signed by our ca on all our servers ?
> > > >
> > > > À certificate with * character resolve my problem ?
> > > > ------------------------------------------------------------------------
> > > > Securing Apache Web Server with thawte Digital Certificate
> > > > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > > > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > > > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > > > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > > > certificates.
> > > >
> > > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > > ------------------------------------------------------------------------
> > >
> > > ------------------------------------------------------------------------
> > > Securing Apache Web Server with thawte Digital Certificate
> > > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > > certificates.
> > >
> > > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > Securing Apache Web Server with thawte Digital Certificate
> > In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> > how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> > purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> > set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> > certificates.
> >
> > http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------