/var/ssl-ca

Obviously, certificates are not the magic bullet for everything. They can simplify some things, but they also carry a few risks when not used properly. One of these risks is, as mentioned before, the "man-in-the-middle attack": someone poses as the other side, reads your traffic, and then passes it on to the actual other side. This attack is difficult to pull off successfully, but it is known to happen.
However, the risk is very small, and the benefit of encrypting your sensitive traffic securely outweighs the risk of an M-i-t-m attack. Furthermore, this attack can be prevented by implementing a few things, therefore eliminating the risk almost completely.
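The "few things" that shut the impostor out are, on the client side, trusting only your own CA and checking that the certificate was issued for the host you asked for. The script below is an added example (not from this post or its series): it builds a throwaway CA with the openssl command line, issues a server certificate, and shows that a certificate for the same host name from a different CA, or a certificate for a different host name, is rejected. The CA names, the host names and the mktemp work directory are all made up for the demo.

```shell
#!/bin/sh
# Added example: a tiny private CA, used to show what a client must check so that
# someone "posing as the other side" is rejected. Names and paths are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA (key + certificate) under $WORK/$1.
make_ca() {
    mkdir -p "$WORK/$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.crt" 2>/dev/null
}

# Issue a server certificate for host $2, signed by CA $1, as $WORK/$1/$2.crt.
# The subjectAltName is what a client compares against the name it connected to.
issue_cert() {
    ca="$WORK/$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$ca/$host.key" -out "$ca/$host.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$ca/$host.ext"
    openssl x509 -req -days 365 -in "$ca/$host.csr" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -extfile "$ca/$host.ext" -out "$ca/$host.crt" 2>/dev/null
}

# What a properly configured client does: the chain must end at OUR CA ($1) only
# (-no-CApath keeps the system store out of it) and the certificate ($2) must be
# for the host we asked for ($3). Prints OK/FAIL and returns 0/1.
client_check() {
    if openssl verify -CAfile "$WORK/$1/ca.crt" -no-CApath \
            -verify_hostname "$3" "$WORK/$2" >/dev/null 2>&1
    then echo "OK   $2 as $3"; return 0
    else echo "FAIL $2 as $3"; return 1
    fi
}

make_ca ourca
make_ca rogueca                            # the would-be middleman runs a CA of their own
issue_cert ourca mail.example.internal
issue_cert rogueca mail.example.internal   # same host name, wrong issuer

client_check ourca ourca/mail.example.internal.crt mail.example.internal              # OK
client_check ourca rogueca/mail.example.internal.crt mail.example.internal || true    # FAIL: untrusted issuer
client_check ourca ourca/mail.example.internal.crt www.example.internal || true       # FAIL: name mismatch
```

The same two checks are what a real client (browser, mail client, VPN peer) must be configured to perform against the CA certificate you hand out; a client that skips either one is where the M-i-t-m risk comes back.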

The services that you can certify are services that require sessions, or "closed data streams". This means that only TCP sessions, and therefore only services running over TCP, can be "certified". To identify which services in your organization can be certified, check the following list of the most common ones and when they should be certified.

  • Web services: when sensitive data is transmitted
  • Email services: when email is accessed from outside your network over the internet
  • Authentication: when possible, since it allows the users to have ONE authentication token for many services
  • VPN: if you want remote access to your network that is easy to implement and still very secure, or if you want to let other partners access network resources securely

These services are quite "easily" certifiable and, once certified, very secure for data transmission. In this paper we will go through the process of doing all of them; however, the paper is modular, so you can select which one you want to certify and just read that piece, as mentioned before.
To use a certificate for authentication the user obviously still needs to enter a password, but this is ONE password, not many for different services. Having certificates generally makes life easier for the users without really compromising security.

//Flosse

Click here if you want to see the full index and brief of the OpenSSL for everything “project”

PS: I found pretty good posts about SSL CAs here and here, but the second one is already on the scripting and technical side, whereas the first one is actually quite elaborate and has a lot of other details.
