Re: [Full-disclosure] SSL VPNs and security

From: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 9 Jun 2006 14:55:53 -0400

Sure, it's trivial to create self-signed certs (or run a CA), but
distributing your cert (or the CA cert) to all but a handful of clients
is a logistical nightmare.

For company managed laptops, it is trivial to distribute via normal
software distribution processes. For non-managed systems (which you
shouldn't allow into your network via a VPN anyway), installing a CA
cert is as simple as clicking on a link ONCE, and installing the cert.
This cert can be distributed over a VeriSign secured SSL connection.
Then when the website presents a page, it can dynamically sign certs for
each domain. This stuff isn't really that hard. The tools that the
industry has provided users just suck, that's all.

If you're going to be installing stuff, might as well make that a
IKE/IPSEC client and do it the right way to begin with.

Well, I don't disagree with this one, but so many people who complain
about certificate distribution have not thought through the ways it can
happen. Even with a real VPN, you really should be using client certs
anyway, which present the same distribution problems. These problems
aren't made any easier by using a "trustyworthy" CA which charges you.
The software you use is the biggest contributor to management headaches.

tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] SSL VPNs and security
  - From: Brian Eaton

References:
- [Full-disclosure] SSL VPNs and security
  - From: Michal Zalewski
- Re: [Full-disclosure] SSL VPNs and security
  - From: Tim
- Re: [Full-disclosure] SSL VPNs and security
  - From: Michael Holstein
- Re: [Full-disclosure] SSL VPNs and security
  - From: Tim
- Re: [Full-disclosure] SSL VPNs and security
  - From: Michael Holstein

Prev by Date: Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
Next by Date: Re: [Full-disclosure] Re: blocking tor is not the right way forward. It may just be the right way backward.
Previous by thread: Re: [Full-disclosure] SSL VPNs and security
Next by thread: Re: [Full-disclosure] SSL VPNs and security
Index(es):
- Date
- Thread

Relevant Pages

Re: IIS website - only allow users with client cert from our CA. P
... Rootyou wish to permit certificates issued from for access to your site. ... our CA's client cert? ... I only have a server certificate from our CA ...
(microsoft.public.inetserver.iis.security)
Re: IIS website - only allow users with client cert from our CA. Possi
... > Why does IIS allow me to see my website when it doesn't have ... > our CA's client cert? ... I only have a server certificate from our CA ...
(microsoft.public.inetserver.iis.security)
RE: Certificate logon on Unix
... I don't know of any package but there is prolly one out there you should ... The good news is that getting fulle client ... and server side authentication is pretty easy so it will work as a quick ... setup your CA and make the root cert Pbk available to everyone. ...
(Security-Basics)
Re: Radius Server
... > so I'm guessing the client needs the Server Certificate, ... > export it from the server and import it to the client. ... >> But if you deployed EAP-TLS, you need a server cert and a client ...
(microsoft.public.windows.server.networking)
Re: EAP-TLS / Radius & AD
... I'm especially interested in the part "IAS authenticating the client by ... >> What checks must the authentication server perform against AD to be ... > the cert, ...
(microsoft.public.internet.radius)