Full Disclosure mailing list archives
Re: SSL VPNs and security
From: Tim <tim-security () sentinelchicken org>
Date: Fri, 9 Jun 2006 14:55:53 -0400
> Sure, it's trivial to create self-signed certs (or run a CA), but distributing your cert (or the CA cert) to all but a handful of clients is a logistical nightmare.
For company managed laptops, it is trivial to distribute via normal software distribution processes. For non-managed systems (which you shouldn't allow into your network via a VPN anyway), installing a CA cert is as simple as clicking on a link ONCE, and installing the cert. This cert can be distributed over a VeriSign secured SSL connection. Then when the website presents a page, it can dynamically sign certs for each domain. This stuff isn't really that hard. The tools that the industry has provided users just suck, that's all.
> If you're going to be installing stuff, might as well make that an IKE/IPSEC client and do it the right way to begin with.
Well, I don't disagree with this one, but so many people who complain about certificate distribution have not thought through the ways it can happen. Even with a real VPN, you really should be using client certs anyway, which present the same distribution problems. These problems aren't made any easier by using a "trustyworthy" CA which charges you. The software you use is the biggest contributor to management headaches.

tim
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/