NetTalk Central

Author Topic: How Do I Address This Issue With SSL Certificates?  (Read 2498 times)

Rob Mikkelsen

How Do I Address This Issue With SSL Certificates?
« on: March 03, 2009, 07:35:50 PM »
Slightly off topic and may be better fodder for the newsgroup, but I will give it a shot here...

I have about 65 copies of a NTWS program running at various locations around the country which do not share even similar IP addresses.  I have been told that I need to secure them with SSL certificates and encrypt all data to/from those computers.

I have just applied for a URL for the main server.  Is there any way with NetTalk that I can bring all these sites under the one URL?  If not, what type of certificates (wildcard, subdomain, etc) would I need and how many would it take to secure all these systems?

As you can see, I am a neophyte regarding SSL so any information you would provide would be most helpful.

Thanks!

Rob

Bruce

Re: How Do I Address This Issue With SSL Certificates?
« Reply #1 on: March 03, 2009, 10:57:43 PM »
Hi Rob,

Are all the servers available on the internet? Are they on fixed IP addresses?

I'm thinking that what you need is a wild-card certificate. And a domain. So let's say you get a certificate for *.rob.com; then each of your 65 servers needs a unique name. For example
jfk.rob.com
atl.rob.com
and so on.
You can use any first-part you like, but I'm guessing the airport code, or city, or whatever is a good place to start.

Then in your domain management (via godaddy or zoneedit or whatever) you assign the correct IP address to each name.
In the browser, to connect to the server, you would use
https://jfk.rob.com

You could use the www one for the "main" server if you like.

Cheers
Bruce


Rob Mikkelsen

Re: How Do I Address This Issue With SSL Certificates?
« Reply #2 on: April 01, 2009, 05:20:22 PM »
I think a wildcard certificate would do it as well.  I spoke with Verisign today to get a price quote and, judging by the conversation, I will not be happy with the number.  They talked at great length about how difficult it would be to manage the wildcards.  In my opinion, it is a simple "set and forget" issue (except for the renewals).

I checked the price of a wildcard certificate with Comodo (who, btw, advertises their prices unlike Verisign) and calculated that to cover the 160 sites with the wildcards on approximately 70 servers would cost about $850/year.

Unfortunately, the sites are not on the internet, but the FAA's intranet which is not visible from the outside.  They also would not let me manage my own site names although I had set up a name server for that specific purpose.  To make changes will require a couple days' notice whereas today we had to move 8 sites to a different location (and IP) due to computer issues.

I will let you know how the negotiations with Verisign go.

Rob

Bruce

Re: How Do I Address This Issue With SSL Certificates?
« Reply #3 on: April 01, 2009, 09:10:57 PM »
Hi Rob,

>> To make changes will require a couple days' notice whereas today we had to move 8 sites to a different location (and IP) due to computer issues.

One of the goals of SSL is to prevent the site being "hijacked". In other words you know the server you're pointing to is the "real server". This by definition means some name-to-IP scheme, with associated name-to-IP resolution & management (i.e. DNS).

The speed with which you can move the server from one box to another is directly related to your ability to change the DNS values.

You say the servers are on an intranet - but you didn't note if the _clients_ can access the internet. I.e. if your DNS settings are in normal internet servers, can the client get to them? If so then you would just put the names there, and set the IP to an _internal_ IP address. Only your clients would have access to those IPs, so exposing the DNS entry won't expose the app itself.

Now theoretically it can take time for a DNS change to propagate, but in practice it's pretty quick. Especially if all the clients add the DNS server you are using to their list of DNS servers.

Alternatively you don't use DNS at all. Rather you set the IP address, to match the name, in the users' HOSTS file. This would take more management I think (actually it sounds like a separate program running on their machine, which gets the mapping from a central server you maintain, would be required for it to be practical).

Or, as you say, you have an internal DNS server which only serves these names, and you add this DNS server to the list of DNS servers used by all the client machines. Actually on a large intranet I'm surprised they don't do this already...

Cheers
Bruce
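Two points in Bruce's replies above are easy to get wrong in practice: a wildcard certificate for *.rob.com only covers names exactly one label below rob.com (so rob.com itself and a.jfk.rob.com would fail browser validation), and the HOSTS-file fallback needs a central name-to-IP mapping pushed to each client. The script below is an added example, not code from this thread or from NetTalk; the site names follow Bruce's airport-code scheme and the IP addresses are constructed.

```python
import ipaddress
import re

# Constructed sample of the central name -> IP mapping Bruce describes
# (airport-code names from the thread; the addresses are made up).
SITE_MAP = {
    "jfk.rob.com": "10.20.1.5",
    "atl.rob.com": "10.20.2.5",
    "www.rob.com": "10.20.0.1",
}

# A single DNS label: letters, digits and hyphens, 1-63 chars, no edge hyphens.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def wildcard_covers(cert_name: str, hostname: str) -> bool:
    """True if a certificate issued for cert_name (e.g. '*.rob.com') is valid
    for hostname. Per RFC 6125 the '*' matches exactly one DNS label, so
    'rob.com' and 'a.jfk.rob.com' are NOT covered by '*.rob.com'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname          # plain (non-wildcard) name
    suffix = cert_name[2:]                    # 'rob.com'
    labels = hostname.split(".")
    if len(labels) != suffix.count(".") + 2:  # exactly one extra label
        return False
    return hostname.endswith("." + suffix) and bool(LABEL_RE.match(labels[0]))


def uncovered_sites(cert_name: str, site_map: dict) -> list:
    """Names in site_map that the wildcard certificate would NOT secure."""
    return [name for name in site_map if not wildcard_covers(cert_name, name)]


def hosts_entries(site_map: dict) -> list:
    """Render the mapping as HOSTS-file lines (Bruce's no-DNS fallback).
    A malformed address raises ValueError so a bad push is caught centrally."""
    lines = []
    for name, ip in sorted(site_map.items()):
        ipaddress.ip_address(ip)
        lines.append(f"{ip}\t{name}")
    return lines


if __name__ == "__main__":
    print("not covered by *.rob.com:", uncovered_sites("*.rob.com", SITE_MAP))
    print("\n".join(hosts_entries(SITE_MAP)))
```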

Rob Mikkelsen

Re: How Do I Address This Issue With SSL Certificates?
« Reply #4 on: April 02, 2009, 08:31:17 AM »
>> One of the goals of SSL is to prevent the site being "hijacked". In other words you know the server you're pointing to is the "real server".

The FAA IT folks have decided that it is better to trade convenience for security.  They almost blew a gasket when I set up my own nameserver and asked them to add me to set up a countops.faa.gov zone!  Whereas it normally takes a couple days to get a response, I received a phone call not more than 10 minutes after sending the request for a nameserver link to the national service center.

The DNS names are intranet only.  It is not possible to see them from the outside without establishing VPN connectivity.  That in itself excludes about 99.99862% of likely hackers.  It would be great to be able to access the name server and change IPs - it would only take minutes to make a change and the user would never know.  However, it simply cannot be done in this setup.

Now, the management of the URLs is out of my hands.  I should file a request to move the eight sites just to see how long it would take them to comply.

In their defense, as I was finishing up the security assessment for my sites, one of the FAA's computers was hacked and my personal information was compromised, so I can understand their concerns.  Oh well - at least I got a free year of credit monitoring! <g>

Rob