Having a business that expands to multiple markets, also means purchasing domain names, advertising and phone numbers. Having multiple phone numbers and especially international phone numbers, thru the regular phone pusher is something that can quickly become hugely expensive. So when asked by a not for profit organization, how they could have multiple international phone numbers for their customers to contact them, I started looking thru the different SIP providers.
After quite a lot of research and some testing. I found LocalPhone that offers SIP services for international lines and numbers at a low cost. They of course offer all the usual services, such as a SIP connection to receive calls directly, SIP trunks, SIP international calls dirt cheap, redirects, voicemail and so on.
So how do you get more than one number on your regular phone line without the whole SIP thingy ? Read the rest of this entry »
Boost your internal PKI/Microsoft CA security with FREE green Extended Validation SSL in 15 minutes or close your eyes until 2016!
One of the new CAB Forum baseline requirements is that all SSL certificate issuers are to stop issuing SSL certificates with internal host names and IP addresses. Currently it is possible to get internal host names in public certificates until 2016, but after 1. July it will be shortened to 2015. But keep reading and you will remove this threat today, instead of waiting to 2015-2016.
Normal usage of SSL certificates
Most companies with a medium to large infrastructure, use an internal PKI solution like Microsoft Certification Authority for identity and encryption on internal workstations and accounts. They will also use internal CA to issue certificates for server systems that are only accessed by internal computers where Root CA trust can be controlled automatically thru GPO or similar.
But external facing websites and server systems use public external CA issued SSL certificates, to ensure trust by all units including mobile units and external computers.
(did you see the padlock in the above image?)
Example of attack
It makes sense to prevent easy attacks on the identity part of SSL security for internal systems. Any internal website would be easy to replace with a fake site or do a man in the middle attack with a real external publically trusted SSL certificate that includes the internal host names. Example: an internal password management portal on https://mypassword.abc-organization.local. The intruder gets a certificate issued to www.notyours.dk including a SAN name “mypassword.abc-organization.local”. It would be easy for the intruder to setup a fake website to harvest passwords with a real SSL certificate that all clients would trust equally to their internally issued SSL certificate on the existing system. Clients would see the padlock with no visible changes. Read the rest of this entry »
Internal server names in publically recognized SSL certificates are about to become just as extinct as Sharks in Chinese waters.
The CA / Browser forum has decided to implement changes to SSL requirements, that will phase out all use of internal server names in public SSL certificates. The CA / Browser forum includes all the major certificate authorities and browser developers, so the change will be forced upon everyone.
The negative impact
It especially hits small to medium businesses with just a few servers. I.e. Exchange, Lync and Small Business Server, where a single SAN certificate including both public and internal server names, will save them both time and resources otherwise needed for reconfiguration, internal PKI solutions and/or reverse proxy and similar systems to allow usage of a separate internal and external SSL certificate on a single website/service.
Exchange 2010 will by default use a single website and configure it self to use its internal FQDN i.e. exchangeserver01.fairssl.local and external FQDN i.e. webmail.fairssl.dk for this one website/SSL certificate. The change will require a change in configuration or systems surrounding the Exchange 2010 environment to continue working without both names in one SSL certificate.
SBS 2011 on the other hand has received the functionality to use split DNS to use the external server name both internally and externally, this not much mentioned change may have something to do with Microsoft being on the CA / Browser forum board, so they would have known about this change for a while.
Larger companies typically have more resources and will have an easier time separating internal and external SSL certificates, without having to buy new solutions like Forefront TMG, SSL offloaders, Internal PKI, etc. But my guess is still that a large number of them will still need to change some configuration to avoid problems with internal server names.
The reasoning behind this phase out is to secure against Man-in-The-Middle (MTM) attacks, where it is possible to pretend to be an internal server via a publicly recognized SSL certificate. Even thou it is a highly unlikely way to attack most systems, the theoretical possibility is enough to spark the change. I just wish they had been a little more giving on the deadlines.
My personal recommendation to my customers with SSL certificates containing internal server names Read the rest of this entry »
The difficulties of installing an SSL certificate on a ZyXEL ZyWall USG 300 firewall (if even possible!)
Having spent some time trying to install an SSL certificate from a trusted certification authority on this product, I felt I should share my findings as they might save someone else the headaches and time I had to spend on this.
For reference I used a ZyXEL ZyWall USG 300 with Firmware version: 2.20(AOE.6) / 1.11 / 2011-10-05 11:51:34
I assume this information is the same for pretty much all versions of ZyWall products, but I can not confirm this from own testing as I only had access to one edition.
About Intermediate SSL certificates
All certificates today that want to enjoy the WebTrust approval must use intermediate issuing certificate authorities, this means that a root certificate is no longer allowed to directly issue server certificates for customers. This makes good sense security wise, as it is much harder for a hacker to gain access over the root certificate when it is not online and in case of a compromise, it should be sufficient to close the intermediate, without having to “remove/uninstall” the root from every client in the world.
So most professional products around that uses SSL certificates must be able to install both a server certificate and the intermediate issuing certificate, because the client only knows the root certificate, it needs the server to give it both.
Installing SSL certificates on ZyXEL ZyWall USG 300 (the good part)
Go into Configuration -> Object -> Certificate
Some things to have in mind when installing Read the rest of this entry »
How to get rid of the anoying syntax error popup message when using Internet Explorer with Java so your mother-in-law will stop buggin’ you about it
Quite some time ago I encountered this error the first time, to be honest i can not even remember when it was. But I do know it was Windows 7 and Internet Explorer fully updated, together with the current Java runtime environment that gave me the problem, but I am getting ahead of myself.
- Using Internet Explorer, Windows 7 and Java Runtime Environment – all updated to latest editions on completely clean installations
- On all webpages loading Java the following error message appears twice (x2, two times, 2 times).
Title: “Microsoft JScript compilation er…”.
Error message: “Syntax error”.
Extra bonus information:
- I have experienced this problem on Windows 7 with and without service packs, Internet Explorer 8 and 9
- Usually the problem appears from “birth” with default settings
- Settings in Internet Explorer for showing errors, debugging scripts, etc. are all set to default i.e. not to anoy the user
- The error always comes two times and has absolutely no usefull information
- The Java application works fine without any errors, the only error is the actual message about the error and yes it is realy anoying
So to continue… Read the rest of this entry »
I always wanted the ability to compare different SSL certificates with the clients that do or do not support them.
But at best you can download the roots that a mobile client, browser or operating system uses and compare them with the certificates issued by thoose roots. A cumbersome and extremely tedious task, that still only gives you information about 1 single client. Why has no one made a database containing all popular SSL certificates and clients/browsers/mobile phones and their compatibility.
Well I guess the reason is that it is extremely hard to get a consistent and easy to use data from the clients. The issuers only have information about what clients support them, but the information is usually not quite true, i.e. SSL provider X gets approved by Nokia, so they write now they are supported by Nokia, but that is only true for new nokia phones made after the approval or updates and even in some cases Nokia might forget the SSL provider in a new phone model…
I need your help
But I could realy use some help, I need people to run the test with their different clients, operating systems, mobile phones, etc. so we get as much data as possible.
You can start the test from this page www.ssltest.net/compare/
I also need more SSL certificates to add to the test. If you have or know of a publically available server using a SSL certificate not in the test allready, please e-mail me the URL for a small image of at least 2×2 pixels plus the name of the SSL certificate in use to email@example.com
I hope the results will give enough data to make a public and FREE database of what SSL certificates that work on different browsers, operating systems and mobile phones.
Update 1 jan. 2011.
First results of the client SSL compatibility comparison charts are now public live on www.ssltest.net/compare/sar.php the page is not finished and only shows correctly in IE7+ (not doing layout, etc. before functionality is complete). But there is allready data about different OS, browsers and mobile phones that work or do not work with different SSL certificates. I must admit that the information is surprising for some of the results and I am sure that with more data it will get even more interesting. I have not found another place on the internet that has this information.