Is there anyway to make it so a customer is not prompted when using a self signed ssl cert?

by on March 1, 2011

Q: I have Site(s) Ani….i=1,..10 sites which communicate with site B to access a website/application. That’s simple enough.

However, the traffic is HTTP; well, we primarily don’t need HTTPS on an IPsec tunnel, right? But attacks related to eavesdropping on traffic become a real possibility once it gets terminated by the IPsec device on both sides.

I have two options either to purchase a third-party ssl certificate to encrypt the traffic between two nodes or use a custom made one.

I don’t want to use a custom-made one because this makes the browser prompt an ugly untrusted-certificate message; it’s ugly not from a security perspective but because of client inconvenience, and assuring users’ confidence in our systems is a critical issue for us.

Based upon the above discussion I have the following two queries:

a) How is it possible to remove the ugly certificate message from the user’s screen? Does the company need to register its certificate with some kind of CA body? Or what …

b) Due to some TCP acceleration issues, SSL traffic slows down the traffic between the nodes, so we only require the encryption to stand during the initial handshake when the username and password are being validated; after that we want to revert back to HTTP. Could this be achieved? If yes, how…?

Thanks for your help.


2 Responses to “Is there anyway to make it so a customer is not prompted when using a self signed ssl cert?”
  1. Picked as best answer

    There are two options: the customer can either manually trust the certificate (you’d need to provide them with instructions on how to do this), or you can just buy an SSL certificate. It looks like one would probably cost your company $50 to $200 a year depending on your needs.

    Since assuring confidence is important to you, I think you’d be foolish not to just buy an SSL certificate.

    You’ll need to go through a Certificate Authority company that sells SSL Certificates such as:

    http://www.verisign.com/
    http://www.thawte.com/
    https://www.godaddy.com/ssl/ssl-certificates.aspx

    You also should talk to the company that handles your company’s domain registration or web hosting for options, and possibly a good deal since you’re already doing business with them.

    Redirecting back to HTTP would need to be a function of your web application. Note that it would still be possible for someone on either side of the IPsec tunnel to hijack the session by grabbing the cookie that would still be passed back and forth. So for absolute security you’ll need to stay with full HTTPS.

    See this article for details on the cookie hijacking thing: http://www.nytimes.com/2011/02/17/technology/personaltech/17basics.html

    Specifically the section where they talk about the Firesheep tool.

     
    •  

      Thank you, Mark. You opened my eyes to a whole new threat, which is cookie stealing. I read through the link you sent; it was highly informative and helped me understand the significance of the threat in more detail. I thank you for that, Mark.

      I will get back to you if more help is needed.
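Mark’s point about the session cookie still crossing the wire after the application redirects back to HTTP comes down to the cookie’s Secure attribute (RFC 6265): a browser only withholds a cookie from http:// requests when that attribute is set. The script below is an added example, not code from this thread or from any product mentioned in it. It parses a few constructed Set-Cookie header values and shows which cookies a browser would attach to an http:// request versus an https:// one; the cookie names, values and URLs are all made up, and the path matching is simplified (no Domain or expiry handling).

```python
"""Audit Set-Cookie headers for cookies that would leak over plain HTTP.

Added example; header values and URLs below are constructed, not captured
from any real site.
"""

from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Return (name, value, attributes) for one Set-Cookie header value.

    `attributes` maps lower-cased attribute names to their values; flag
    attributes such as Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookies(headers):
    """Report, per cookie, whether it is exposed on HTTP and readable by script."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        findings.append({
            "name": name,
            "exposed_on_http": "secure" not in attrs,   # sent on http:// requests
            "script_readable": "httponly" not in attrs, # readable via document.cookie
        })
    return findings


def cookies_sent_for(headers, url):
    """Names of cookies a browser would attach to a request for `url`.

    Only the scheme check (Secure attribute) and a simplified Path prefix
    check are modelled; this is enough to show the HTTPS-login-then-HTTP
    redirect problem.
    """
    parsed = urlsplit(url)
    sent = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" in attrs and parsed.scheme != "https":
            continue  # the browser keeps Secure cookies off clear-text links
        cookie_path = attrs.get("path") or "/"
        if not (parsed.path or "/").startswith(cookie_path):
            continue
        sent.append(name)
    return sent


# Constructed sample: what a login endpoint might send back.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",              # weak: no Secure, no HttpOnly
    "sid=def456; Path=/; Secure; HttpOnly",  # hardened
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
    # After an HTTPS login, a redirect to an http:// page carries only the
    # non-Secure cookie, which is exactly what a passive listener needs.
    print("on http :", cookies_sent_for(SAMPLE_HEADERS, "http://app.example/home"))
    print("on https:", cookies_sent_for(SAMPLE_HEADERS, "https://app.example/home"))
```

Run it as-is to see that the hardened cookie (`sid`) never leaves the HTTPS side, while `PHPSESSID` is sent on the clear-text page. If your application must answer the question’s scenario (b) at all, the session cookie it relies on after the redirect is by definition one without Secure, which is why the answer above recommends staying on full HTTPS.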