Do you setup SSL for Intranet websites only
-
If there will be users on it, then yeah, it needs SSL.
-
@dafyre said in Do you setup SSL for Intranet websites only:
If there will be users on it, then yeah, it needs SSL.
Wow, that is about as stupid as answers get. Did you read the question at all?
The answer is never that simple.
There is a non trivial amount of effort involved in setting up trusted certificates on non public systems.
-
It's worth noting that these systems have credentials which lead to only these systems. They connect to nothing else, and while they could provide the destructive kind of access that would be concerning over, it's not something I'd really be so concerned over.
Namely because I backup these systems daily. So even if someone got credentials to these systems, I'd just restore and change those credentials.
@dafyre I get the point, but these systems literally go no where. It's a dead end even if anyone was sniffing my network.
@JaredBusch I'm assuming you think it wouldn't be worth it for these tiny systems?
-
These sites are for things like IT Wiki pages, Asset Management.
Literally near-zero value targets.
-
@dustinb3403 said in Do you setup SSL for Intranet websites only:
These sites are for things like IT Wiki pages, Asset Management.
Literally near-zero value targets.
Nothing is near-zero value.
But that is not the point. -
Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites?
-
@dustinb3403 said in Do you setup SSL for Intranet websites only:
@dafyre I get the point, but these systems literally go no where. It's a dead end even if anyone was sniffing my network.
There was no point to his post. SO to say you get it means you are reading into something or assuming something.
@dustinb3403 said in Do you setup SSL for Intranet websites only:
@JaredBusch I'm assuming you think it wouldn't be worth it for these tiny systems?
Stop and think about the process, this is not that hard to understand.
How would you even get a trusted certificate on the box?
LE works buy reaching back to you to verify the server nonce and issues the certificate. You cannot do that because that ONLY works on http/https. You cannot forward that through your router to everything. That is not how networking works.You can try to DNS verification, but then you need to have public DNS records for all of these servers and associated text records with the challenge nonce. That is in addition to your internal DNS being setup to route to these systems.
Or you buy long term certs (or a wildcard) form someplace and use that. That at least only needs configured once every year or two.
-
This post is deleted! -
@jaredbusch said in Do you setup SSL for Intranet websites only:
Or you buy long term certs (or a wildcard) form someplace and use that. That at least only needs configured once every year or two.
But then you're still left with "is it worth paying for?"
There are clients out there that will automate the DNS checks and such for you if your DNS provider has an API. I've got one I'm testing now, but I just ran across it a day or so again. If it works well, I'll post it.
-
Or you use self signed certs.
-
@scottalanmiller said in Do you setup SSL for Intranet websites only:
Or you use self signed certs.
But is that even worth it, it's added setup for something that goes to a dead-end in terms of systems. The logins have no association with anything else on the network, and there is nothing critically location on these systems that (in my case) warrants needing to be secured.
-
Sometimes we do, sometimes we don't... great answer right?
-
@dustinb3403 said in Do you setup SSL for Intranet websites only:
@scottalanmiller said in Do you setup SSL for Intranet websites only:
Or you use self signed certs.
But is that even worth it, it's added setup for something that goes to a dead-end in terms of systems. The logins have no association with anything else on the network, and there is nothing critically location on these systems that (in my case) warrants needing to be secured.
Its' so easy to do, why not?
Is it necessary? No. But the effort is so small, might easily be worth it.
-
@scottalanmiller said in Do you setup SSL for Intranet websites only:
@dustinb3403 said in Do you setup SSL for Intranet websites only:
@scottalanmiller said in Do you setup SSL for Intranet websites only:
Or you use self signed certs.
But is that even worth it, it's added setup for something that goes to a dead-end in terms of systems. The logins have no association with anything else on the network, and there is nothing critically location on these systems that (in my case) warrants needing to be secured.
Its' so easy to do, why not?
Is it necessary? No. But the effort is so small, might easily be worth it.
Self-signed or horrid. Because your browser does not trust them and you have to click through warnings. you don't want to be in that habit.
-
I've never bothered to setup a certificate for anything internal. I know who they are even if the browser doesn't.
-
@donahue said in Do you setup SSL for Intranet websites only:
I've never bothered to setup a certificate for anything internal. I know who they are even if the browser doesn't.
That's my stance as well.
-
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
-
In a windows environment with AD I setup a domain CA and all the servers and devices get an internal SSL that is trusted by the devices joined to the domain. That's the only use I do for internal SSLs but it takes some time to setup though.
-
@black3dynamite said in Do you setup SSL for Intranet websites only:
Self-signed isn't too bad if you have a way to install your own Root CA to the computers.
That is not self signed. That is signed by a trusted (local) CA.
-
I plan to. However, I'm still learning the whole process for a local root CA and have hundreds of projects that are currently higher priority so I haven't had time to look into it.