Local website purchase SSL or self signed?

Dashrender

This is a situation where Let's Encrypt would be all that I need.

DustinB3403

Yeah users need to shut it...

You're in the corporate network, which is heavily monitor'd.

So as Scott said, they need to shut it.

dafyre

@Dashrender said:

This is a situation where Let's Encrypt would be all that I need.

Have they started issuing certificates yet?

Dashrender

@dafyre said:

@Dashrender said:

This is a situation where Let's Encrypt would be all that I need.

Have they started issuing certificates yet?

They are in a Beta stage now.

Dashrender

and they don't currently have a Windows client.. yeah!

JaredBusch

@DustinB3403 said:

Yeah users need to shut it...

You're in the corporate network, which is heavily monitor'd.

So as Scott said, they need to shut it.

I completely disagree with this. I do not want users to have to ever get used to clicking through an error screen. Doing so on an internal site means instructing them to do so whenever they see it. Do you honestly expect general users to have the level of knowledge to properly read the error and confirm the internal URL?

Dashrender

Awesome, that's the kind of thing I was looking for.

With NTG I can totally understand this.. they are all technical people.. but here, they are all the technical Luddites.

scottalanmiller

@JaredBusch said:

@DustinB3403 said:

Yeah users need to shut it...

You're in the corporate network, which is heavily monitor'd.

So as Scott said, they need to shut it.

I completely disagree with this. I do not want users to have to ever get used to clicking through an error screen. Doing so on an internal site means instructing them to do so whenever they see it. Do you honestly expect general users to have the level of knowledge to properly read the error and confirm the internal URL?

That's an excellent point. I often forget that one but it does matter a lot in most cases.

scottalanmiller

@Dashrender said:

Awesome, that's the kind of thing I was looking for.

With NTG I can totally understand this.. they are all technical people.. but here, they are all the technical Luddites.

Right, that's why we often go that route internally.

Deleted74295

As @JaredBusch said.

Why would you ever tell users to ignore such a fundamental error message? If they get that error when logging into say, Office 365, do you want them typing in their credentials to a bogus website?

Jason

@JaredBusch said:

@DustinB3403 said:

Yeah users need to shut it...

You're in the corporate network, which is heavily monitor'd.

So as Scott said, they need to shut it.

I completely disagree with this. I do not want users to have to ever get used to clicking through an error screen. Doing so on an internal site means instructing them to do so whenever they see it. Do you honestly expect general users to have the level of knowledge to properly read the error and confirm the internal URL?

Exactly. That's promoting bad habits. We use self-signed ones in places however push the Certs out as trusted via GPOs fixes any errors in browsers.

Jason

@DustinB3403 said:

You're in the corporate network, which is heavily monitor'd.

Heavily monitored doesn't mean protected from stupid actions, which is how most things get in. You can't rely on a single point to protect you from vulnerabilities. You need good user training in addition to AV and network firewalls. User training is the most important.

stacksofplates

If you just need the SSL, StartSSL offers free certs. You don't have the insurance of a paid cert, but it's still encrypted and it's still green.

DustinB3403

@Jason said:

You need good user training in addition to AV and network firewalls. User training is the most important.

User training..... hahaha....

So as with anything lets perform a math exercise and calculate the continuing cost of effectively training users, versus the cost of build a good security policy with backup and recovery functionality (not excluding cost to upgrade it and maintain it)

Deleted74295

@DustinB3403 said:

@Jason said:

You need good user training in addition to AV and network firewalls. User training is the most important.

User training..... hahaha....

So as with anything lets perform a math exercise and calculate the continuing cost of effectively training users, versus the cost of build a good security policy with backup and recovery functionality (not excluding cost to upgrade it and maintain it)

Don't forget to add the cost of a breach.

Reputation
Fines

Jason

@Breffni-Potter said:

Don't forget to add the cost of a breach.

Reputation
Fines

Loss of stock value, investors etc.

coliver

@Breffni-Potter said:

@DustinB3403 said:

@Jason said:

You need good user training in addition to AV and network firewalls. User training is the most important.

User training..... hahaha....

So as with anything lets perform a math exercise and calculate the continuing cost of effectively training users, versus the cost of build a good security policy with backup and recovery functionality (not excluding cost to upgrade it and maintain it)

Don't forget to add the cost of a breach.

Reputation
Fines

I really hate to be the pessimist... but do companies really care about loss of reputation after a breach? To the average consumer I don't think they really understand or care that their data has been stolen... For us sure it matters but everyone else?

Jason

@coliver said:

I really hate to be the pessimist... but do companies really care about loss of reputation after a breach? To the average consumer I don't think they really understand or care that their data has been stolen... For us sure it matters but everyone else?

I know many people who aren't IT or security minded at all who won't shop at Kmart & Target now. So I guess they do.

scottalanmiller

@Jason said:

@coliver said:

I really hate to be the pessimist... but do companies really care about loss of reputation after a breach? To the average consumer I don't think they really understand or care that their data has been stolen... For us sure it matters but everyone else?

I know many people who aren't IT or security minded at all who won't shop at Kmart & Target now. So I guess they do.

But is it enough to impact their sales? TJ Maxx did this stuff too, but has that stopped people shopping there? People forget really, really quickly. Investing in company reputation is often worthless as consumers just don't remember.

Dashrender

@johnhooks said:

If you just need the SSL, StartSSL offers free certs. You don't have the insurance of a paid cert, but it's still encrypted and it's still green.

what insurance would that be?

And you get green? That doesn't seem right. Green is suppose to mean extended validation. I can't imagine that StartSSL is doing that for free.