Thursday, October 14, 2004

What's up with Self-Signed certificates? Why do we need 'em?

Security is important. We all know this, but how can we get the best security and keep our wallets fat?

SBS 2003 provides the ability to create and self-sign its own certificate.
Why is this good?
If you try to purchase a signed certificate from Verisign today, you're looking at over $600 for a .cer file!!!! That's crazy, just to get 128-bit encryption. SBS gives you similar security included in the price of the server.
Why is this bad?

  • Any user browsing to your SSL website will get a security pop-up complaining that the site's certificate was not issued by a trusted authority

  • Some SmartPhone 2002 devices will never synchronize against the server

So how do Certificates work?
Windows (and mobile devices) ship with major root certificates built into the root certificate store. Curious as to which ones there are? Check 'em out:

  • Start, Run, mmc.exe

  • File, Add/remove snap-in...

  • Click the Add button on the Standalone tab

  • Choose the certificates for the computer account

  • Choose the local computer & OK out of the boxes

  • Back in the MMC snap-in, expand the Trusted Root Certification Authorities and then click on Certificates

On the right-hand side, you can see all the certificates that your PC currently trusts.

When you purchase a certificate from one of these companies, they issue it to you once they have verified you are who you say you are (and you're not a spy). Once this certificate is installed on your website, browsers will check:

  • The certificate is still valid and hasn't expired

  • The certificate name matches the website you are trying to visit

  • The website's certificate chains up to a root certificate already in the local store

If one of these items fails, the user will get a pop-up and be asked if they want to continue. Continuing will use the certificate for 128-bit encryption.
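The three checks above, run through the .NET chain engine against a throwaway self-signed certificate, as an added example that is not from the original post. It assumes PowerShell 5.1 with .NET Framework 4.7.2 or later (or PowerShell 7); the host names and function names are hypothetical, and the certificate is built in memory and never written to a certificate store.

```powershell
# Build a constructed self-signed certificate, the same kind of certificate a server signs for itself.
function New-TestSelfSignedCert([string]$DnsName) {
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$DnsName", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    # Put the name in the Subject Alternative Name extension as well as the CN.
    $san = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
    $san.AddDnsName($DnsName)
    $req.CertificateExtensions.Add($san.Build())
    $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(1))
}

# Run the three checks a client performs before trusting the connection.
function Test-CertificateChecks($Cert, [string]$HostName) {
    $now   = Get-Date
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Skip revocation lookups so the example runs offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        HostName            = $HostName
        # Check 1: the certificate is inside its validity period.
        WithinValidity      = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        # Check 2: the certificate name matches the site (exact match only, no wildcards).
        NameMatches         = ($Cert.GetNameInfo('DnsName', $false) -eq $HostName)
        # Check 3: the chain ends in a root that is already in the local store.
        ChainsToTrustedRoot = $trusted
        ChainStatus         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$cert = New-TestSelfSignedCert 'sbs.example.test'

# Same certificate, requested under the name it was issued for and under a different name.
Test-CertificateChecks $cert 'sbs.example.test'  | Format-List
Test-CertificateChecks $cert 'mail.example.test' | Format-List
```

A client that has certificate verification disabled skips all three results and accepts the certificate either way, so the session is encrypted but the server's identity is not checked.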

What's this problem with SmartPhones?
I get asked this question a lot, so I wanted to clarify this. SmartPhone 2002 OS does not understand the type of certificate SBS creates, and the certificate cannot be added to the phone. Pocket PC Phone Edition can be configured to work using KB 322956. On the SmartPhone, you have to disable the certificate verification. This will still use SSL for the connection, but will just not verify the 3 items mentioned above before performing the sync.

I still say the benefits of the 2003 devices over the certificate issues are worth the upgrade. Verizon and AT&T both can upgrade the Samsung and M200 devices to 2003, so have it done!

And now you know how certificates work.

2 comments:

Nick Whittome said...

Sean, what about Windows Mobile 5 devices...?

The disable verification tool does not seem to work with ActiveSync 4.

Sean Daniel said...

We're aware of the problem and in the process of putting some documentation online. When I get it, I'll be sure to post it here.

Good news is signed certs are CHEAP!