SSL Certificates

SSL certificates are digital signatures that websites can use to prove their authenticity and provide their users with privacy, via encryption. Banking websites, Tufts webmail (https://exchange.tufts.edu/), and many other Tufts services use SSL certificates signed by Certificate Authorities (CAs; see http://en.wikipedia.org/wiki/Certificate_authority) to prove their identity to browsers (which in turn have been preconfigured to trust a limited set of CAs).
Personal Information

Sites or applications that process or access Personal Information must require SSL. Browsers that do not request SSL should be redirected to the SSL port (the entire session - not just the login - must be encrypted). SSL certificates must be signed by a CA. Legacy systems that process or access PI must obtain and deploy a CA-signed certificate as soon as possible.

LDAP or AD Login

Sites that use LDAP or AD (LAN) credentials to authenticate users must require SSL. Browsers that do not request SSL should be redirected to the SSL port. New systems should have a CA-signed certificate from the start; any old systems that have self-signed or manufacturer-provided certificates should be phased into valid, CA-signed certificates at the next opportunity. Some websites only encrypt the authentication portion of the connection to save processing power; avoid this temptation, and encrypt the entire session if at all possible.
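Both the Personal Information and the LDAP or AD Login sections above require the same two behaviours: any browser that arrives over plaintext HTTP is redirected to the SSL port, and the redirect covers the whole session (every path, not only the login page). The following WSGI middleware is an added example written for this page; it is not code from the original page or from any Tufts system. The application name, host names and port numbers are assumptions. It goes beyond the page in two ways: it rejects requests whose Host header is not on an allow-list, so the redirect cannot be steered to a host an attacker chooses, and it adds a Strict-Transport-Security header on HTTPS responses so returning browsers skip the plaintext hop altogether.

```python
"""Redirect every plaintext request to HTTPS, for the whole session.

Added example for this page (assumption: a WSGI application; host names and
ports below are constructed, not real Tufts values).
"""
from urllib.parse import quote, urlunsplit
from wsgiref.util import setup_testing_defaults


class RequireHTTPS:
    """WSGI middleware: browsers that do not request SSL are redirected to
    the SSL port on the same path, and HTTPS responses carry HSTS."""

    def __init__(self, app, allowed_hosts, https_port=443, hsts_max_age=31536000):
        self.app = app
        self.allowed_hosts = set(allowed_hosts)
        self.https_port = https_port
        self.hsts = f"max-age={hsts_max_age}; includeSubDomains"

    def __call__(self, environ, start_response):
        host = self._host(environ)
        if host not in self.allowed_hosts:
            # Without this check an attacker-chosen Host header would turn the
            # redirect below into an open redirect to a server they control.
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unknown host\n"]
        if environ.get("wsgi.url_scheme") != "https":
            location = self._https_location(host, environ)
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            extra = [("Strict-Transport-Security", self.hsts)]
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, with_hsts)

    @staticmethod
    def _host(environ):
        """Host name without any port; keeps IPv6 literals bracketed."""
        host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
        if host.startswith("["):
            return host[: host.index("]") + 1]
        return host.split(":", 1)[0]

    def _https_location(self, host, environ):
        """Same host, same path and query string, https scheme."""
        netloc = host if self.https_port == 443 else f"{host}:{self.https_port}"
        path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
        return urlunsplit(("https", netloc, path, environ.get("QUERY_STRING", ""), ""))


def hello_app(environ, start_response):
    """Stand-in for the protected application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secret page\n"]


def run_request(app, scheme, host, path, query=""):
    """Drive a WSGI app with a constructed request; return
    (status line, headers as a dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"wsgi.url_scheme": scheme, "HTTP_HOST": host,
                    "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query})
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


# Constructed deployment: one allowed host name, standard HTTPS port.
app = RequireHTTPS(hello_app, allowed_hosts={"app.example.edu"})

if __name__ == "__main__":
    print(run_request(app, "http", "app.example.edu", "/profile", "id=7"))
    print(run_request(app, "https", "app.example.edu", "/profile"))
    print(run_request(app, "http", "evil.example.net", "/login"))
```

Note that the scheme check reads `wsgi.url_scheme`, which the server sets from the actual connection. If the application sits behind a TLS-terminating proxy, the proxy must be configured to set that value (or an equivalent forwarded-protocol header that only the proxy can set); trusting a forwarded header from arbitrary clients would let a plaintext request masquerade as HTTPS.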

Self-Signed Certificates

Self-signed certificates are not recommended. Self-signed certificates do allow the connection to be encrypted, but do not provide any guarantee that the encrypted connection is with the correct server. Anyone can create a self-signed certificate that is functionally identical to any other self-signed cert, so there is no guarantee of privacy or authenticity. CA-signed certificates do guarantee that the site is authentic and that the connection is private. If you must use a self-signed certificate on a test system, you should not connect to it from off-campus, because your connection is susceptible to man-in-the-middle attacks and could be intercepted by a third party.

Self-signed certs should not be used on any new production systems. It's highly recommended to build certificate assignment into your deployment process. Old production systems that have self-signed certificates should be phased into CA-signed certificates at the next opportunity.

Get a CA-signed Certificate

UIT can coordinate the purchase of an SSL certificate signed by GeoTrust (https://docs.usg.tufts.edu/public/sslgeo.php).