SSL Certificates

SSL certificates are digitally signed documents that websites use to prove their authenticity and to give their users privacy, via encryption. Banking websites, Tufts webmail (https://exchange.tufts.edu/), and many other Tufts services use SSL certificates signed by Certificate Authorities (CAs; see http://en.wikipedia.org/wiki/Certificate_authority) to prove their identity to browsers, which in turn have been preconfigured to trust a limited set of CAs.

Personal Information

Sites or applications that process or access Personal Information (PI) must require SSL. Browsers that do not request SSL should be redirected to the SSL port; the entire session, not just the login, must be encrypted. SSL certificates must be signed by a trusted CA. Legacy systems that process or access PI must obtain and deploy a CA-signed certificate as soon as possible.

LDAP (Enterprise Directory or Active Directory Binding)

Sites that use Tufts username and Tufts Password to authenticate users must require SSL. Browsers that do not request SSL should be redirected to the SSL port. New systems should have a CA-signed certificate from the start; any old systems that have self-signed or manufacturer-provided certificates should be phased into valid, CA-signed certificates at the next opportunity. Some websites only encrypt the authentication portion of the connection to save processing power; avoid this temptation, and encrypt the entire session if at all possible.

Self-Signed Certificates

Self-signed certificates are not recommended. Self-signed certificates do allow the connection to be encrypted, but do not provide any guarantee that the encrypted connection is with the correct server. Anyone can create a self-signed certificate that is functionally identical to any other self-signed certificate, so there is no guarantee of privacy or authenticity. CA-signed certificates do guarantee that the site is authentic and that the connection is private. If you must use a self-signed certificate on a test system, you should not connect to it from off-campus, because your connection is susceptible to man-in-the-middle attacks and could be intercepted by a third party.

Self-signed certs should not be used on any new production systems. It's highly recommended to build certificate assignment into your deployment process. Old production systems that have self-signed certificates should be phased into CA-signed certificates at the next opportunity.

Get a CA-signed Certificate

UIT can coordinate the purchase of an SSL certificate signed by GeoTrust.

Known Issues with CA-signed Certificates

This content has been moved to /wiki/spaces/EnterpriseSystems/pages/89464056