Koozali.org: home of the SME Server

issues with self-signed CERT on 5.6

Patrick Hickey

issues with self-signed CERT on 5.6
« on: February 15, 2003, 10:50:34 PM »
I am hoping the developers can address the security issues associated with the use of self-signed SSL Certificates. I suspect a large number of the SME users are not registering themselves as businesses and thus obtaining valid/verified Certs.

Since there is no way to verify the validity of the cert, or whom you are talking to, it is easy to compromise the connection with a "Man-in-the-middle" (MITM) attack.

Unfortunately this MITM attack is already available in prepackaged hacker tools on the internet.

With a specific tool I was able to crack into https and ssh version 1 sessions. This was not done for malice, but to prove a point how easy it is.

It was able to read an ssh connection to home and an https connection to my bank!!

Yikes.

I am wondering out loud if the notion of a self-signed Cert should be re-addressed and possibly even removed?

Your thoughts?

regards,

patrick

Bill Talcott

Re: issues with self-signed CERT on 5.6
« Reply #1 on: February 17, 2003, 10:36:36 PM »
You have emailed the security team at e-smith.com about this, right?

Patrick Hickey

Re: issues with self-signed CERT on 5.6
« Reply #2 on: February 18, 2003, 05:38:11 PM »
No, I haven't as I do not know anyone nor do I have a specific address.

Do you have a specific address or am I to assume email to "security@" will suffice?

regards,

patrick

Dan Brown

Re: issues with self-signed CERT on 5.6
« Reply #3 on: February 18, 2003, 05:40:03 PM »
smesecurity@mitel.com would be the best address.

Patrick Hickey

Re: issues with self-signed CERT on 5.6
« Reply #4 on: February 18, 2003, 09:59:02 PM »
Sent.

patrick

Tony Howden

Re: issues with self-signed CERT on 5.6
« Reply #5 on: February 28, 2003, 01:47:27 PM »
Hi All

I am interested to understand if your MitM attack was on a self-signed cert with or without the password option, or for that matter if this would make any difference.

One of the issues that I have is endeavouring to secure intranet systems that are not as likely to be targets as your bank may be, but still for the sake of privacy should be more secure than the traditional open-text html. As a result for some of these smaller businesses (or almost businesses) the issue is cost vs security. Therefore it is often the case that security will be compromised in favour of saving a $1000 or whatever certs cost in your neck of the woods.

My response would be that self-signed certs are an important option for many smaller operations and to exclude this function would be detrimental to the sme server.

Mind you, I am also interested to know who your bank is

cheers
Tony
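
Added example, not part of the original thread and not SME Server code: one way a client can check which server it is talking to when the certificate is self-signed is to compare the certificate's SHA-256 fingerprint with a value the administrator handed over out of band. The host name, the sample byte strings and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(pins: dict, host: str, der: bytes) -> str:
    """Compare a presented certificate with the fingerprint pinned for host."""
    expected = pins.get(host)
    if expected is None:
        return "unpinned"   # nothing to compare against: do not trust
    if hmac.compare_digest(expected, fingerprint(der)):
        return "match"
    return "mismatch"       # not the certificate the administrator published


def connect_pinned(pins: dict, host: str, port: int = 443) -> ssl.SSLSocket:
    """Open TLS to a self-signed server, refusing it unless the pin matches."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # CA and hostname checks cannot pass for a
    ctx.verify_mode = ssl.CERT_NONE  # self-signed cert; the pin replaces them
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    verdict = check_pin(pins, host, sock.getpeercert(binary_form=True))
    if verdict != "match":
        sock.close()                 # close before any application data is sent
        raise ssl.SSLError(f"certificate pin {verdict} for {host}")
    return sock


# Constructed stand-ins for DER certificates (not real certificates).
SERVER_DER = b"constructed-der-bytes-of-the-real-server"
OTHER_DER = b"constructed-der-bytes-presented-by-another-party"
PINS = {"sme.example.test": fingerprint(SERVER_DER)}  # hypothetical host

if __name__ == "__main__":
    print(check_pin(PINS, "sme.example.test", SERVER_DER))
    print(check_pin(PINS, "sme.example.test", OTHER_DER))
```

The pin is only as trustworthy as the channel it was delivered over, so it should be read from the server console or passed on in person rather than fetched over the same network path.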