Secure OWA with SSL

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

hey guys,

do any of you use your own CA for this, or do you buy SSL certs?

Whats the benefit in using paid for instead of settign upi your own CA?

Daniel

 

We use Verisign, which means anyone hacks in they are responsible and not us as they provide the encryption.

Also, if your Users will be logging in from home they will not have any issues as Verisign is a Trusted Publisher.

If you use your own CA, then the main difference would be you are responsible and cannot point the finger at anyone else. Your Users (unless they have logged into the Domain on there PC or you have setup Autoenrolment for VPN usage) will not trust the CA automatically. Could just tell them to check the Certificate is from 'x' and if so then go ahead to emails.

 

Thanks for the replies guys!

Don't know why our OWA has never had SSL set up (actually i do know why but probably not best to post on a forum where person in question may come across it)

Only now i am getting the confidence to start speaking up about this sort of thing to try and get it fixed! Are most providers the same price range in your experience? On the vendors sites there are many different options for certificates, any recommendations on a particular certificate to get?

Thanks again
Daniel

 

Generally speaking:

If the site or service is going to be internet facing, use well known 3rd party certs.

If you are securing sites or services where you control all computers and communications, user self signed.

For example, when I set up Outlook Web Access for my employees to use from home, I use a cert from Verisign. However; when I secure SSL/TLS communications between multi-tiered internal servers, I use self signed because I control all the systems.

Each has its place and its application and its advantages. However; I will say this, certs exist for two reasons:

1) Authenticate that the server is who it says it is
2) Encrypt the communications between that server and it's client.

While it's often possible to configure it, my opinion would be that we should never use untrusted/self-signed certs because it results in a higher probability of data/authentication credential compromise.

J.

 

Thanks, will pitch those GoDaddy certs to my boss when he gets back! (once i have told him what SSL is lol)