Shostack + Friends Blog Archive

 

SSL Survey over at Matasano

Jeremy Rauch over at Matasano is running a survey [link to http://www.matasano.com/log/2006/03/https-and-ssl-thoughts-and-musings.html no longer works] on how companies are using HTTPS/SSL. I encourage you to go there and respond. My answers are below the cut.


* Do you use HTTPS on your internal network?
    o If so, for what types of applications? All applications that contain financial or human resources data. Also all applications use SSL for logins.
    o If not, do you have plans to? When?
* Do you use SSL with other applications?
    o If so, what?
* If you do use HTTPS, did you decide to do this to
    o Prevent sniffing? Yes
    o Prevent man-in-the-middle attacks?
    o Prevent host spoofing?
    o Do all my identification and authorization? Yes
* Do you use client side certificates? Nope
    o If so, how do you distribute these certs?
* Do you issue your own certs for internal use? Sometimes
    o If so
        + Do you issue them for servers? They are used for 802.1x WiFi authentication and for logins to firewalls
        + How about client machines?
        + How are you validating these certs?
    o If not
        + Do you purchase them for servers? Yes, all general use apps use purchased certs
        + How about client machines?