Hi Jason, I'm not 100% sure whether there is a basic cert from Verisign that would eliminate the warnings while still not turning the banner green. I wasn't personally involved in the discussions with Verisign and went with our web administrator recommendations. I'd be surprised to hear there is a cheaper option that we could have gone with--Verisign wasn't even willing to give us a pro-rated upgrade when we swapped out hardware/sites and added a load balancer and needed new certificates issued.
Even a self-published cert will display the lock icon but in our case, we wanted to eliminate the warnings since our external customers constantly complained that our web site was "broken". Our customers were getting the "phishing" error message and recommendation "not to proceed" message. Although we were using certs issued by a trusted authority and we pushed that to all systems within our domain (which worked great for those users), we had no control over our external customers accessing the site from home and other non-domain locations. We even provided instructions for them to include our certificate authority to IE (along with the program they could run to handle it for them) but it just became too much of a hassle trying to walk all of the external customers through that process. The amount of time our Contact Center was on the phone with customers greatly exceeded the cost of the certificates--which were not cheap for multiple certificates. Agree it's a bad practice to train users to click through warnings--especially for common sites where people purposefully register similiar names to catch people who accidentally make a typing error. My point was that once the warnings are clicked-through, everything does work properly. Another option is to use other browsers--which do not have the same IE problems. In our case, that wasn't a valid choice... Recommend those interested check with Verisign and other "Microsoft Approved" authorities to see what certificate options are out there. In our case, it was cheaper to pay the annual certificate cost than the employee cost and customer concerns generated by not having them. Craig Carter RSP From: Action Request System discussion list(ARSList) [[email protected]] On Behalf Of Jason Miller [[email protected]] Sent: Monday, January 03, 2011 12:24 PM To: [email protected] Subject: Re: IS I.E 8.0 Compatible ? ** Craig, isn't the green banner triggered by an EV (Extended Validation) cert? We have a few but I was not involved in the purchasing end. It is my understanding that EV certs are considerably more expensive than a traditional basic cert. A basic cert will still show the lock icon in the browser but will not change the banner color. I think we'll see things move more and more to EV certs but if budget is a concern they should be able to get a basic cert from a well recognized issuer (Verisign) to get rid of the warning message. Craig touched on another (free) option; to have a cert issued/signed by an internal CA (Certificate Authority) that is trusted by all of computer on the domain. For example all the computers on our AD domain automatically trust one of our Domain Controllers as a CA. For some of our internal support sites we use certs issued/signed by this CA to give us the security of SSL. This works well because we do not have to worry about machines outside of our internal environment accessing these pages. Worst case if a machine not on the domain accesses the page they will receive the warning that Rajesh described and can click through it. <personal note> In general it is probably a bad practice to educate users to ignore the certificate warning (although business must go on and may be the only choice). These warnings are there for a reason and conditioning people who may not be all too Net savvy to ignore them could lead them to trouble out on the big bad Net when confronted with sites like https: //amaz0n.com or https: //b0fa.com ((note the letter "O" replaced with a zero) (intentional space between "https:" and "//")) </personal note> Jason On Mon, Jan 3, 2011 at 7:10 AM, Craig Carter <[email protected]> wrote: ** The problem you are seeing is with the Enhanced Security added in IE8. If you click through the warnings, everything will still work fine. It can be a problem though if you have customers who believe the message and refuse to click through the warnings. We've always run a secure site (https) and we ran into this when IE8 was released. IE7 had a simliar problem but was not nearly as noticeable and "in your face" with the messages. The problem is that Microsoft IE8 does not automatically accept all secure certificates as "authenticated" and will present that warning. If you have a controlled user population, you can simply add your certificate issuing authority as a trusted certificate authority in their browser configuration (for IE8) and the problem will go away. However, if you are not able to do that, your only real choices are to either educate your users or purchase certificates that are automatically accepted (like Verisign). We took the second route and although not cheap, you then get the nice green banner versus the red one and the problem goes away. This is not a BMC/Remedy problem or an HTTPS problem--it's increased security added to that browser. The only thing you can do is to use a certificate issued by an authority Microsoft has deemed worthy or add your own issuing authority to all of their browsers. Craig Carter RSP From: Action Request System discussion list(ARSList) [[email protected]] On Behalf Of Ali A. Musa [[email protected]] Sent: Monday, January 03, 2011 6:36 AM To: [email protected] Subject: Re: IS I.E 8.0 Compatible ? ** This implementation has been working for 7-years and I have upgrade to many IE 6,7,8 and none ha scaused a problem, unless you mean https:// the secure which I did not deploy. From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Nair, Rajesh SISPL Sent: Monday, January 03, 2011 3:41 PM To: [email protected] Subject: Re: IS I.E 8.0 Compatible ? ** Is their any setting you have done on IE Side.. With Best Regards Rajesh From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Ali A. Musa Sent: Monday, January 03, 2011 6:10 PM To: [email protected] Subject: Re: IS I.E 8.0 Compatible ? Its working fine with me our environment, client IE8 and Mid-tier 6.3 with jsp-engine using IIS. From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Nair, Rajesh SISPL Sent: Monday, January 03, 2011 3:25 PM To: [email protected] Subject: IS I.E 8.0 Compatible ? ** Dear List, need to know whether IE is compatible to run with ARSYTEM 6.3 with Midtier 6.3 Our Organization is made a mandate of using IE 8 on every system and while testing I found out that I am getting an error every time I open the link. There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. We are on ARSYTEM 6.3 patch 23 ITSM 5.5 and Midtier server V 6.3 patch 24 Note: Site work with Server Certificate https: Any way out of this. With Best Regards Rajesh _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_ _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"__attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_ _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_ _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_ _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_ _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org attend wwrug11 www.wwrug.com ARSList: "Where the Answers Are"
smime.p7s
Description: S/MIME cryptographic signature
