Agreed that if you are going to have external machines beyond your IT system's control then the only way to go is with a Verisign cert.

Jason

On Mon, Jan 3, 2011 at 12:23 PM, Craig Carter <[email protected]> wrote:

> Hi Jason,
>
> I'm not 100% sure whether there is a basic cert from Verisign that would eliminate the warnings while still not turning the banner green. I wasn't personally involved in the discussions with Verisign and went with our web administrator recommendations. I'd be surprised to hear there is a cheaper option that we could have gone with--Verisign wasn't even willing to give us a pro-rated upgrade when we swapped out hardware/sites and added a load balancer and needed new certificates issued.
>
> Even a self-published cert will display the lock icon but in our case, we wanted to eliminate the warnings since our external customers constantly complained that our web site was "broken". Our customers were getting the "phishing" error message and recommendation "not to proceed" message. Although we were using certs issued by a trusted authority and we pushed that to all systems within our domain (which worked great for those users), we had no control over our external customers accessing the site from home and other non-domain locations. We even provided instructions for them to include our certificate authority to IE (along with the program they could run to handle it for them) but it just became too much of a hassle trying to walk all of the external customers through that process. The amount of time our Contact Center was on the phone with customers greatly exceeded the cost of the certificates--which were not cheap for multiple certificates.
>
> Agree it's a bad practice to train users to click through warnings--especially for common sites where people purposefully register similar names to catch people who accidentally make a typing error. My point was that once the warnings are clicked-through, everything does work properly.
>
> Another option is to use other browsers--which do not have the same IE problems. In our case, that wasn't a valid choice... Recommend those interested check with Verisign and other "Microsoft Approved" authorities to see what certificate options are out there. In our case, it was cheaper to pay the annual certificate cost than the employee cost and customer concerns generated by not having them.
>
> Craig Carter
> RSP
>
> ------------------------------
> *From:* Action Request System discussion list(ARSList) [[email protected]] On Behalf Of Jason Miller [[email protected]]
> *Sent:* Monday, January 03, 2011 12:24 PM
> *To:* [email protected]
> *Subject:* Re: IS I.E 8.0 Compatible ?
>
> Craig, isn't the green banner triggered by an EV (Extended Validation) cert? We have a few but I was not involved in the purchasing end. It is my understanding that EV certs are considerably more expensive than a traditional basic cert. A basic cert will still show the lock icon in the browser but will not change the banner color. I think we'll see things move more and more to EV certs but if budget is a concern they should be able to get a basic cert from a well recognized issuer (Verisign) to get rid of the warning message.
>
> Craig touched on another (free) option; to have a cert issued/signed by an internal CA (Certificate Authority) that is trusted by all of the computers on the domain. For example all the computers on our AD domain automatically trust one of our Domain Controllers as a CA. For some of our internal support sites we use certs issued/signed by this CA to give us the security of SSL. This works well because we do not have to worry about machines outside of our internal environment accessing these pages. Worst case if a machine not on the domain accesses the page they will receive the warning that Rajesh described and can click through it.
>
> <personal note>
> In general it is probably a bad practice to educate users to ignore the certificate warning (although business must go on and may be the only choice). These warnings are there for a reason and conditioning people who may not be all too Net savvy to ignore them could lead them to trouble out on the big bad Net when confronted with sites like https: //amaz0n.com or https: //b0fa.com ((note the letter "O" replaced with a zero) (intentional space between "https:" and "//"))
> </personal note>
>
> Jason
>
> On Mon, Jan 3, 2011 at 7:10 AM, Craig Carter <[email protected]> wrote:
>
>> The problem you are seeing is with the Enhanced Security added in IE8. If you click through the warnings, everything will still work fine. It can be a problem though if you have customers who believe the message and refuse to click through the warnings.
>>
>> We've always run a secure site (https) and we ran into this when IE8 was released. IE7 had a similar problem but was not nearly as noticeable and "in your face" with the messages.
>>
>> The problem is that Microsoft IE8 does not automatically accept all secure certificates as "authenticated" and will present that warning. If you have a controlled user population, you can simply add your certificate issuing authority as a trusted certificate authority in their browser configuration (for IE8) and the problem will go away. However, if you are not able to do that, your only real choices are to either educate your users or purchase certificates that are automatically accepted (like Verisign). We took the second route and although not cheap, you then get the nice green banner versus the red one and the problem goes away.
>>
>> This is not a BMC/Remedy problem or an HTTPS problem--it's increased security added to that browser. The only thing you can do is to use a certificate issued by an authority Microsoft has deemed worthy or add your own issuing authority to all of their browsers.
>>
>> Craig Carter
>> RSP
>>
>> ------------------------------
>> *From:* Action Request System discussion list(ARSList) [[email protected]] On Behalf Of Ali A. Musa [[email protected]]
>> *Sent:* Monday, January 03, 2011 6:36 AM
>> *To:* [email protected]
>> *Subject:* Re: IS I.E 8.0 Compatible ?
>>
>> This implementation has been working for 7-years and I have upgraded to many IE 6,7,8 and none has caused a problem, unless you mean https:// the secure which I did not deploy.
>>
>> *From:* Action Request System discussion list(ARSList) [mailto:[email protected]] *On Behalf Of* Nair, Rajesh SISPL
>> *Sent:* Monday, January 03, 2011 3:41 PM
>> *To:* [email protected]
>> *Subject:* Re: IS I.E 8.0 Compatible ?
>>
>> Is there any setting you have done on IE Side..
>>
>> With Best Regards
>>
>> *Rajesh*
>>
>> ------------------------------
>> *From:* Action Request System discussion list(ARSList) [mailto:[email protected]] *On Behalf Of* Ali A. Musa
>> *Sent:* Monday, January 03, 2011 6:10 PM
>> *To:* [email protected]
>> *Subject:* Re: IS I.E 8.0 Compatible ?
>>
>> It's working fine with me in our environment, client IE8 and Mid-tier 6.3 with jsp-engine using IIS.
>>
>> *From:* Action Request System discussion list(ARSList) [mailto:[email protected]] *On Behalf Of* Nair, Rajesh SISPL
>> *Sent:* Monday, January 03, 2011 3:25 PM
>> *To:* [email protected]
>> *Subject:* IS I.E 8.0 Compatible ?
>>
>> Dear List,
>>
>> Need to know whether IE is compatible to run with ARSYTEM 6.3 with Midtier 6.3
>>
>> Our Organization has made a mandate of using IE 8 on every system and while testing I found out that I am getting an error every time I open the link.
>>
>> There is a problem with this website's security certificate.
>>
>> The security certificate presented by this website was issued for a different website's address.
>> Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
>>
>> We recommend that you close this webpage and do not continue to this website.
>>
>> We are on ARSYTEM 6.3 patch 23 ITSM 5.5 and Midtier server V 6.3 patch 24
>>
>> Note: Site work with Server Certificate https:
>>
>> Any way out of this.
>>
>> With Best Regards
>>
>> *Rajesh*
>>
>> _attend WWRUG11 www.wwrug.com ARSlist: "Where the Answers Are"_

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug11 www.wwrug.com ARSList: "Where the Answers Are"
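
The thread touches on two separate reasons a browser rejects a certificate: the issuing CA is missing from the client's trust store, and (in the IE8 message quoted above) the certificate was issued for a different address. The following is an added example, not code from any list participant, that models both checks; the host names, CA names and helper functions are assumptions, and trust is reduced to an issuer-name lookup.

```python
# Added example: certificates are constructed dicts in the shape returned by
# ssl.SSLSocket.getpeercert(); every host name and CA name here is made up.

def field(cert, section, key):
    """First value of `key` in the cert's 'subject' or 'issuer' section."""
    return next((v for rdn in cert.get(section, ()) for k, v in rdn if k == key), None)

def dns_names(cert):
    """Names the cert covers: subjectAltName DNS entries, else the legacy CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = field(cert, "subject", "commonName")
    return sans or ([cn] if cn else [])

def name_matches(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host, trusted_cas):
    """Reasons a client would warn. Trust is simplified to an issuer-name lookup;
    a real client validates the signature chain up to a root in its store."""
    problems = []
    if not any(name_matches(n, host) for n in dns_names(cert)):
        problems.append("name-mismatch")     # "issued for a different website's address"
    if field(cert, "issuer", "organizationName") not in trusted_cas:
        problems.append("untrusted-issuer")  # issuing CA absent from this client's store
    return problems

def make_cert(issuer_org, *names):
    """Constructed sample cert (hypothetical helper, not a real certificate)."""
    return {"subject": ((("commonName", names[0]),),),
            "issuer": ((("organizationName", issuer_org),),),
            "subjectAltName": tuple(("DNS", n) for n in names)}

INTERNAL_CERT = make_cert("Example Corp Internal CA", "remedy01.corp.example")
PUBLIC_CERT = make_cert("Example Public CA", "helpdesk.example.com")
DOMAIN_PC = {"Example Public CA", "Example Corp Internal CA"}  # internal root pushed to domain machines
HOME_PC = {"Example Public CA"}                                # browser-shipped roots only

if __name__ == "__main__":
    for store in (DOMAIN_PC, HOME_PC):  # same internal cert seen by two kinds of client
        print(diagnose(INTERNAL_CERT, "remedy01.corp.example", store))
    print(diagnose(INTERNAL_CERT, "helpdesk.example.com", DOMAIN_PC))  # opened via an alias URL
```

A certificate from a publicly trusted CA clears only the `untrusted-issuer` result; `name-mismatch` persists until the certificate's names cover the address users actually open.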

