Question: SSL Certificates

I am chasing down an issue, I am hoping the brain trust here may have some knowledge on the subject.

Essentially we have a Wireless Hotspot which manages 60-odd WAPs.
The WAPs are unsecured
Guests connect to the network via a WAP
When a browser is launched, the browser is redirected to an internal domain log in page.
Without authentication, web access is blocked.

The problem we are facing is some devices flag the internal domain, and will not allow the redirection.
Ideally the system would auto launch a log in screen upon connection to the network.
Unfortunately, from what I can see the system in place (Netcomm HS1200N) does not offer/support this feature?

The system has the option of adding a SSL certificate, which I believe will resolve the issue.
I have almost zero knowledge about SSL certs.
The system recommends a VeriSign certificate, however they are $749 p.a.

Any recommendations for a budget SSL supplier?
A google search lists endless options, however I have no idea how reputable these certs. are.

Can I get away with a cheap cert, such as this $5.99 p.a. cert from GoDaddy?
TL;DR I need a cheap, reputable SSL Cert.

Thanks in Advance

Comments

  • +2

    budget SSL supplier

    Let's Encrypt — $0. Might be a bit fiddly to set up especially for internal network where names cannot be resolved publicly.

    • Is it a trusted certificate authority on microsoft/apple browsers? I didn't see those logos on the website.

      • +1

        LE certs are cross-signed by IdenTrust so they are compatible with older browsers

    • Thanks Scotty.
      I see your point. They require a demonstration of controlling the domain to issue a cert.
      There may be an opportunity via https://certbot.eff.org/.

      Thank you for your input, I am learning a lot tonight.

  • Guests as in random people off the street / customers, or as your staff?

    Internal domain like mywifistuff.coolcompany.com or as in wifistuff.local

    I use godaddy certs for work. They're cheap and mostly used for internal systems.

    • Guests as in random people off the street / customers, or as your staff?

      Guests, accommodation

      Internal domain like mywifistuff.coolcompany.com or as in wifistuff.local

      The internal domain is configurable, it would appear that we can set any domain name and configuration we so desire.

      I use godaddy certs for work. They're cheap and mostly used for internal systems.

      Excellent, thank you for the feedback, they seem well priced.

      My concern at this point, I am guessing cert suppliers are going to require that I can demonstrate control of the domain.
      As the domain is internal, I am thinking there may be associated challenges there.

      • The default option is to put a text record in the DNS zone file. If you own the domain name externally, it's straightforward, and you can use it on an internal system just fine.

        e.g. I have a wildcard *.mycompany.com and put something on my external dns zone file (done through your domain name registrar). Then I can have internal/external things like mail.mycompany.com, external things like vpn.mycompany.com and internal things like intranet.mycompany.com all trusted with the same cert. n.b. I am using a split DNS at work to resolve *.mycompany.com addresses to internal addresses where 8.8.8.8 would normally resolve to either nothing or a public IP address.

        If you're stuck for a domain name, just pick something random. And obviously a single domain cert is cheaper than a wildcard, so set up in your registrar's zone file mysubdomain.cheaprandomdomain.com and use that as your internal name. Fiddling your DNS might be the trick though, especially if you don't have an internal DNS server.
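The wildcard and split-DNS advice above raises two questions a practitioner will want to check before paying for a cert: does `*.mycompany.com` actually cover the host name the hotspot will use, and is that host name one a public CA can issue for at all (a `.local` name cannot be validated, which is the DigiCert "internal names" point raised later in the thread). The following is an added example written for this thread, not code from the forum post or from the Netcomm product. It implements the wildcard matching rules browsers apply (RFC 6125 section 6.4.3: the wildcard must be the whole left-most label and matches exactly one label) and a heuristic "can a public CA issue this?" check. The `RESERVED_TLDS` list and the sample host names are assumptions; the check does not consult the Public Suffix List.

```python
"""Certificate name coverage and issuability checks for a captive-portal
host name. Added example for the thread; not the hotspot vendor's code."""
import ipaddress

# Top-level labels a public CA will not issue for (not publicly resolvable).
# Assumption: covers the names people typically pick for internal systems;
# it is not the full list of reserved or special-use names.
RESERVED_TLDS = {"local", "localhost", "internal", "lan", "home", "corp",
                 "intranet", "private", "test", "example", "invalid"}


def name_matches(cert_name: str, host: str) -> bool:
    """True if a DNS name from a certificate (SAN or CN) covers host.

    Matching is case-insensitive, ignores a trailing dot, and applies the
    browser rules for wildcards: '*' must be the entire left-most label,
    must not sit in the top two labels (*.com), and matches exactly one
    label, so '*.mycompany.com' does not cover 'a.b.mycompany.com' or the
    bare 'mycompany.com'. Partial wildcards such as 'm*.example.com' are
    rejected, as current browsers do.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name or not host:
        return False
    if "*" not in cert_name:
        return cert_name == host
    labels = cert_name.split(".")
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False
    host_labels = host.split(".")
    if len(host_labels) != len(labels):       # '*' matches exactly one label
        return False
    return host_labels[1:] == labels[1:]


def covered_by(cert_names, host: str) -> bool:
    """True if any name on the certificate covers host."""
    return any(name_matches(n, host) for n in cert_names)


def publicly_issuable(host: str) -> bool:
    """Heuristic: could a public CA issue a certificate for this name?

    Rejects private/reserved IP addresses, single-label names, empty labels
    and names under a reserved TLD. Passing this check does not mean a CA
    will issue; you still have to prove control of the domain.
    """
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host).is_global   # IP SAN: public IPs only
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2 or any(not l for l in labels):
        return False
    return labels[-1] not in RESERVED_TLDS


if __name__ == "__main__":
    cert = ["mycompany.com", "*.mycompany.com"]          # assumed wildcard cert
    for h in ["intranet.mycompany.com", "a.b.mycompany.com", "wifistuff.local"]:
        print(h, "covered:", covered_by(cert, h), "issuable:", publicly_issuable(h))
```

A single-name cert for `mysubdomain.cheaprandomdomain.com`, as suggested above, only ever passes `name_matches` for that exact host, so the hotspot's configured FQDN has to be spelled identically, including the registered public domain.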

  • I don't think the SSL certificate will solve your problem.

    You can generate your own SSL certificate without paying anything - just download the OpenSSL library.

    When you use the self-generated certificate, your browser will warn you that the certificate isn't signed by a trusted authority (e.g. Verisign, GoDaddy). You can configure your browser to trust your self-signed certificate if the warning bothers you.

    Once you've tested with a self-signed certificate, try buying a GoDaddy certificate. I believe most modern browsers have GoDaddy as a trusted root certificate authority, so there's no need to accept GoDaddy as a trusted certificate signer, as you had to with the self-signed certificate.

    Buying the Verisign certificate probably isn't worth it; there are probably only a few places that would only trust GoDaddy over Verisign these days (e.g. government, military, etc.)

    • Excellent, thank you for the knowledge.

      When you use the self-generated certificate, your browser will warn you that the certificate isn't signed by a trusted authority (e.g. Verisign, GoDaddy). You can configure your browser to trust your self-signed certificate if the warning bothers you.

      The system is for guests access, accommodation.
      The GoDaddy cert may be the go, I will just have to determine what their requirements are to issue a cert and if I can achieve said requirements, being an internal domain.

      Thanks again

      • https://www.digicert.com/internal-names.htm

        I think you might have to pony up for an internet domain name too, even if the services aren't available on the internet … no biggie, only another $8

        This is why I don't think an SSL certificate will solve your problems.

        • This is why I don't think an SSL certificate will solve your problems.

          Excuse my lack of knowledge on the subject, am I right in thinking the main issue is that the internal domain is not HTTPS?
          In gaining an SSL cert, the internal domain can be recognised as HTTPS?

          I think you might have to pony up for an internet domain name too, even if the services aren't available on the internet … no biggie, only another $8

          Am I reading this right, register a domain name identical to that of my internal domain name, in order to achieve a SSL Cert?
          Am I likely to face any challenges relating to my internal domain not being located/hosted at the same IP?

        • I think I get what you're saying now.

          I would need to secure a domain name.
          Point the domain to the servers IP.
          Ensure the HotSpot server is using a Fully Qualified Domain Name
          Generate a CSR for the domain name, and then request the certificate.

          Have I got that right?

        • @Cheap Charlie:

          https://security.stackexchange.com/questions/136290/enterpri…

          That's a good description of your problem. So I think a certificate signed by GoDaddy should solve the problems.

        • @Cheap Charlie:

          Before I continue, I'm assuming you're using modern devices/browsers and your hotspot has the latest firmware.

          Getting an SSL certificate can help, but probably won't solve all of your issues. Firstly, modern browsers will still inform the user of the re-direct even with a recognised SSL certificate. But your real problem is HTTP Strict Transport Security (HSTS), as used by Facebook and Google. This may prevent anyone getting to your SSL log-in page at all. Modern browsers and operating systems use heuristics to detect hotspots (e.g. by pinging a special URL) and will circumvent this issue (Android gives a hotspot login alert). But sometimes hotspot detection is too slow or fails, or the user doesn't know about the feature or uses fancy obscure browsers.

          To overcome this issue, some hotspot administrators block https to enforce a failure, but the user without a hotspot notification will have to know to visit a non-https website - or in the case you have an SSL cert, a non-HSTS website (since browsers may remember SSL from browsing history even if https isn't entered).

          Of course, you could give users your log-in page but this makes the process more complicated. A generic, memorable non-https website was especially setup for this issue: http://neverssl.com/, but it's not too different to using the log-in page to begin with.

          Update: I just read that non-https doesn't work for you anyway in Edge. Oh well… :)
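The comment above describes the two mechanisms that actually matter: a browser with an HSTS entry for facebook.com or google.com will never send the plain-HTTP request the gateway needs to answer with a 302, while the OS connectivity probes are plain HTTP and are what bring up the "sign in to network" sheet. The following is an added example written for this thread, not the Netcomm HS1200N's code and not from the forum post. It shows the decision a captive portal should make for each request: redirect plain HTTP from unauthenticated devices (probes included), answer probes with the exact body the OS expects once the device is logged in, forward everything else, and refuse TLS rather than present a certificate for somebody else's host. `PORTAL_URL` is an assumption, and the probe hosts and bodies are the ones the major OSes used when this was written and may change; treat them as assumptions too.

```python
"""Captive-portal request classification that cooperates with OS hotspot
probes and never intercepts HTTPS. Added example; not the hotspot's code."""
from http.server import BaseHTTPRequestHandler, HTTPServer

PORTAL_URL = "https://wifi.example.com/login"   # assumption: public-CA cert

# OS connectivity probes: (host, path) -> (status, body) the OS expects when
# the internet is reachable. Any other answer makes the OS show "sign in".
# Assumption: these were the probe endpoints in use at time of writing.
PROBES = {
    ("captive.apple.com", "/hotspot-detect.html"):
        (200, "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"),
    ("connectivitycheck.gstatic.com", "/generate_204"): (204, ""),
    ("www.msftconnecttest.com", "/connecttest.txt"): (200, "Microsoft Connect Test"),
    ("detectportal.firefox.com", "/success.txt"): (200, "success"),
}


def decide(host: str, path: str, authenticated: bool, tls: bool = False) -> tuple:
    """Classify one request from a guest device.

    Returns one of:
      ("forward",)                 device is logged in: pass it to the internet
      ("probe_ok", status, body)   answer an OS probe locally as the OS expects
      ("refuse",)                  unauthenticated TLS: close it, send nothing
      ("redirect", url)            unauthenticated plain HTTP: 302 to the portal
    """
    host = host.lower().split(":")[0]                  # drop any :port suffix
    if authenticated:
        expected = None if tls else PROBES.get((host, path))
        if expected:
            return ("probe_ok", expected[0], expected[1])
        return ("forward",)
    if tls:
        # An HTTPS client (and every HSTS site) will reject any certificate
        # we present for another host. No purchased certificate changes that;
        # fail the handshake fast and let the OS probe bring up the portal.
        return ("refuse",)
    # Every plain-HTTP request, including the probes, goes to the portal.
    # The probe receiving a 302 instead of its expected body is exactly what
    # makes Android/iOS/Windows pop the "sign in to network" sheet.
    return ("redirect", PORTAL_URL)


class PortalHandler(BaseHTTPRequestHandler):
    """Minimal plain-HTTP (port 80) front end around decide(). Login state is
    a stub keyed on client IP; a real gateway keys on MAC+IP and the firewall."""
    authenticated_ips = set()            # assumption: filled by the login page

    def do_GET(self):
        verdict = decide(self.headers.get("Host", ""), self.path,
                         self.client_address[0] in self.authenticated_ips)
        if verdict[0] == "redirect":
            self.send_response(302)
            self.send_header("Location", verdict[1])
            self.send_header("Cache-Control", "no-store")   # never cache the 302
            self.end_headers()
        elif verdict[0] == "probe_ok":
            body = verdict[2].encode()
            self.send_response(verdict[1])
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # "forward" is the firewall's job once the device is authorised;
            # "refuse" cannot occur here because port 80 is never TLS.
            self.send_error(503, "not a captive-portal request")

    def log_message(self, *args):        # keep the demo quiet
        pass


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), PortalHandler).serve_forever()   # demo only
```

With this split, a site like neverssl.com works because it is plain HTTP and the device is unauthenticated, so it lands in the redirect branch; facebook.com over HTTPS lands in refuse, which is the visible "can't connect" failure the comment describes, and only the probe path gets the user to the login page.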

        • @peterpeterpumpkin:

          Excellent information!
          New firmware was released a few weeks ago. I have pushed the update out this morning.
          Monitoring feedback on access presently.

          Blocking HTTPS is a good recommendation, however as you mention guests would then need to be informed to hit a non-HTTPS URL, such as cnn.com.
          As network users are greatly varied in their understanding of tech and ability to follow instructions, I would still expect significant feedback regarding access.

          We did take the step of informing guests of the internal url for log in purposes.
          We still found that some browsers still will not access the internal url, most notably Edge.

          Would I be right in assuming we are limited by the gateways hotspots software?

        • @Cheap Charlie: It seems to be browser specific, so perhaps it's a browser-specific security related issue? If you haven't tried it yet, I suppose getting an SSL-certified fully-qualified domain name is worth testing since you could use it afterwards anyway. Unfortunately I didn't find anything from a quick Google search though.

  • If you're not comfortable with using Let's Encrypt, https://www.gogetssl.com/domain-validation/domain-ssl/ costs you USD4.90 / year (~AUD6.15); GoDaddy is AUD6.59 with GST ;).

    • There is no reason to be uncomfortable with using Let's Encrypt

    • Just regarding GoDaddy, I would never suggest them since so many people forget to turn off auto-renewal and end up paying $99.99 for a year of standard SSL!

      • Good tip for new players.
        Thank you.

        At this point, it would appear a cert will not resolve the access issues.

  • What you have setup is known as a captive portal. https://en.wikipedia.org/wiki/Captive_portal

    Hotels and public wifi often will present the end-user with a login page before they can begin to utilize the internet. The MAC address and IP of the client is basically checked, and if it hasn't been seen before/validated, then the goal is to present them a login screen or equivalent.

    It is historically implemented using a combination of DNS techniques and HTTP redirection (302) - which worked perfectly fine for interception of regular HTTP pages.

    The issue these days is most websites (ozbargain included, google/facebook etc.) require a HTTPS connection. You cannot spoof a HTTPS page without a legitimate certificate that is trusted by the client - by trusted, the certificate chain must be present in the client's trust store. A self-signed certificate won't solve your issue, nor will purchase of a paid certificate. You will get browser security warning popups if you attempt to present the client with a certificate that is not trusted or valid for the target. The only way around it is to install the cert in the client trust store (which won't happen!). This is essentially a man-in-the-middle style configuration, which is often used by big enterprises to allow them to view their employees' https traffic. As the big enterprise owns the desktops, they can directly add custom certificates to the trust store. In your case however, you don't own the client's device - so you cannot add a cert.

    What you want to look into is RFC7710 - which essentially allows, as part of the client's DHCP request for IP address and DNS assignment, information to be returned to the client that identifies that the network requires captive portal login.

    Read this:
    http://community.arubanetworks.com/t5/Technology-Blog/Captiv…
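The RFC 7710 mechanism mentioned above is a DHCP option carrying the portal URI, so the client learns where to log in without anyone intercepting web traffic. The following is an added example written for this thread, not code from the forum post or from the Netcomm product. It encodes the DHCPv4 Captive-Portal option and parses it back out of a raw DHCP options field, including PAD/END handling and truncated input. Two caveats worth knowing: RFC 8910 later obsoleted RFC 7710 and moved the DHCPv4 option from code 160 (which collided with an existing vendor use) to code 114, and under RFC 8910 the URI points at a small JSON API (RFC 8908) rather than straight at the login page; client support only arrived in much later OS releases, so the HTTP probes remained the practical mechanism for a long time. The sample options blob is constructed for the example, and the URI in it is an assumption.

```python
"""DHCPv4 Captive-Portal option (RFC 7710 / RFC 8910) encode and parse.
Added example for the thread; not the hotspot vendor's code."""
import struct

OPT_PAD = 0
OPT_CAPTIVE_PORTAL = 114       # RFC 8910 code; RFC 7710 originally used 160
OPT_CAPTIVE_PORTAL_OLD = 160   # deprecated, still accepted when parsing
OPT_DHCP_MESSAGE_TYPE = 53
OPT_END = 255
DHCPACK = 5


def encode_captive_portal_option(uri: str, code: int = OPT_CAPTIVE_PORTAL) -> bytes:
    """Build the option TLV: one byte code, one byte length, ASCII URI."""
    data = uri.encode("ascii")          # the RFC requires an ASCII URI
    if not 1 <= len(data) <= 255:
        raise ValueError("URI must be 1..255 bytes to fit one DHCPv4 option")
    return struct.pack("!BB", code, len(data)) + data


def parse_options(blob: bytes) -> dict:
    """Walk a DHCPv4 options field (the bytes after the magic cookie) into
    {code: value}. PAD is skipped, END stops the walk, repeated codes are
    concatenated (RFC 3396), and a truncated option raises ValueError
    rather than silently returning a partial value."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d at offset %d" % (code, i))
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def captive_portal_uri(blob: bytes):
    """Return the portal URI advertised in a DHCP options field, or None.
    Prefers the RFC 8910 code but accepts the RFC 7710 one."""
    opts = parse_options(blob)
    for code in (OPT_CAPTIVE_PORTAL, OPT_CAPTIVE_PORTAL_OLD):
        if code in opts:
            return opts[code].decode("ascii")
    return None


def build_sample_options() -> bytes:
    """Constructed sample: the options a DHCPACK from the gateway might carry.
    The URI is an assumption for the example."""
    return (bytes([OPT_DHCP_MESSAGE_TYPE, 1, DHCPACK])
            + encode_captive_portal_option("https://wifi.example.com/captive-api")
            + bytes([OPT_PAD, OPT_END]))


if __name__ == "__main__":
    print(captive_portal_uri(build_sample_options()))
```

Whether this helps a given guest depends on two things the operator does not control: the DHCP server in the gateway must be able to send an arbitrary option, and the guest's OS must implement the client side; if either is missing, the device falls back to the HTTP probe behaviour described in the earlier comments.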

    • Well, from every thing I have read you are spot on.

      Looks like we are limited by the HotSpot Gateway's OS.
      NetComm released new firmware 2 weeks ago, which I have pushed out this morning.
      The release notes briefly mention improved compatibility for browsers.
      Monitoring guest access feedback with the new firmware.

      MS Edge is 100% problematic for access.
      Ignoring the security warning is not an option in Edge and hitting a non-HTTPS URL such as cnn.com still blocks the redirection.

      If access continues to be an issue, I am really not sure what direction to head in.
      It would appear NetComm are aware of the issue.
