How to get IE to stop complaining about a self-signed certificate?

exampasser Member Posts: 718
I sadly have to use IE for an MS application, and it keeps giving me that darn "There is a problem with this website's security certificate." page, I've tried several solutions that I read including adding the website to the trusted sites list and installing the certificate in the Trusted Root Certification Authorities store with no luck. The certificate does not match the site's URL (the certificate simply shows the server's FQDN which has a .local instead of the public web address) which I have read will always cause the error message to come up with IE.

Comments

  • aordal Member Posts: 372
    Have you tried unchecking "Warn about certificate address mismatch" from Internet Options | Advanced | Security
  • exampasser Member Posts: 718
    Thanks, that worked. I wasn't expecting that there would be a simple solution with IE.
  • Devilsbane Member Posts: 4,214
    exampasser wrote: »
    Thanks, that worked. I wasn't expecting that there would be a simple solution with IE.

    This might ease your headache, but it could also open you up to attacks. Use with caution.
    Decide what to be and go be it.
  • keatron Member Posts: 1,213
    Do know that disabling this makes you VERY open to man-in-the-middle attacks without you knowing it's going on. If someone is able to ARP spoof you and successfully divert traffic between you and whatever SSL server you're communicating with to them, then they'll most likely establish an SSL session between them and the server and another SSL session between them and you.

    Before attack:
    YOU>>>>>>>>>Server

    After attack
    YOU>>>>>>>Attacker>>>>>>>Server.

    One classic way to know this is happening when SSL is in use is the self-signed cert message popping up. To make this work and be able to see your encrypted traffic, they'll have to forge a fake copy of the real web server's certificate. The only way to do this is to self-sign it. So instead of VeriSign or another trusted CA signing it, the attacker will. This would cause you to get the popup message that complains about it being self-signed. Except you just disabled it.

    Sounds like a lot of the websites you're visiting use self-signed certs. But what if someone MITMs you and your bank, who most likely DOES NOT use self-signed certs? You know this because you don't get those popups there, right? Well, now you'd never know.

    Just wanted to inform. But you know your annoyance vs security threshold better than anyone!

    :)
  • exampasser Member Posts: 718
    keatron wrote: »
    Do know that disabling this makes you VERY open to man-in-the-middle attacks without you knowing it's going on. If someone is able to ARP spoof you and successfully divert traffic between you and whatever SSL server you're communicating with to them, then they'll most likely establish an SSL session between them and the server and another SSL session between them and you.

    Before attack:
    YOU>>>>>>>>>Server

    After attack
    YOU>>>>>>>Attacker>>>>>>>Server.

    One classic way to know this is happening when SSL is in use is the self-signed cert message popping up. To make this work and be able to see your encrypted traffic, they'll have to forge a fake copy of the real web server's certificate. The only way to do this is to self-sign it. So instead of VeriSign or another trusted CA signing it, the attacker will. This would cause you to get the popup message that complains about it being self-signed. Except you just disabled it.

    Sounds like a lot of the websites you're visiting use self-signed certs. But what if someone MITMs you and your bank, who most likely DOES NOT use self-signed certs? You know this because you don't get those popups there, right? Well, now you'd never know.

    Just wanted to inform. But you know your annoyance vs security threshold better than anyone!

    :)

    I know that self-signed certs run the risk of a man-in-the-middle attack. The only website I'm accessing that uses a self-signed cert is that of a small workplace server, used for RDPing into computers (they outsource IT work to a small business that doesn't go much further than installing A/V software on computers when it comes to security). That's really the only thing that I use IE for.
  • Daniel333 Member Posts: 2,077
    Can you create a hosts file entry with the correct DNS information pointing the IP address of the site? Might be better than disabling IE's security. IE has got enough problems.
    -Daniel
  • RobertKaucher Member Posts: 4,299
    Daniel333 wrote: »
    Can you create a hosts file entry with the correct DNS information pointing the IP address of the site? Might be better than disabling IE's security. IE has got enough problems.

    You guys understand that in this instance, when one single certificate has been added to the ignore list, the increased security risk is so small it is insignificant?

    This is like an obese man who has been diagnosed with diabetes and heart disease obsessing about drinking Coke Zero because it is associated with some exceptionally rare form of cancer.

    Make a C-Name in DNS.

    How would this supposed man-in-the-middle be executed? A DNS entry would have to be made in their DNS servers or their HOSTS files would need to be modified. The attacker would need to have enough knowledge about the network to understand that the exception had been made, the cert was self-signed, and what the server was being used for so that he did not ruin the attack by making it easily detectable. He would also likely require high-level access to the server's file system to get the cert in the first place.

    For this to occur there would already be a much, much greater issue going on that in no way would be prevented or even slowed down by not adding an exception for a single, self-signed cert on a single box. The attacker had already announced checkmate in 3 moves!
  • it_consultant Member Posts: 1,903
    Thank you Robert, I was going to point out the extreme difficulty of pulling this off. I ran across a paper a while ago that surmised that a foreign government could fake a popular website (gmail, banks, etc) and exploit the sheer number of certs that IE will accept by simply buying the same cert that was issued to say, Bank of America, from a different cert provider.

    They could then target your computer by giving you false DNS replies to send you to their fabricated website. This website would have to be so good that you don't realize that it's not truly Gmail or whatever. Then, you would put your username and password in and, using SSL strip (with a hardware device surreptitiously placed in line with your network), they could crack your password and see all your traffic.

    The logistics of something like this are outrageous considering it's way easier to crack a password by correctly guessing the challenge questions for a password reset.
  • RobertKaucher Member Posts: 4,299
    Thank you Robert, I was going to point out the extreme difficulty of pulling this off. I ran across a paper a while ago that surmised that a foreign government could fake a popular website (gmail, banks, etc) and exploit the sheer number of certs that IE will accept by simply buying the same cert that was issued to say, Bank of America, from a different cert provider.

    They could then target your computer by giving you false DNS replies to send you to their fabricated website. This website would have to be so good that you don't realize that it's not truly Gmail or whatever. Then, you would put your username and password in and, using SSL strip (with a hardware device surreptitiously placed in line with your network), they could crack your password and see all your traffic.

    The logistics of something like this are outrageous considering it's way easier to crack a password by correctly guessing the challenge questions for a password reset.

    Before you spend time/money to secure your chimney so as to ensure that a chubby elf who dresses in red and rides flying reindeer cannot get down it, you should first consider the probability that said elf does not even exist.
  • colemic Member Posts: 1,569
    You guys understand that in this instance, when one single certificate has been added to the ignore list, the increased security risk is so small it is insignificant?

    It's not an ignore/exceptions list, it's a checkbox to either warn about certificate mismatch or don't warn about certificate mismatch.

    Whether the risk is small or not depends largely on your circumstances. In this case, he mitigates the risk by virtue of it being a small workplace server, and only using IE for this purpose. If it was his everyday workhorse browser, it would be a significant risk.
    Working on: staying alive and staying employed
  • Devilsbane Member Posts: 4,214
    colemic wrote: »
    It's not an ignore/exceptions list, it's a checkbox to either warn about certificate mismatch or don't warn about certificate mismatch.

    Whether the risk is small or not depends largely on your circumstances. In this case, he mitigates the risk by virtue of it being a small workplace server, and only using IE for this purpose. If it was his everyday workhorse browser, it would be a significant risk.

    This same checkbox is going to warn him if the certificate being used was issued for a different site or if it is expired. If that one page is the only one that he accesses and he mindlessly clicks continue without looking it over, then yes, the risk is small.

    But if he is accessing other SSL pages as well, then he just told IE not to warn him of an attack.
    Decide what to be and go be it.
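    To make concrete what the warning in this thread is actually checking, here is an added example (not code from the thread, from Microsoft, or from IE) that runs the same three checks a browser performs on a server certificate: does a name in the certificate match the host name typed into the address bar, is the certificate inside its validity period, and is it signed by anyone other than itself. It works on a certificate dictionary in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it can be pointed at a real peer certificate; the certificate below, its `rdpgw.corp.local` and `remote.example.com` names and the dates are all constructed for the example. It also shows why Daniel333's hosts-entry/CNAME suggestion works: only the name in the URL is compared against the certificate, so browsing to the certificate's own FQDN clears the mismatch without touching the checkbox.

```python
import ssl

# Constructed sample certificate, shaped like the dict that
# ssl.SSLSocket.getpeercert() returns. The names are made up: an internal
# box with a .local FQDN that signed its own certificate (issuer == subject),
# which is the situation described in the original question.
INTERNAL_CERT = {
    "subject": ((("commonName", "rdpgw.corp.local"),),),
    "issuer": ((("commonName", "rdpgw.corp.local"),),),
    "subjectAltName": (("DNS", "rdpgw.corp.local"),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jan  1 00:00:00 2012 GMT",
}

# A point in time inside the certificate's validity window (constructed).
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2011 GMT")


def cert_dns_names(cert):
    """Names the certificate is valid for: the SAN dNSName entries, or the
    subject CN only when no SAN is present (the RFC 6125 fallback rule)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive DNS name match allowing one wildcard, in the leftmost
    label only: '*.corp.local' matches 'a.corp.local' but not 'a.b.corp.local'
    and not the bare 'corp.local'."""
    p = pattern.lower().split(".")
    h = hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def is_self_signed(cert):
    """A self-signed certificate names itself as its own issuer."""
    return cert.get("subject") == cert.get("issuer")


def check_cert(cert, hostname, now=None):
    """Return the problems a browser would warn about for this certificate
    presented by `hostname`, in the order they are checked:
    address mismatch, validity period, then untrusted (self-signed) issuer."""
    now = NOW if now is None else now
    problems = []
    if not any(name_matches(n, hostname) for n in cert_dns_names(cert)):
        problems.append("address mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if is_self_signed(cert):
        problems.append("self-signed")
    return problems


if __name__ == "__main__":
    # The public name the poster was typing fails on the address check and
    # on trust; the certificate's own FQDN fails on trust only.
    for host in ("remote.example.com", "rdpgw.corp.local"):
        print(f"{host:22s} -> {check_cert(INTERNAL_CERT, host) or ['ok']}")
```

    Run against the constructed certificate, the public name reports both "address mismatch" and "self-signed", while the certificate's own `.local` name reports only "self-signed". That split is the whole thread in one line: pointing the certificate's name at the server (hosts entry or CNAME) removes the first warning, and importing the certificate into the Trusted Root store removes the second, which leaves the address-mismatch checkbox enabled for every other site. Replace `INTERNAL_CERT` with the dict from `getpeercert()` on a real connection to check a live server the same way.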
  • RobertKaucher Member Posts: 4,299
    Sorry guys. I consider myself schooled. I was confusing IE with FF and its exception list. Regardless, you should only have to import the cert in IE for it to work and not force IE to allow you to get 0wned. Rep to all who corrected me.
  • Devilsbane Member Posts: 4,214
    Sorry guys. I consider myself schooled. I was confusing IE with FF and its exception list. Regardless, you should only have to import the cert in IE for it to work and not force IE to allow you to get 0wned. Rep to all who corrected me.

    Well, there is another solution. Install FF on this machine and use it for that page.
    Decide what to be and go be it.