Security issues using .LOCAL in SAN cert

    We've been deploying Exchange 2007/2010 for some time now, and always used a trusted UCC/SAN cert for our Exchange deployments, to minimize headaches. All goes well.

    Recently, I read somewhere (Can't find it) that you should NOT be using .LOCAL addresses in certificates for security reasons. Now, since Microsoft could never decide on using .LOCAL or your real domain name, we always used .LOCAL. We much prefer split DNS, and we did a lot of SBS installs that always said to use .LOCAL.

    Now that most of our domains are .LOCAL and we have to include this on our UCC certs, I'm concerned about the security. Since there's no way to verify .LOCAL addresses, anyone can get one. I realize you need more than just a .LOCAL address on your UCC cert, so... Maybe it's an overreaction, but I don't know enough about SSL man-in-the-middle and other types of attacks.

    Can anyone speak to this at all? Thanks.

#2 Re: Security issues using .LOCAL in SAN cert

    I call bulls*it.
    What does it do for security? Sounds like the normal kind of paranoid stuff we get from people who want to hide the information in the headers.
    So the internal name of your network is exposed on the public facing certificate. Big deal. Not having that information will slow down an attacker for 30 seconds at most.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



#3 Re: Security issues using .LOCAL in SAN cert

    Originally posted by DiPersiaTech:
    > We've been deploying Exchange 2007/2010 for some time now, and always used a trusted UCC/SAN cert for our Exchange deployments, to minimize headaches. All goes well.
    >
    > Recently, I read somewhere (Can't find it) that you should NOT be using .LOCAL addresses in certificates for security reasons. Now, since Microsoft could never decide on using .LOCAL or your real domain name, we always used .LOCAL. We much prefer split DNS, and we did a lot of SBS installs that always said to use .LOCAL.
    >
    > Now that most of our domains are .LOCAL and we have to include this on our UCC certs, I'm concerned about the security. Since there's no way to verify .LOCAL addresses, anyone can get one. I realize you need more than just a .LOCAL address on your UCC cert, so... Maybe it's an overreaction, but I don't know enough about SSL man-in-the-middle and other types of attacks.
    >
    > Can anyone speak to this at all? Thanks.
    The only way an SSL MITM attack would occur is if your SSL certificate was forged. To be honest, that is highly unlikely, as it has to go back up to a trusted root, which would also mean the public CA would be compromised.
    There is nothing wrong with exposing your domain name in the certificate, as this is the intended purpose for core functionality. Either way, the contents of a certificate are somewhat anecdotal to a wily attacker if he is really intent on breaking into your network.
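As an added example (not code from this thread or from any of its posters), a small Python audit of a certificate's SAN list that separates names a public CA can validate through public DNS from names it cannot, which is the concern behind the original question about .LOCAL entries. The suffix list and the sample SAN entries are constructed assumptions, not values from the thread.

```python
"""Audit Subject Alternative Names for entries no public CA can validate.

Names under non-public suffixes such as .local, single-label hostnames and
private IP addresses have no owner in public DNS, so domain validation cannot
prove who controls them. Listing them tells an admin which names must come
from an internal CA or be replaced by a public name (split DNS) instead.
"""
import ipaddress

# Constructed list for this example: .local is reserved for mDNS (RFC 6762);
# the others are common intranet choices that are not delegated in public DNS.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".intranet")


def classify_san(name: str) -> str:
    """Return 'public', 'private-ip', 'non-public-suffix' or 'single-label'."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):          # wildcard entries: judge the base name
        name = name[2:]
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        pass                            # not an IP literal, treat as a DNS name
    else:
        private = ip.is_private or ip.is_loopback or ip.is_link_local
        return "private-ip" if private else "public"
    if "." not in name:
        return "single-label"
    if name.endswith(NON_PUBLIC_SUFFIXES):
        return "non-public-suffix"
    return "public"


def audit_sans(sans):
    """Split a SAN list into validatable names and unvalidatable ones with reasons."""
    report = {"validatable": [], "unvalidatable": {}}
    for san in sans:
        kind = classify_san(san)
        if kind == "public":
            report["validatable"].append(san)
        else:
            report["unvalidatable"][san] = kind
    return report


# Constructed sample resembling an Exchange UCC certificate's SAN list.
SAMPLE_SANS = ["mail.example.com", "autodiscover.example.com",
               "exch01.example.local", "exch01", "10.0.0.5"]

if __name__ == "__main__":
    for name, reason in audit_sans(SAMPLE_SANS)["unvalidatable"].items():
        print(f"{name}: {reason}")
```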
