Security Concerns Using Self-Signed Cert and SSL-VPN
Looking for clarification on how SSL-VPN uses self-signed certificates, and I have two questions. 1. How secure is it sending login info to download the NetExtender client over the internet? 2. How secure is it putting the login info in NetExtender with the self-signed cert?
I noticed in videos like this one https://www.youtube.com/watch?v=sLBv8OXcqJ8 (time: 3:31) when the application is downloaded from the SonicWall device over the internet, using format https://IPaddress:4433, the self-signed certificate fails. Isn’t this a risk putting in credentials at this point? What is the risk using NetExtender with the failing self-signed cert?
Failed cert screenshot logging into SonicWall device to download NetExtender.
@works2020 did you have a look at this discussion? I guess it covers what you're looking for.
@BWC I think you forgot a link.
But just because a cert is self-signed doesn't mean the traffic isn't encrypted, because it is.
Read up: https://en.wikipedia.org/wiki/HTTPS
@TKWITS I'm deploying a bunch of Gen7 appliances at the moment, wasn't paying enough attention :)
That's the discussion from the past which might fit.
I think the main point of my post wasn't addressed, although it's nice to clarify that a self-signed cert is as secure as one from a CA.
After reading over I realize I could have worded things better. The main point I'm trying to address is I've watched plenty of how-to videos that show the cert warning, meaning logging in isn't trusted and information could be compromised. If you watch the video and go to 3:31 you'll see what I'm talking about.
The next question is without a cert from a CA and using a self-signed cert the same way it's shown in the video, is NetExtender secure? I noticed the video doesn't mention upgrading the self-signed cert to one from a CA.
Define 'secure' in the context of the new question... otherwise you're asking the same question.
With a self-signed cert that fails when going to https://ipaddress:4433 we know passwords are at risk sent in cleartext.
Does the same risk remain present when logging in using NetExtender and the same IPaddress:4433?
I just answered my own question after testing again. It's secure even when not trusted; I had this switched around in my head, thinking it allowed passwords to be sent in cleartext. Note, the security alert below pops up when accessing SSL-VPN through NetExtender.
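
Added example, not from any poster in this thread and not SonicWall code: the certificate warning discussed above means the server's identity is unverified, while the session itself is still encrypted. One way to close that gap for a self-signed cert is to compare the SHA-256 fingerprint served on port 4433 with a value recorded from the appliance over a trusted path. The function names, the sample bytes and the recorded fingerprint are assumptions.

```python
import hashlib
import hmac
import socket
import ssl
import sys

# Constructed placeholder bytes for offline checks, not a real certificate.
SAMPLE_CERT = b"constructed placeholder, not a real certificate"


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fingerprint: str) -> bytes:
    # Accept "AA:BB:..", "aa bb .." or plain hex as the recorded value.
    return fingerprint.replace(":", "").replace(" ", "").lower().encode()


def matches_pin(der_cert: bytes, pinned_fingerprint: str) -> bool:
    """True only if the certificate hashes to the recorded fingerprint."""
    presented = _normalize(sha256_fingerprint(der_cert))
    return hmac.compare_digest(presented, _normalize(pinned_fingerprint))


def fetch_cert_der(host: str, port: int = 4433, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the server presents. Nothing is trusted here and
    no credentials are sent; the handshake is used only to read the cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # self-signed: chain validation would fail
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def appliance_is_expected(host: str, pinned_fingerprint: str, port: int = 4433) -> bool:
    return matches_pin(fetch_cert_der(host, port), pinned_fingerprint)


if __name__ == "__main__":
    # Usage: python check_pin.py <host> <fingerprint recorded from the appliance>
    if appliance_is_expected(sys.argv[1], sys.argv[2]):
        print("Certificate matches the recorded fingerprint.")
    else:
        print("MISMATCH: do not enter credentials at this endpoint.")
        sys.exit(1)
```

A mismatch means the endpoint presenting the warning is not the certificate that was recorded, which is the case a click-through hides.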