    • Reid Cooper

      SSL Decryption of American K12 School in Connecticut: Legality?

      IT Discussion security ssl ssl decryption
      1 Votes
      3 Posts
      1k Views
      scottalanmiller

      @Obsolesce said in SSL Decryption of American K12 School in Connecticut: Legality?:

      Here are some points to consider:

      Consent and Notification: It's essential to have explicit consent from parents or legal guardians if students are minors. Even if students are not employees, they still have privacy rights. Proper notification to both students and parents is crucial.

      FERPA Compliance: The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. Any monitoring should be in compliance with FERPA regulations to avoid violations.

      Children's Online Privacy Protection Act (COPPA): If the school is providing online services or websites to students under the age of 13, COPPA may come into play. It requires obtaining parental consent for collecting personal information from children.

      Vendor Liability: If a breach of student private communications occurs due to IT or vendor mistakes, there could be potential liability issues. Schools should have agreements in place with vendors that address data security and liability.

      Local and State Laws: Laws regarding electronic surveillance, data privacy, and education can vary by state and locality. It's important to consult with legal experts who are knowledgeable about local regulations.

      Balancing Security and Privacy: Schools must strike a balance between ensuring network security and respecting student privacy. An overly intrusive monitoring system could raise concerns.

      Ultimately, it's crucial to consult with legal counsel who specializes in education law and data privacy to ensure that the school system's practices comply with all applicable laws and regulations. Additionally, a transparent and well-documented approach to monitoring, including clear notification to students and parents, can help mitigate potential legal risks.

      This is good input. Ultimately liability is going to come down to primarily local laws and statutes and what the legal department of the district has done to ensure safety and indemnification, and of course what transparency, notification and consent has been granted. That students are required to attend school, are not employees or at will, and are minors make this not just different, but essentially the opposite, of an employment situation. Any breach of privacy (not meaning a breach of IT systems, but the IT systems themselves) could violate constitutional rights as well as international human rights...

      From a law firm on US right to privacy... "The right to privacy is a fundamental human right, and it is recognized by international treaties and many countries’ Constitutions. The Universal Declaration of Human Rights recognizes the right to privacy in Article 12, and the International Covenant on Civil and Political Rights further elaborates on the right to privacy in Article 17.

      At the same time, different countries have different laws and regulations when it comes to privacy. In the United States, for example, the Fourth Amendment to the Constitution protects citizens from unreasonable searches and seizures by the government. This has been interpreted by the courts to include the right to privacy."

      Even if students are not minors, the question is whether this constitutes unreasonable search leading to violation of privacy. And of course if it puts minors at risk, that's an additional concern.

    • Oksana

      A Self-Signed Certificate Instead of Default ESXi SSL: A 101 Introduction

      Starwind starwind ssl esxi vmware
      1 Votes
      1 Posts
      517 Views
      No one has replied
    • Oksana

      Microsoft Certificate Server: Automatic Enrollment!

      Starwind microsoft active directory ssl
      1 Votes
      1 Posts
      615 Views
      No one has replied
    • DustinB3403

      IIS subdomain redirect to HTTPS

      IT Discussion ssl iis redirect subdomain
      0 Votes
      8 Posts
      1k Views
      dbeato

      @DustinB3403 If it is not DNS, firewall is always a problem lol. Nice find.

    • 1

      SSL/TLS client certificates questions

      IT Discussion ssl tls certificate https proxy linux mtls
      0 Votes
      9 Posts
      2k Views
      1

      @flaxking said in SSL/TLS client certificates questions:

      Domain name doesn't matter, unless you're signing with a public CA. I'd think self-signed vs internal CA vs public CA would depend on what the authentication mechanism supports and how you have to manage the certificates (i.e. if there are going to be a ton of them it might be easier for the authentication mechanism just to trust certificates signed by a certain internal CA rather than having to make each certificate trusted).

      From what I've seen so far, I've come to the same conclusion.

    • gjacobse

      NextCloud SSL Cert

      Unsolved IT Discussion nc nextcloud ssl lets encrypt hostmonster
      0 Votes
      7 Posts
      1k Views
      JaredBusch

      @scottalanmiller said in NextCloud SSL Cert:

      @JaredBusch hard to resist the call of the Natty Light.

      I ran out of Blue Moon.

    • JaredBusch

      How to use a Cloudflare origin certificate on an Azure App

      IT Discussion origin certificate ssl cloudflare azure
      4 Votes
      1 Posts
      817 Views
      No one has replied
    • scottalanmiller

      Dovecot error:140760FC

      IT Discussion dovecot email tls ssl pop3 starttls
      0 Votes
      4 Posts
      1k Views
      wrx7m

      Date/Time issue?

    • JaredBusch

      Setup a Cloudflare Origin Certificate for use on a backend server

      IT Discussion cloudflare origin certificate ssl
      2 Votes
      18 Posts
      3k Views
      scottalanmiller

      @FATeknollogee said in Setup a Cloudflare Origin Certificate for use on a backend server:

      @scottalanmiller said in Setup a Cloudflare Origin Certificate for use on a backend server:

      @FATeknollogee said in Setup a Cloudflare Origin Certificate for use on a backend server:

      noob question here:
      If you're hosting on Cloudflare, this should be used instead of LE?

      Not about "should", it's about which makes more sense for you in a given situation.

      "could" would probably have been a better word choice.

      Yup, you definitely can 🙂

    • DustinB3403

      No matter what the website is it needs to have SSL setup

      IT Discussion ssl https
      -2 Votes
      2 Posts
      581 Views
      Dashrender

      Didn't we have one of these threads last year?

      tags - please?

    • scottalanmiller

      Converting CRT and PEM files to RSA

      IT Discussion ssl trend micro imsva openssl rsa godaddy certs
      0 Votes
      7 Posts
      2k Views
      scottalanmiller

      Found this which didn't help, but could be a useful reference in the future...

      OpenSSL Convert PEM
      Convert PEM to DER

      openssl x509 -outform der -in certificate.pem -out certificate.der

      Convert PEM to P7B

      openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

      Convert PEM to PFX

      openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

      OpenSSL Convert DER
      Convert DER to PEM

      openssl x509 -inform der -in certificate.cer -out certificate.pem

      OpenSSL Convert P7B
      Convert P7B to PEM

      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

      Convert P7B to PFX

      openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

      openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

      OpenSSL Convert PFX
      Convert PFX to PEM

      openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

    • scottalanmiller

      Standard Email Ports and Protocols

      IT Discussion email mta mda smtp pop3 imap imap4 imaps smtps starttls tls ssl
      1 Votes
      1 Posts
      684 Views
      No one has replied
    • IRJ

      NGINX Reverse Proxy Help - Error code: SSL_ERROR_RX_RECORD_TOO_LONG

      IT Discussion kibana nginx ssl reverse proxy
      1 Votes
      4 Posts
      3k Views
      IRJ

      @black3dynamite said in NGINX Reverse Proxy Help - Error code: SSL_ERROR_RX_RECORD_TOO_LONG:

      In the server block, add ssl_protocols TLSv1.2; and reload nginx

      no joy. Incognito mode did not work either.

    • scottalanmiller

      Fedora 29 Apache HTTPD Keeps Adding ssl.conf

      IT Discussion linux fedora fedora 29 apache httpd ssl
      0 Votes
      13 Posts
      2k Views
      scottalanmiller

      @dafyre said in Fedora 29 Apache HTTPD Keeps Adding ssl.conf:

      Have you tried creating a blank ssl.conf file and then chmod +i ssl.conf ?

      I've not, but that's such a hockie way of doing it, I was hoping not to.

    • DustinB3403

      Do you setup SSL for Intranet websites only

      IT Discussion ssl internal websites
      0 Votes
      27 Posts
      4k Views
      Obsolesce

      @dustinb3403 said in Do you setup SSL for Intranet websites only:

      Near-zero value in someone attacking is what I meant. Not a zero-value in what is provided by the systems. Also there is nothing confidential or needing "security" from a business perspective, which is why I ask is SSL worth it for these types of Intranet sites?

      You need SSL for everything period. Even if it's a self-signed cert it's fine... just allow the exception in the web browser and be done, or use an internal certificate if your browsers are set to trust the root... or a domain wildcard cert would work just fine. It's easy to do.

      You could set out a reverse proxy for use with Let's Encrypt, and use the reverse proxy for all of your internal-only web servers. On the reverse proxy, you can limit each site config to only pass internal IPs only. That's what I did for a few. For example, if you add this in:

      allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16; deny all;

      It will not proxy anything unless it comes from an internal IP.

    • scottalanmiller

      Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt

      IT Discussion ssl ssl certificates lets encrypt iis windows windows server acme ssl wildcard
      5 Votes
      19 Posts
      17k Views
      scottalanmiller

      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

      @scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that just defeats the purpose of LE.

      Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

      One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

      Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

      It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one.

      Got it thanks. Looks like a bit of a learning curve then. 🙂

      It's not bad. I find learning the LE pieces easier than learning to do it the old fashioned way 🙂 And with LE it is "learn once and ignore", rather than "learn once, forget, do again in a year or two all over again."

    • dbeato

      Ubiquiti Unifi Video SSL Certificate

      IT Discussion ubnt unifi video ssl
      2 Votes
      1 Posts
      820 Views
      No one has replied
    • DustinB3403

      XOCE and Let's Encrypt

      IT Discussion xen orchestra community certbot lets encrypt ssl https
      0 Votes
      10 Posts
      3k Views
      DustinB3403

      And this person has a full guide https://xcp-ng.org/forum/topic/3775/xen-orchestra-from-source-with-let-s-encrypt-certificates

    • AdamF

      IIS Security setup

      IT Discussion iis powershell security ssl
      0 Votes
      17 Posts
      3k Views
      AdamF

      @psx_defector said in IIS Security setup:

      Best practice isn't up to date.

      Set it to PCI 1.2, that disables TLS1.0, all the AES stuff, etc. etc. You can also disable them manually in the first screen.

      Great, thanks.

    • wirestyle22

      Generating CSR for RDS server using Subdomain

      IT Discussion csr rds ssl tls certificate
      1 Votes
      3 Posts
      1k Views
      wirestyle22

      I had some confusion because of the age of the old CSR. It doesn't line up with the correct dates. I'll edit my original post when I know more.
