Checking with the group here on self signed certs ...
# security
a
Checking with the group here on self signed certs vs wildcard certs for public facing sub-domains. What is the preference and what is industry standard in terms of security?
r
Self-signed certs are a user experience issue. Wildcard certs are fine as long as you can keep track of everywhere they are used, and make sure all those endpoints are secure. There isn't anything more inherently insecure in a wildcard cert than in multiple single-domain certs.
There's the theoretical security concern over someone getting the key and setting it up on a new domain, but they'd also have to have access to your DNS to create that domain, or be able to do DNS injection against their targets. I'm not sure in how many real-world scenarios that's actually happened. Probably more than zero, but nothing in security is zero, so 🤷
h
If I came across a public-facing domain and it was self-signed, to me that would scream phishing or man-in-the-middle attack. In the age of Let's Encrypt I don't think there is a need; even on internal sites you can use something like https://smallstep.com/
j
I think the industry standard is to just generate a bunch of new certificates using automation (new at least on each deploy, if not more frequently than that) and not use wildcards or self-signed, but if you need to pick between the two then @Ryan Alder nailed it. There is a push to reduce the max lifetime that a browser will honor for certs to 90 days, although I'm not sure how likely it will be.