2015/11/01

SSL Test Certificate Bleed

Many of the people I have worked with will know of my distaste for self signed SSL certificates in test environments. Once you have built a tool to generate and distribute these 'cruft' flakes they invariably spread. The worst case scenario is if these certs end up in your production environment. The real question to ask is will developers take the path of least resistance and skip SSL validation.

I have always advocated using genuine certificates for all build environments. This approach is usually resisted with the vigor of a grad dev defending his favourite language. I don't know why. With a little planning it is easy to use a subdomain, with implementation costs typically in the double digits per year. Usually the argument has more to do with resistance to fixing something that 'works'.

The recent news of symantec accidentally releasing test certificate is a really good counter case. This is one test environment that really should use a self signed cert. The Web needs security and the certificate issuance companies could be the weakest link.

No comments:

Post a Comment