Jacco Landlust and I have been presenting together for a few years now, mostly around building robust and secure Fusion Middleware platforms. One point that we have made every single year has been to set up SSL/TLS properly, which means using freshly-created certificates and not doing silly things like disabling hostname verification in WebLogic.
There’s nothing at all controversial in this approach – in fact I attended a presentation at OpenWorld 2014 given by Will Hopkins, Oracle’s WebLogic Security Architect, where he too said the same thing:
WebLogic makes it pretty obvious that this isn’t recommended behaviour in its log too:
<Alert> <Security> <BEA-090152> <Demo trusted CA certificate is being used in production mode: The system is vulnerable to security attacks, since it trusts certificates signed by the demo trusted CA.> <Security> <...> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1413115751661> <BEA-090152> <Demo trusted CA certificate is being used in production mode: Version: V3 Subject: CN=CACERT, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US Signature Algorithm: MD5withRSA, OID = 1.2.840.1135126.96.36.199
Then, over a drink at the DOAG 2014 conference in November, Jacco and I were both lamenting the fact that we’d seen demo certificates in use in production again this year, and thought we needed a better way to get the message across… so we came up with this idea for a T-shirt!
Needless to say we had a bit of debate about whether this was leaving the system unlocked, giving out a master key, wearing a blindfold, etc, but I think this phrase that Jacco came up with was most catchy alternative!
Oh, and in case it wasn’t obvious…
(With thanks to Lonneke for taking the photos!)