We highly recommend you use SSL. But in fact, we don't necessarily enforce it because, well, we can't tell you what to do ;-)
That said, it's important to note that *even if* you don't use SSL and someone steals that ticket, they can only access that application for the duration of that session (since once that session expires they need to re-log in). A man-in-the-middle attack on one application does not compromise the password OR any other services (unless the application proxies into other applications).

If you think the documentation would benefit from more explicit documentation about SSL, please add some. We'll review what you've added.

Thanks,
Scott

On Tue, Feb 23, 2010 at 9:23 AM, n99 <[email protected]> wrote:
>
> Thanks
> Could I add that maybe the wiki mentions something about the reasons behind
> good practice of SSL in services?
>
> We've recently advised an external supplier to use a CAS client against our
> CAS server and they have pulled us up on the fact that "in fact on page 5
> of the CAS protocol specification, the example service url parameter is
> http%3A%2F%2Fwww.service.com......."
>
> I myself only really thought about the issue after reading posts to the
> cas-user mailing list. :)
>
> Kind regards
>
> nomit
> --
> View this message in context:
> http://n4.nabble.com/protecting-the-cas-service-ticket-from-man-in-the-middle-attacks-tp1561525p1565946.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
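The thread's point is that a service ticket sent to a plain-http service URL is exposed in transit, and that the spec's own example (`http%3A%2F%2Fwww.service.com...`) does not encourage https. The following is an added illustration, not code from the thread or from the CAS project: a server-side policy check on the `service` parameter that rejects non-https callbacks and hosts outside an allow-list. The hostnames and the `check_service_url` function name are assumptions made for the example; the `service` values in the demo are constructed.

```python
from urllib.parse import unquote, urlparse

# Constructed allow-list of hosts this CAS server will issue tickets for.
# Hypothetical values for the example; a real deployment reads these from
# its service registry.
ALLOWED_SERVICE_HOSTS = {"www.service.example", "app.service.example"}


def check_service_url(raw_service, allowed_hosts=ALLOWED_SERVICE_HOSTS):
    """Return (ok, reason) for a CAS 'service' request parameter.

    The parameter arrives percent-encoded (as in the spec's example), so it
    is decoded first. The policy then mirrors the advice in the thread:
    - https only, so the ticket is never handed back over plaintext;
    - no userinfo in the URL, which would let a crafted callback smuggle
      credentials or confuse host matching;
    - the host must be one we recognise, so a ticket is never issued for
      an arbitrary callback URL.
    """
    service = unquote(raw_service)
    parsed = urlparse(service)

    if parsed.scheme != "https":
        return False, "service URL must use https, got scheme %r" % parsed.scheme
    if parsed.username is not None or parsed.password is not None:
        return False, "userinfo in service URL is not allowed"
    host = parsed.hostname  # urlparse lowercases this for us
    if not host or host not in allowed_hosts:
        return False, "service host %r is not on the allow-list" % host
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample parameters, including the spec-style http example.
    samples = [
        "https%3A%2F%2Fwww.service.example%2Flogin",
        "http%3A%2F%2Fwww.service.example%2Flogin",
        "https://user:[email protected]/",
        "https://other.example/callback",
    ]
    for s in samples:
        ok, reason = check_service_url(s)
        print("%-50s -> %s (%s)" % (s, "accept" if ok else "reject", reason))
```

The check runs before a ticket is issued; rejecting the request at that point is what turns the thread's "we recommend SSL" into something the server actually enforces for the services it knows about.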
