Thanks for the support on this. According to the vendor they have been doing CAS for 5 years and we are the first Uni to balk at this requirement of theirs.
To be fair though, the http service URL redirects the user to https after the login. They claim this is because of how they do their certificates. I think they are just too cheap to buy certs. I am sticking to my guns though; it is beyond my pay grade to make a decision that opens a security hole (heaven knows there are enough unknown ones already). The unfortunate reality is that this creates a political battle, leads to a perception that our CAS is not ready for prime time and is difficult to implement, and slows the adoption of CAS on a wider scale.

Cheers,
Bryan

-----Original Message-----
From: Andrew Petro [mailto:[email protected]]
Sent: Wednesday, September 07, 2011 4:21 PM
To: [email protected]
Subject: Re: [cas-user] Quick question re: non https service url

Agreed.

You might introduce your vendor to the concept of Firesheep.
http://en.wikipedia.org/wiki/Firesheep

Or this article:
http://arstechnica.com/web/news/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it.ars

Your vendor delivering a service over http:// rather than https:// is a bad idea, but CAS will make that bad idea no worse.

Andrew

On 9/7/2011 5:00 PM, Marvin Addison wrote:
>> What are the ramifications of allowing an application to use http as
>> defined in the service manager?
> It simply means the ST will be delivered to the client over http, so
> it would be vulnerable to interception. Under normal circumstances
> the ST is single use and has a validity window measured in seconds, so
> that's a pretty small attack window.
>
>> My gut feeling says this is wrong
> Trust your gut. Lean on your vendor to do the right thing and run
> over SSL. It's not so much interception of the ST as general
> vulnerability to data theft transmitted in the clear. Why have
> authentication at all if the subsequent data provided by the app is
> easy to steal?
>
> M
> --

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
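The thread turns on two CAS mechanisms: the service registry check that decides whether an http:// service URL is accepted at all, and the properties Marvin describes for the service ticket (ST), namely single use and a validity window of seconds. The Python model below is an added example, not code from the thread or from Jasig CAS. It assumes a hypothetical registry API, a 10-second ST lifetime (a constructed default; real deployments configure this), and an injectable clock so the expiry behaviour can be exercised without waiting. It shows that a ticket presented a second time, presented after its window, or presented for a different service is rejected, and that the https requirement is enforced at the service registry rather than by the ticket itself.

```python
import secrets
import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Assumed default ST lifetime for this model (constructed value, not a CAS constant).
ST_TIME_TO_KILL_SECONDS = 10.0


def service_allowed(service_url: str, allowed_hosts: Set[str], require_https: bool = True) -> bool:
    """Model of the service manager decision: the service host must be registered
    and, by policy, the service URL must use https. An http:// URL for a registered
    host is refused unless the policy is explicitly relaxed."""
    parts = urlsplit(service_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if require_https and parts.scheme != "https":
        return False
    return parts.hostname.lower() in allowed_hosts


class TicketRegistry:
    """Issues service tickets that are single-use and expire after `lifetime` seconds.
    Hypothetical simplified model of the CAS ticket registry."""

    def __init__(self, lifetime: float = ST_TIME_TO_KILL_SECONDS):
        self.lifetime = lifetime
        # ticket id -> (service_url the ticket was issued for, issue time, authenticated user)
        self._tickets: Dict[str, Tuple[str, float, str]] = {}

    def issue(self, user: str, service_url: str, now: Optional[float] = None) -> str:
        issued = time.time() if now is None else now
        # Unguessable ticket id; the "ST-" prefix mirrors CAS ticket naming.
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (service_url, issued, user)
        return ticket

    def validate(self, ticket: str, service_url: str, now: Optional[float] = None) -> dict:
        """Model of /serviceValidate. Returns {'ok': True, 'user': ...} on success or
        {'ok': False, 'code': ...} on failure. The ticket is removed on the first
        validation attempt whatever the outcome, which is what makes it single-use."""
        current = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return {"ok": False, "code": "INVALID_TICKET"}  # unknown or already consumed
        service, issued, user = entry
        if current - issued > self.lifetime:
            return {"ok": False, "code": "INVALID_TICKET"}  # outside the validity window
        if service != service_url:
            return {"ok": False, "code": "INVALID_SERVICE"}  # issued for a different service
        return {"ok": True, "user": user}


def replay_outcomes(lifetime: float = ST_TIME_TO_KILL_SECONDS) -> Tuple[bool, bool, bool]:
    """Exercise the three rejections the thread relies on, using a fixed clock.
    Returns (first_use_ok, replay_after_use_ok, use_after_window_ok)."""
    reg = TicketRegistry(lifetime)
    svc = "https://app.example.edu/login"  # constructed service URL
    t = reg.issue("bryan", svc, now=1000.0)
    first = reg.validate(t, svc, now=1001.0)["ok"]
    replay = reg.validate(t, svc, now=1002.0)["ok"]
    t_stale = reg.issue("bryan", svc, now=1000.0)
    stale = reg.validate(t_stale, svc, now=1000.0 + lifetime + 1)["ok"]
    return first, replay, stale


if __name__ == "__main__":
    print("http service accepted under https policy:",
          service_allowed("http://app.example.edu/login", {"app.example.edu"}))
    print("(first use, replay, stale) =", replay_outcomes())
```

The registry check is the only place in this model where the http:// decision is made; once a ticket is issued for an http:// service it is just as single-use and short-lived as any other, which is exactly Marvin's point that the ST exposure is narrow and the real problem is the application data that follows over the clear channel.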
