Can they explain why they think security is important enough for every part of the application EXCEPT authentication/login? :-)
On Thu, Sep 8, 2011 at 9:10 AM, Bryan Wooten <[email protected]> wrote:
> Thanks for the support on this. According to the vendor they have been
> doing CAS for 5 years and we are the first Uni to balk at this requirement
> of theirs.
>
> To be fair though, the http service URL redirects the user to https after
> the login. They claim this is because of how they do their certificates. I
> think they are just too cheap to buy certs.
>
> I am sticking to my guns though, it is beyond my pay grade to make a
> decision that opens a security hole (heaven knows there are enough unknown
> ones already). The unfortunate reality is that creates a political battle,
> leads to a perception that our CAS is not ready for prime time, is difficult
> to implement and slows the adoption of CAS on a wider scale.
>
> Cheers,
>
> Bryan
>
> -----Original Message-----
> From: Andrew Petro [mailto:[email protected]]
> Sent: Wednesday, September 07, 2011 4:21 PM
> To: [email protected]
> Subject: Re: [cas-user] Quick question re: non https service url
>
> Agreed.
>
> You might introduce your vendor to the concept of Firesheep.
>
> http://en.wikipedia.org/wiki/Firesheep
>
> Or this article:
>
> http://arstechnica.com/web/news/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it.ars
>
> Your vendor delivering a service over http:// rather than https:// is a
> bad idea, but CAS will make that bad idea no worse.
>
> Andrew
>
> On 9/7/2011 5:00 PM, Marvin Addison wrote:
> >> What are the ramifications of allowing an application to use http as
> >> defined in the service manager?
> > It simply means the ST will be delivered to the client over http, so
> > it would be vulnerable to interception. Under normal circumstances
> > the ST is single use and has a validity window measured in seconds, so
> > that's a pretty small attack window.
> >
> >> My gut feeling says this is wrong
> > Trust your gut. Lean on your vendor to do the right thing and run
> > over SSL. It's not so much interception of the ST as general
> > vulnerability to data theft transmitted in the clear. Why have
> > authentication at all if the subsequent data provided by the app is
> > easy to steal?
> >
> > M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected] To unsubscribe, change settings or access archives,
> see http://www.ja-sig.org/wiki/display/JSG/cas-user
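An added example (not from the thread, and not CAS's own code) that models the policy Marvin and Andrew are arguing for: a CAS-style regex service registry, an audit that flags entries admitting plaintext http:// service URLs, a login-time gate that refuses non-https services, and the post-login ticket redirect showing why the vendor's later http-to-https redirect does not help. The registry entries, hostnames and ticket value are constructed for illustration.

```python
import re
from urllib.parse import urlparse, urlencode

# Constructed registry in the spirit of CAS regex-based service entries.
# Ids, names and hostnames are hypothetical, not taken from the thread.
SERVICE_REGISTRY = [
    {"id": 10, "name": "vendor app (as the vendor asked for it)",
     "serviceId": r"^http://app\.vendor\.example/.*"},
    {"id": 11, "name": "library catalog",
     "serviceId": r"^https://catalog\.example\.edu/.*"},
]


def find_registered_service(service_url, registry=SERVICE_REGISTRY):
    """CAS-style lookup: first entry whose serviceId regex matches, else None."""
    for entry in registry:
        if re.match(entry["serviceId"], service_url):
            return entry
    return None


def audit_registry(registry=SERVICE_REGISTRY):
    """Ids of entries whose pattern is not pinned to https:// (e.g. ^http://,
    ^https?://, or no scheme anchor at all) and so admit plaintext service URLs."""
    return [e["id"] for e in registry
            if not e["serviceId"].startswith("^https://")]


def validate_service_request(service_url, registry=SERVICE_REGISTRY):
    """Gate for /login?service=...: the service must be registered AND be https,
    otherwise the service ticket would be handed to the browser on a plaintext URL."""
    entry = find_registered_service(service_url, registry)
    if entry is None:
        return (False, "service not registered")
    if urlparse(service_url).scheme != "https":
        return (False, "service URL is not https; ticket would travel in the clear")
    return (True, entry["name"])


def ticket_redirect(service_url, ticket):
    """Build the post-login redirect the way CAS does: ticket appended to the service URL.
    The app redirecting http->https afterwards is too late; the ticket is already in this URL."""
    sep = "&" if urlparse(service_url).query else "?"
    return f"{service_url}{sep}{urlencode({'ticket': ticket})}"
```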
