> I think they are just too cheap to buy certs.
What do certificates have to do with it? CAS doesn't itself
make requests to the service URL except for single sign-out callbacks,
and I guess I'd be surprised if the vendor is sophisticated enough to
want those callbacks yet not sophisticated enough to value SSL at login
(or to be willing and able to provide you a public key to their SSL cert).
Andrew
On 9/8/2011 9:10 AM, Bryan Wooten wrote:
Thanks for the support on this. According to the vendor they have been doing
CAS for 5 years and we are the first Uni to balk at this requirement of theirs.
To be fair though, the http service URL redirects the user to https after the
login. They claim this is because of how they do their certificates. I think
they are just too cheap to buy certs.
I am sticking to my guns though, it is beyond my pay grade to make a decision
that opens a security hole (heaven knows there are enough unknown ones
already). The unfortunate reality is that this creates a political battle, leads to
a perception that our CAS is not ready for prime time, is difficult to
implement and slows the adoption of CAS on a wider scale.
Cheers,
Bryan
-----Original Message-----
From: Andrew Petro [mailto:[email protected]]
Sent: Wednesday, September 07, 2011 4:21 PM
To: [email protected]
Subject: Re: [cas-user] Quick question re: non https service url
Agreed.
You might introduce your vendor to the concept of Firesheep.
http://en.wikipedia.org/wiki/Firesheep
Or this article:
http://arstechnica.com/web/news/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it.ars
Your vendor delivering a service over http:// rather than https:// is a bad
idea, but CAS will make that bad idea no worse.
Andrew
On 9/7/2011 5:00 PM, Marvin Addison wrote:
What are the ramifications of allowing an application to use http as
defined in the service manager?
It simply means the ST will be delivered to the client over http, so
it would be vulnerable to interception. Under normal circumstances
the ST is single use and has a validity window measured in seconds, so
that's a pretty small attack window.
My gut feeling says this is wrong
Trust your gut. Lean on your vendor to do the right thing and run
over SSL. It's not so much interception of the ST as general
vulnerability to data theft transmitted in the clear. Why have
authentication at all if the subsequent data provided by the app is
easy to steal?
M
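As an added illustration of the point Marvin makes above (the ST is single use and lives only seconds, so the interception window is narrow, yet an http service URL still puts the ticket on the wire in the clear), here is a toy Python model of the service-ticket flow. It is not code from this thread or from the CAS project; the 10-second lifetime, the single permitted validation, and every URL, username and timestamp in it are my assumptions, constructed for the example.

```python
"""
Toy model of the CAS service-ticket (ST) flow, written for this thread as an
added example; it is not code from the thread or from the CAS project.
Assumptions (mine): an ST lives 10 seconds and may be validated once; the
service URLs, usernames and timestamps below are constructed.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str       # service URL the ST was granted for
    principal: str     # authenticated user
    issued_at: float   # seconds, from the caller's clock


class TicketRegistry:
    """Minimal stand-in for a CAS ticket registry plus /serviceValidate."""

    ST_TTL_SECONDS = 10   # assumption: ST time-to-kill

    def __init__(self):
        self._tickets = {}

    def grant(self, principal, service, now):
        ticket_id = "ST-" + secrets.token_urlsafe(16)
        self._tickets[ticket_id] = ServiceTicket(ticket_id, service, principal, now)
        return ticket_id

    def validate(self, ticket_id, service, now):
        """Return (principal, "OK") or (None, error code); consume the ST on success."""
        st = self._tickets.get(ticket_id)
        if st is None:
            return None, "INVALID_TICKET"           # unknown or already consumed
        if now - st.issued_at > self.ST_TTL_SECONDS:
            del self._tickets[ticket_id]
            return None, "INVALID_TICKET"           # expired
        if st.service != service:
            return None, "INVALID_SERVICE"          # an ST is bound to one service URL
        del self._tickets[ticket_id]                # single use
        return st.principal, "OK"


def login_redirect(service, ticket_id):
    """Redirect CAS sends the browser to after login: service?ticket=ST-..."""
    sep = "&" if "?" in service else "?"
    return service + sep + urlencode({"ticket": ticket_id})


def ticket_from_redirect(url):
    """What anyone on the path can read when the redirect target is plain http."""
    return parse_qs(urlsplit(url).query).get("ticket", [None])[0]


def service_url_allowed(service_url):
    """Service-manager policy argued for in the thread: https service URLs only."""
    return urlsplit(service_url).scheme == "https"


def replay_demo():
    """Attacker reads the ST off an http redirect and presents it to the service first."""
    reg = TicketRegistry()
    t0 = 1000.0
    service = "http://vendor.example.edu/app/login"   # constructed, http on purpose
    st = reg.grant("bwooten", service, t0)
    sniffed = ticket_from_redirect(login_redirect(service, st))
    # The service validates whichever request reaches it first. If the attacker's
    # replay wins the race, the attacker is logged in as the victim and the
    # victim's own request then fails because the ST has been consumed.
    attacker = reg.validate(sniffed, service, t0 + 1)
    victim = reg.validate(st, service, t0 + 2)
    return attacker, victim


def expiry_demo():
    """Outside the validity window a sniffed ST is worthless even if unconsumed."""
    reg = TicketRegistry()
    service = "http://vendor.example.edu/app/login"
    st = reg.grant("bwooten", service, 1000.0)
    return reg.validate(st, service, 1000.0 + TicketRegistry.ST_TTL_SECONDS + 1)


if __name__ == "__main__":
    print("replay:", replay_demo())
    print("expiry:", expiry_demo())
    print("register http service?", service_url_allowed("http://vendor.example.edu/app/login"))
```

The model stops where Marvin's point does: inside the window the race is winnable, and once the ST is consumed the app's own session and data travel over the same http URL with no ticket to protect them, which is the larger exposure. The `service_url_allowed` check is the rule a service manager would enforce to refuse such registrations in the first place.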
--
You are currently subscribed to [email protected] as:
[email protected] To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user