Hi,

Yes, using http can allow an attacker to steal a ST and try to use it before the real user (the ST can only be used once). It's a problem, but it's "just" one access / application.

Big troubles come into play if the service allows proxy because this time, the attacker could get a real SSO session. That's why by default, services are not allowed to proxy in CAS 4.0. The proxy option should be enabled only when it's *really* necessary.

Best regards,
Jérôme

Jérôme LELEU
Founder of CAS in the cloud: www.casinthecloud.com | Twitter: @leleuj
Chairman of CAS: www.jasig.org/cas | Creator of pac4j: www.pac4j.org

2014-10-22 15:25 GMT+02:00 Adam Causey <[email protected]>:

> I would like some feedback on how others handle services that are
> non-https (i.e. http://). Do most of you allow or disallow this?
> Currently we allow non-SSL sites for some services, but are considering
> requiring https for everything except localhost for developers.
>
> How much of a security concern is this? The only thought I have is that
> the Service Ticket could potentially be sniffed and used, even though there
> is only a 10 second window to use the ticket.
>
> Thanks!
>
> Adam Causey
> Virginia Commonwealth University
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
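As an added illustration, not taken from the thread or from the CAS project's own files, here is a service-registry fragment in the Spring-XML style that CAS 4.0's deployerConfigContext.xml uses: the first entry is the permissive shape the reply warns about (plain http accepted, proxying enabled), the following entries restrict production services to https with proxying left off and give developers a narrow localhost exception instead of a wildcard. The `RegexRegisteredService` bean class and the `serviceId` / `allowedToProxy` property names are assumed, and the fragment belongs inside a `<beans>` element that declares the `p` namespace.

```xml
<!-- Added example, not from the thread: RegisteredService entries in the
     Spring-XML style of CAS 4.0's deployerConfigContext.xml (bean class and
     property names assumed). -->

<!-- Permissive shape the reply warns about: any http:// or https:// service
     is accepted and every one of them may proxy. A ST sniffed on an http
     link is one replay; a proxy-granting ticket is a full SSO session. -->
<bean class="org.jasig.cas.services.RegexRegisteredService"
      p:id="1"
      p:name="Any web service (weak)"
      p:description="Accepts http and https, allows proxying"
      p:serviceId="^https?://.*"
      p:allowedToProxy="true"
      p:evaluationOrder="10" />

<!-- Hardened shape: TLS only, proxying left at the CAS 4.0 default (off).
     Enable allowedToProxy per service, only where it is really needed. -->
<bean class="org.jasig.cas.services.RegexRegisteredService"
      p:id="2"
      p:name="HTTPS services"
      p:description="Production services, https only, no proxy"
      p:serviceId="^https://.*"
      p:allowedToProxy="false"
      p:evaluationOrder="20" />

<!-- Developer exception: plain http tolerated only on localhost, so the
     http wildcard above is not needed. -->
<bean class="org.jasig.cas.services.RegexRegisteredService"
      p:id="3"
      p:name="Local development"
      p:description="http on localhost only, no proxy"
      p:serviceId="^http://localhost(:\d+)?/.*"
      p:allowedToProxy="false"
      p:evaluationOrder="30" />
```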
