Brent Chapman made the following keystrokes:

> Gene raises valid considerations, but I think they miss the point in this
> particular circumstance.
>
> If you don't want to use SSL, don't publish https://... URLs. If you
> publish https://... URLs, make sure your certs are correct (i.e., that they
> haven't expired, that you have wildcard certs if needed, etc.).
>
> LOPSA could fix this in either of two ways: fix the certs, or fix the URLs.
> The latter doesn't address the URLs that they've already published;
> therefore, I'd say that the former is the preferable fix.
>
> It reflects badly on us (LOPSA) that we don't get this right, and damages
> our credibility; it's a fundamental sysadmin thing.
>
> -Brent
I disagree. I did indicate that it's up to the business to determine if leading by example is worth the expense. You seem to think it is. I do not think it matters, for many of the reasons that I put in the message. To me it's a sign that money is being spent to fill in a check box on a PowerPoint slide for people that really don't understand the situation but have been convinced it's needed by cert vendor lobbyists.

Changing the URLs to NOT use SSL sets a much worse example, in that you are now putting something that should be safe and secure, like a login session, over a clear-text protocol. Use of SSL is to encrypt the traffic between the two endpoints. This encryption can, if done at secure levels, keep the actual bits out of view of people sitting in the middle and sniffing traffic. Since you are putting passwords through the system and having a login page, it's best to use SSL. It looks much worse to have a login page without SSL. Without the SSL, various places along the way can sniff the traffic. How many of you remember running password grabbers on shared media? The SuperComputing conference still has a wall of shame for current attendees sending their password over insecure protocols like pop, rlogin, ftp, and telnet.

--Gene

_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
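To put Brent's check on published https://... URLs (certs not expired, wildcard coverage where needed) into practice, here is an added example that is not code from either post or from LOPSA; the certificate dict, hostnames and dates are constructed sample data, and `utc()` is a small helper assumed for readability.

```python
"""Audit published https:// URLs against a server certificate. Added example,
not from the thread: the cert is a constructed dict shaped like what
ssl.SSLSocket.getpeercert() returns after a verified handshake; the checks are
Brent's: expiry, and whether the cert's names (wildcards included) cover the host."""
import ssl
from datetime import datetime, timezone
from urllib.parse import urlparse


def utc(iso_date: str) -> datetime:
    """Helper so callers can pass utc('2024-06-01') as the 'now' argument."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: '*' covers exactly one leftmost label, so '*.lopsa.org'
    covers 'lists.lopsa.org' but neither 'lopsa.org' nor 'a.b.lopsa.org'."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                                  # ".lopsa.org"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return label != "" and "." not in label


def audit_url(url: str, cert: dict, now: datetime) -> list[str]:
    """Return the problems found for one published URL (empty list = OK)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return ["not an https:// URL, so there is no certificate to check"]
    problems = []
    # Validity strings look like 'Jan  1 00:00:00 2025 GMT'
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        problems.append(f"certificate not valid until {cert['notBefore']}")
    if now > not_after:
        problems.append(f"certificate expired on {cert['notAfter']}")
    # Browsers match the host against subjectAltName DNS entries, not the CN
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(hostname_matches(n, parsed.hostname) for n in names):
        problems.append(f"{parsed.hostname} not covered by {names} (wildcard cert needed?)")
    return problems


# Constructed sample: covers the bare domain and www only, valid during 2024
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "lopsa.org"), ("DNS", "www.lopsa.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
```

Against a live server, `ssl.SSLSocket.getpeercert()` returns a dict of this shape only after a verified handshake; a cert that has already expired fails that handshake with `ssl.SSLCertVerificationError`, which is itself the finding to report.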
