I hope this comes out readable - mixing contextual posting with Microsoft
HTML could be a recipe for disaster! :-)
_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan Whitney
Sent: Friday, 19 September 2008 00:13
To: Mifos functional discussions
Subject: Re: [Mifos-functional] To SSL Cert or not to SSL Cert
On 9/18/08 11:31 AM, "Graeme Ruthven" <[EMAIL PROTECTED]> wrote:

I've said it before and I'll say it again: Any system that sends passwords
and personal and financial data over the Internet in plaintext is not
production ready. Sorry Mifos.

I'm a little confused, has anyone ever stated they will not be using some
form of secure communication? The question I was posing was whether we
should pay for a third party to certify our security cert or just certify
our own, and definitely not proposing we don't use SSL at all ;)

My point is that Mifos is insecure "out of the box" and I may have hijacked
your point to make mine.
What would be nice for me is to have SSL offered as a configuration option
when installing Mifos. One day I'll get around to putting in the time to
work out how to configure Tomcat for this.

I brought up the topic with some friends and there were some mixed responses
about it, but at the heart of it, getting a third party to certify is a lot
more secure than signing your own.

I agree.

CACert (www.cacert.org) issues free certificates, which should be affordable
to most MFIs.
...

Thanks for the detailed info! We'll definitely keep it in mind (and looking
at the archives, looks like we already discussed this once ;)). That said,
I thought about it more and I still have a lot of reservations on relying on
SSL alone. With that in mind, the Network person here is going to look at
and evaluate OpenVPN (www.openvpn.net), which I believe both you and
Gbolahan have set up. If that doesn't look like it'll work, we'll probably
fall back on SSL and go with the CACert.

Feel free to contact me if you think I can help. Bear the time difference in
mind - I'm on UTC +1200, shortly to be UTC +1300 when daylight saving
starts.

BTW, Graeme, did you ever finish your OpenVPN HOWTO you were talking about?

Yep. http://tinyurl.com/4y3kky Let me know if
you spot anything that needs changing.
At a quick glance, I think I should split it into two pages. One with the
instructions only and a second with the discussion...
The Register had a good article at the beginning of September, aimed more at
the Windows environment: http://tinyurl.com/6k2l3a
Regards
Graeme