Hartmut Goebel wrote:
> Cédric Krier schrieb:
>> On 23/10/09 18:13 +0200, Hartmut Goebel wrote:
>>> Cédric Krier schrieb:
>>>
>>>> Maybe you mean having a configuration option that will warn (like Firefox when leaving an encrypted website) if you connect to a non-SSL server.
>>>
>>> No! If the company requires SSL to be used (which the admin implements by activating SSL), the user *must not* be allowed (and enabled) to change this.
>>
>> It is simply impossible. Any user has the possibility to configure or to download a version to run without any restriction.
>
> Correct. But in an enterprise environment users are not allowed to install software. If the user installs the software anyway, this is quite a different case. If some company wants to protect itself against this case, it needs to implement different measures.
>
> To repeat myself: The user *must not* be allowed to change the SSL setting.
>
> If the user were able to switch off SSL, he could do so and would no longer recognise if he is talking to an intruder's server. If the user got a warning, he would simply ignore it -- as most users do when web-surfing.
>
> Trust me, I'm a trained security professional.
Isn't an option on the server disabling non-SSL connections enough to solve this issue?

--
Bertrand Chenal
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 474 207 906
Email: [email protected]
Website: http://www.b2ck.com/
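The server-side option Bertrand proposes can be sketched in code. The following is an added example, not code from this thread or from the Tryton project: a minimal listener that peeks at the first bytes of every incoming connection and, when the administrator has set an assumed `ssl_required` flag, refuses anything that is not a TLS handshake, so a client whose SSL setting was switched off is rejected regardless of its own configuration. The listener, the `ADMITTED` marker and the sample payloads are all constructed for the demonstration; a real server would hand an admitted socket to `ssl.SSLContext.wrap_socket(server_side=True)`, which is omitted here because no certificate is available.

```python
"""Enforce TLS on the server: admit a connection only if it opens with a TLS
handshake record, so the client's own "use SSL" setting cannot downgrade it."""
import socket
import threading

TLS_CONTENT_TYPE_HANDSHAKE = 0x16   # record-layer content type for a handshake
TLS_RECORD_MAJOR_VERSION = 0x03     # SSLv3 and every TLS version use major 3


def looks_like_tls_handshake(first_bytes: bytes) -> bool:
    """True when the data starts like a TLS record carrying a handshake
    (what a ClientHello begins with). Anything else, such as an HTTP request
    line, an XML-RPC body or an empty read, is treated as plaintext."""
    if len(first_bytes) < 3:
        return False
    return (first_bytes[0] == TLS_CONTENT_TYPE_HANDSHAKE
            and first_bytes[1] == TLS_RECORD_MAJOR_VERSION
            and first_bytes[2] <= 0x04)


def admit_connection(first_bytes: bytes, ssl_required: bool) -> bool:
    """Server-side policy (assumed 'ssl_required' option set by the admin):
    a plaintext connection is refused before any application data flows."""
    if not ssl_required:
        return True
    return looks_like_tls_handshake(first_bytes)


def serve_once(listener: socket.socket, ssl_required: bool) -> None:
    """Accept one connection and apply the policy. An admitted socket would
    normally go to ssl.SSLContext.wrap_socket(server_side=True); this demo
    has no certificate, so it just answers with a constructed marker."""
    conn, _ = listener.accept()
    with conn:
        first = conn.recv(5, socket.MSG_PEEK)  # look without consuming
        if admit_connection(first, ssl_required):
            conn.sendall(b"ADMITTED")
        else:
            conn.recv(4096)  # drain so the close is a clean FIN, then refuse


def try_connect(port: int, payload: bytes) -> bool:
    """Client side: send an opening payload and report whether the server
    kept the connection (replied) or refused it (closed without data)."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        try:
            return s.recv(16) == b"ADMITTED"
        except ConnectionResetError:
            return False


def run_demo() -> dict:
    """Constructed inputs: the first bytes of a TLS 1.2-style ClientHello and
    a plaintext HTTP request, each tried against a TLS-only listener."""
    client_hello_prefix = bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01])
    http_request = b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"
    results = {}
    for name, payload in (("tls", client_hello_prefix), ("plaintext", http_request)):
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        t = threading.Thread(target=serve_once, args=(listener, True))
        t.start()
        results[name] = try_connect(port, payload)
        t.join()
        listener.close()
    return results


if __name__ == "__main__":
    print(run_demo())  # {'tls': True, 'plaintext': False}
```

The decision is made from the first record on the wire, before any credentials or application data are read, which is what makes it independent of whatever the client was configured to do.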
