On 23/10/09 19:59 +0200, Hartmut Goebel wrote:
> Cédric Krier wrote:
> > On 23/10/09 18:13 +0200, Hartmut Goebel wrote:
> >> Cédric Krier wrote:
> >>
> >>> Maybe you mean having a configuration option that will warn (like
> >>> Firefox when leaving an encrypted website) if you connect to a
> >>> no-SSL server.
> >> No! If the company requires SSL to be used (which the admin
> >> implements by activating SSL), the user *must not* be allowed (and
> >> enabled) to change this.
> >
> > It is simply impossible. Any user has the possibility to configure
> > or to download a version to run without any restriction.
>
> Correct. But in an enterprise environment users are not allowed to
> install software.

You can run Tryton without "installing" it.

> If the user installs the software anyway, this is
> quite a different case. If some company wants to protect itself against
> this case, it needs to implement different measures.
>
> To repeat myself: The user *must not* be allowed to change the SSL setting.
>
> If the user were able to switch off SSL, he could do so and would no
> longer recognise whether he is talking to an intruder's server. If the
> user got a warning, he would simply ignore it -- as most users do
> when web-surfing.

First, if the company server runs with SSL, the user cannot connect to it
without an SSL connection.
Second, the problem is not about connecting with SSL or not but about
verifying the authentication of the server. It must be done like with
OpenSSH, which stores the fingerprint of the servers with the hostname and
verifies for later connections that it is still the same.

-- 
Cédric Krier
B2CK SPRL
Rue de Rotterdam, 4
4000 Liège
Belgium
Tel: +32 472 54 46 59
Email: [email protected]
Jabber: [email protected]
Website: http://www.b2ck.com/
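As an added illustration of the known_hosts-style check described in this message (example code, not from this thread or from Tryton): a trust-on-first-use store that pins the server certificate's SHA-256 fingerprint per host:port and refuses a later connection whose fingerprint differs. The file format, host name and port are assumptions; the certificate bytes are constructed stand-ins.

```python
import hashlib
import os
# Added example (not Tryton's code): pin the server certificate fingerprint per host:port,
# trust-on-first-use, in the style of OpenSSH's known_hosts. File format is an assumption.

class FingerprintMismatch(Exception):
    """A known host:port presented a certificate with a different fingerprint."""

def cert_fingerprint(der_cert):
    """SHA-256 of the DER-encoded certificate as colon-separated upper-case hex."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def verify_server(known, host, port, der_cert):
    """Return 'first-use' (newly pinned) or 'match'; raise FingerprintMismatch otherwise."""
    # 'known' maps 'host:port' -> fingerprint; a mismatch must abort the connection, not warn.
    key = "%s:%d" % (host, port)
    fingerprint = cert_fingerprint(der_cert)
    stored = known.get(key)
    if stored is None:
        known[key] = fingerprint
        return "first-use"
    if stored == fingerprint:
        return "match"
    raise FingerprintMismatch("%s: stored %s, presented %s" % (key, stored, fingerprint))

def load_known_hosts(path):
    """Read 'host:port fingerprint' lines; a missing file means nothing pinned yet."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return dict(line.split() for line in fh if len(line.split()) == 2)

def save_known_hosts(path, known):
    """Write the pinned fingerprints back, one 'host:port fingerprint' per line."""
    with open(path, "w") as fh:
        for key in sorted(known):
            fh.write("%s %s\n" % (key, known[key]))

if __name__ == "__main__":
    # Constructed stand-ins for DER certs (a real client uses sock.getpeercert(binary_form=True)).
    genuine, impostor = b"constructed-cert-genuine", b"constructed-cert-impostor"
    known = load_known_hosts("known_hosts.txt")
    for cert in (genuine, genuine, impostor):  # first-use, match, then a mismatch
        try:
            print(verify_server(known, "tryton.example.com", 8000, cert))
        except FingerprintMismatch as exc:
            print("refusing connection:", exc)
    save_known_hosts("known_hosts.txt", known)
```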