On Friday, November 22, 2002, at 04:20 PM, Chipp Walters wrote:

I got a question for all of you https users.... Exactly what do you want it for? Please cite some examples.

We have databases of customer data that need to be searched for us to do customer support. We can live with HTTP for people on our internal LAN but we do have remote employees and they are not allowed to pass customer data via clear text. We could do a secure tunnel but setting that up and managing it would be a pain and expensive.

These database systems have internal Web server CGIs that are allowed to access them. I have really nice interfaces into this data with lots of business logic using RR. But no one outside our local LAN is allowed to use these tools until the data is encrypted when going over public networks.

We have thousands of suppliers who use our services and for now, their only access is via web browser (via HTTPS).

IOW, would it be better to have an encrypt tool instead?

No. I do not want to be the person building encryption. If someone intercepted personal data because I was transferring it via a home brew security system, I think that would be a very bad thing for our reputation.

Next question... how much would everyone be willing to pay for an https external?

$0
$1000

somewhere in-between?

I would not use an HTTPS external. The focus is security and the easiest way to defeat HTTPS is to build a trap door into the code. How do I know that an HTTPS external is safe to use? How do I know that it has been tested adequately? How do I know that the code I've downloaded has not been compromised (like the Sendmail version a couple months ago)? As an external there is just not much that an individual can do to convince me to trust their code.

For me, HTTPS has to come with RR and it has to be backed by them. They have to fear that they will suffer a loss of reputation if there is something evil in their HTTPS code, and do enough code reviews and testing to convince themselves that they are supplying a secure set of code.

Also, I'd feel a lot better if every RR user could use and observe the RR HTTPS solution. The more users the better.

Just my paranoid 2 cents.

Kee Nethery

_______________________________________________
use-revolution mailing list
http://lists.runrev.com/mailman/listinfo/use-revolution
