It is strongly recommended that any authentication be encrypted. The preferred
method of authentication is through Sentinel. An alternative method for
authentication that is becoming more popular is Shibboleth.
SSL encryption does not prevent a man-in-the-middle attack if the web site
is recording the user name and password.
It is a good idea to ensure MSU netid authenticated web applications
use SSL encryption. However, some web applications can not use SSL for
Joe Budzyn [log in to unmask]
301 Computer Center Ph: (517) 432-7448
Michigan State University
East Lansing, MI 48824
On Wed, Apr 09, 2008 at 11:04:35AM -0400, Tom Rockwell wrote:
> Is there a requirement that websites that use netid for authentication
> be ssl encrypted, or at least perform the authentication using ssl?
> Given that several MSU websites that use netid for authentication allow
> access to personal information, I'm wary of using netid over a plain
> text link. Note that the non-encrypted site is not an official MSU site.