MSUNAG Archives

MSUNAG Archives


View:

Next Message | Previous Message
Next in Topic | Previous in Topic
Next by Same Author | Previous by Same Author
Chronologically | Most Recent First
Proportional Font | Monospaced Font

Options:

Join or Leave MSUNAG
Reply | Post New Message
Search Archives


Subject: Re: non-ssl sites using netid login?
From: Joe Budzyn <[log in to unmask]>
Reply-To:Joe Budzyn <[log in to unmask]>
Date:Wed, 9 Apr 2008 15:04:26 -0400
Content-Type:text/plain
Parts/Attachments:
Parts/Attachments

text/plain (31 lines) 


It is strongly recommended that any authentication be encrypted.  The preferred
method of authentication is through Sentinel.  An alternative method for 
authentication that is becoming more popular is Shibboleth.

SSL encryption does not prevent a man-in-the-middle attack if the web site 
is recording the user name and password.  

It is a good idea to ensure MSU netid authenticated web applications 
use SSL encryption.  However, some web applications can not use SSL for 
technical reasons.


--
Joe Budzyn                               [log in to unmask]
301 Computer Center                      Ph: (517) 432-7448
Michigan State University
East Lansing, MI 48824
 

On Wed, Apr 09, 2008 at 11:04:35AM -0400, Tom Rockwell wrote:
> Hi,
> 
> Is there a requirement that websites that use netid for authentication 
> be ssl encrypted, or at least perform the authentication using ssl?
> 
> Given that several MSU websites that use netid for authentication allow 
> access to personal information, I'm wary of using netid over a plain 
> text link.  Note that the non-encrypted site is not an official MSU site.
> 
> Thanks,
> Tom

Back to: Top of Message | Previous Page | Main MSUNAG Page

Permalink


LIST.MSU.EDU

CataList Email List Search Powered by the LISTSERV Email List Manager