It is strongly recommended that any authentication be encrypted. The preferred method of authentication is through Sentinel. An alternative method for authentication that is becoming more popular is Shibboleth. SSL encryption does not prevent a man-in-the-middle attack if the web site is recording the user name and password. It is a good idea to ensure MSU netid authenticated web applications use SSL encryption. However, some web applications can not use SSL for technical reasons. -- Joe Budzyn [log in to unmask] 301 Computer Center Ph: (517) 432-7448 Michigan State University East Lansing, MI 48824 On Wed, Apr 09, 2008 at 11:04:35AM -0400, Tom Rockwell wrote: > Hi, > > Is there a requirement that websites that use netid for authentication > be ssl encrypted, or at least perform the authentication using ssl? > > Given that several MSU websites that use netid for authentication allow > access to personal information, I'm wary of using netid over a plain > text link. Note that the non-encrypted site is not an official MSU site. > > Thanks, > Tom