Do I need to go https:// throughout the website???

Hi All,

An organization has a website which uses Windows authentication for access. The website is accessed by their employees, around 60,000, with a frequency of at least once a day or more. They use https:// throughout the website. Is it necessary??? Please help me with supporting documents.

One more question: can anyone hack when I use http://? Should I go for https://?

Thanks in advance,

Ananth Ramasamy Meenachi

It depends. If they use Basic authentication then it is absolutely
necessary to protect the password of the user. If they use IWA, then it is not necessary for that, but it may be necessary to protect the data that the website is providing. The company may have policies which require that no one be able to eavesdrop on the data. I think that is totally reasonable.

There are also some security experts who suggest that NTLM hashes are not difficult to crack, so using NTLM without encryption is a bad idea. Kerberos is stronger in this regard, but may not be what they are using for Windows auth.

Have you asked them why they use HTTPS?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

NTLM is trivial to hack given mediocre password quality - so yes SSL is
required here too.

---
Dominick Baier, DevelopMentor
http://www.leastprivilege.com

Hi,
I believe that one of these certifications (SEI-CMM Level 5 Certificate, latest ISO 9001:2000 Certificate, BS7799 Certificate and PCMM Certificate) must have insisted on using SSL for data security in all the official websites. I do think that these people must have misunderstood it, by implementing https:// throughout the website. Since the company has enormous bandwidth for future expansion, they don't find any problem in encrypting and decrypting the same for about 60,000 users per day as the minimum number of requests.

I request you to provide your valuable suggestions for 60,000 users using https:// just for static pages. They have also implemented the same in more than 20 websites which are dynamic and used by the same users.

Ananth Ramasamy Meenachi

Personally, I'm all in favor of using SSL for web traffic that contains any
kind of sensitive data. We use that policy in our company and apply it to nearly all of our internal web apps.

These kinds of judgements are actually not that hard to make, either. You can actually figure out the perf hit you take and the cost associated with providing the service from the hardware perspective. Then, just weigh that against the security concerns. The business people can decide whether they are willing to pay X amount more for better security and a reduced threat model to their important data.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
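
An added example, not part of any post in the thread: a small audit helper that classifies the `Authorization` header of requests seen over plain http:// and reports what each mechanism discussed above (Basic, NTLM, Negotiate) leaves readable to an eavesdropper. The host names, user name and password are constructed sample values, and the function names are hypothetical.

```python
import base64

def classify_authorization(value):
    """Return (mechanism, exposure to a passive listener) for one header value."""
    scheme, _, blob = value.strip().partition(" ")
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("malformed", "token is not valid base64")
    scheme = scheme.lower()
    if scheme == "basic":
        user, sep, _ = raw.decode("utf-8", "replace").partition(":")
        if sep:
            return ("basic", f"password of '{user}' is only base64-encoded")
        return ("malformed", "Basic token has no user:password pair")
    if scheme in ("ntlm", "negotiate"):
        if raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
            msg_type = int.from_bytes(raw[8:12], "little")
            if msg_type == 3:  # AUTHENTICATE: response derived from the password hash
                return ("ntlm", "challenge response visible; weak passwords can be guessed offline")
            return ("ntlm", f"NTLM message type {msg_type}; no response yet")
        if raw[:1] == b"\x60":  # ASN.1 tag that opens an initial GSS-API/SPNEGO token
            return ("spnego", "SPNEGO token (normally Kerberos); page data still in clear")
    return ("unknown", "scheme not recognised")

def audit(requests):
    """Report the Authorization exposure of every request sent over http://."""
    return [(url,) + classify_authorization(value)
            for url, value in requests if url.lower().startswith("http://")]

# Constructed sample traffic (hosts, user and password are made up).
SAMPLE = [
    ("http://intranet.example/hr",
     "Basic " + base64.b64encode(b"alice:Winter2024").decode()),
    ("http://intranet.example/wiki",
     "NTLM " + base64.b64encode(b"NTLMSSP\x00\x03\x00\x00\x00" + bytes(52)).decode()),
    ("http://intranet.example/docs",
     "Negotiate " + base64.b64encode(b"\x60\x82\x01\x00" + bytes(16)).decode()),
    ("https://intranet.example/pay",
     "Basic " + base64.b64encode(b"bob:pw").decode()),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The https:// request is skipped because its header is already inside the TLS channel; for the other three, the response body is readable whatever the authentication mechanism.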