Re: Do I need to go Https:// throughout the website ???



Personally, I'm all in favor of using SSL for web traffic that contains any
kind of sensitive data. We use that policy in our company and apply it to
nearly all of our internal web apps.

These kinds of judgements are actually not that hard to make, either. You
can actually figure out the perf hit you take and the cost associated with
providing the service from the hardware perspective. Then, just weigh that
against the security concerns. The business people can decide whether they
are willing to pay X amount more for better security and a reduced threat
model to their important data.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ananth Ramasamy Meenachi"
<AnanthRamasamyMeenachi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2DF5628E-75CE-4731-99C4-049C07A6535A@xxxxxxxxxxxxxxxx
Hi,

I believe that one of these certifications (SEI-CMM Level 5 Certificate,
latest ISO 9001:2000 Certificate, BS7799 Certificate and PCMM Certificate)
must have insisted on using SSL for data security in all the official
websites. I do think that these people must have misunderstood it, by
implementing https:// through the website. Since the company has enormous
bandwidth for future expansion, they don't find any problem in encrypting
and decrypting the same for about 60,000 users per day as minimum request.

I request you to provide your valuable suggestion for 60,000 users using
https:// just for static pages, and also they have implemented the same in
more than 20 websites which are dynamic and used by the same users.

Ananth Ramasamy Meenachi

"Joe Kaplan" wrote:

It depends. If they use Basic authentication then it is absolutely
necessary to protect the password of the user. If they use IWA, then it is
not necessary for that, but it may be necessary to protect the data that
the website is providing. The company may have policies which require that
no one be able to eavesdrop on the data. I think that is totally
reasonable.

There are also some security experts who suggest that NTLM hashes are not
difficult to crack, so using NTLM without encryption is a bad idea.
Kerberos is stronger in this regard, but may not be what they are using for
Windows auth.

Have you asked them why they use HTTPS?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Ananth Ramasamy Meenachi"
<AnanthRamasamyMeenachi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:537453A7-F9AC-49C0-8DE1-EC2D6493AFDF@xxxxxxxxxxxxxxxx
Hi All,
An organization has a website which goes with Windows authentication to
access their website, and this website is accessed by their employees,
around 60,000, and accessed with a frequency of at least once a day or
more. They use https:// throughout the website. Is it necessary??? Please
help me with supporting documents.

One more question: can anyone hack when I use http://? Should I go for
https://?

Thanks in advance,

Ananth Ramasamy Meenachi





