Re: is HTTPS crackable
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/17/05
- Next message: Alfonso: "RE: IIS Lockdown tool"
- Previous message: Phil Agcaoili: "Re: IIS Challenges for Username/password twice"
- In reply to: seeker01: "Re: is HTTPS crackable"
- Next in thread: Phil Agcaoili: "Re: is HTTPS crackable"
- Reply: Phil Agcaoili: "Re: is HTTPS crackable"
- Reply: seeker01: "Re: is HTTPS crackable"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Feb 2005 00:46:20 -0800
No, I personally encourage you to heed Bob Christian's earlier advice and
abandon your OWA 5.5 deployment plans.
If you are asking "is HTTPS crackable" yet want to implement OWA5.5 for
public Internet access by a kiosk, your security emphasis is seriously
misplaced. Kiosk access will be the weak point for several reasons (as he
listed) and will be a far easier target than HTTPS -- yet strangely, you are
more concerned about HTTPS being cracked. Hackers go for low-hanging
fruit -- easiest exploit to get the maximum damage is the first choice.
Regarding your self-signed certificate -- of course the user will be warned
about downloading and installing the self-signed certificate. If they are
not, that would be a security vulnerability in the browser to allow a remote
site to add trusted certificates. Additional problems:
1. You presume the user can even install the self-signed certificate on the
kiosk (a kiosk that gives users such permissions is probably more dangerous
to your data security)
2. You also presume that making users used to installing random certificates
into the root store of their browser is a good security behavior.
Really, the money you are saving is not worth the security risk you are
taking on as well as the unsupported software you are investing in. Security
of HTTPS infrastructure is simply the least of your concerns right now.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"seeker01" <seeker01@discussions.microsoft.com> wrote in message news:6E9D6307-FFDF-44D0-A4FD-84AD5B52AC2A@microsoft.com...
Hi all,

For public workstation like Internet cafe, would the user be warned to download the self-signed certificate?

Personally would you encourage me to force them to install the certificate on public workstation?

Thank you once again.

Seeker01

"Bob Christian" wrote:

>
> Everything is crackable, given the time and money.
> I have two words for you: squeamish ossifrage =^)
>
> Your worry is probably not the certificate, but the system itself. OWA 5.5
> is based upon the older Exchange 5.5 and NT4 (W2K) technology. You actually
> risk a greater chance of having the server hacked/cracked than you do having
> HTTPS / SSL compromised. Most of the NT4 hacking information is out there,
> most of the patches are out there, and all of it is old (Rain Forest Puppy
> had a great guide for hacking your own IIS servers back in the day).
>
> In some cases you may find that your users can utilize an external machine
> (such as an internet cafe) and their keystrokes are logged. Another item
> that you have to worry about is that the secure pages may be cached to disk
> unsecured (internet cafe', friends house, etc) and the session may not even
> be closed out when they leave, allowing someone to open a browser and
> connect back to your system.
>
> My suggestion is to look at an Active Directory infrastructure with Exchange
> 2003. Your users will really like it, as compared to Exchange 5.5 and OWA
> 5.5
>
> My $0.02,
>
> Bob
> "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
> news:4214daf6.30870068@msnews.microsoft.com...
> > On 14 Feb 2005 23:13:38 -0800, seeker01@gmail.com wrote:
> >
> > >The current project that I am working on is implementing OWA5.5 to be
> > >accessible on the internet.
> > >
> > >The architecture model that I am thinking of proposing to the
> > >management is to configure ISA 2000 server (sits at the internal
> > >network) to accept the HTTPS packet from PIX firewall; then forward
> > >HTTPS to OWA & CA server (which both sits at the internal network).
> > >
> > >This model will be tested because I am not an expert on ISA yet.
> > >
> > >But what concerns me more at the moment is "HTTPS crackable" by hackers
> > >and how that can happen?
> >
> > Everything is crackable, given the time and money. The vulnerability
> > in your case would be a compromise of the OWA or cert server, but if
> > that's the case cracking HTTPS would be a non-issue. Use 128 bit and
> > it's pretty much guaranteed secure from an end-to-end transmission
> > point. As long as the rest is secure you're in no worse shape than
> > the majority of financial institutions out there.
> >
> > Jeff
> >
>
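The warning David describes comes from a simple rule: a client only trusts a certificate that chains to a root already in its trust store, and a self-signed certificate chains to nothing. The script below, an added illustration that is not part of the thread, shows that rule with the openssl command-line tool (assumed to be installed): it generates a throwaway self-signed certificate for a made-up host name, shows that verification against the default trust store fails (the browser-warning case), and then shows that it passes only once the certificate itself is supplied as a trust anchor, which is exactly the step the kiosk user would be asked to perform.

```shell
#!/bin/sh
# Added example: why a self-signed certificate draws a trust warning.
# Assumes the openssl CLI is available; the host name is constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway key and self-signed certificate (valid one day).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -days 1 -subj "/CN=owa.example.test" >/dev/null 2>&1
}

# Verify against the default trust store only. Returns nonzero because no
# trusted root vouches for the certificate; a browser shows its warning here.
verify_with_default_store() {
  openssl verify "$WORK/cert.pem" >/dev/null 2>&1
}

# Verify with the certificate itself pinned as a trust anchor. Returns zero:
# this is the state a user reaches by installing the cert into the root store.
verify_with_pinned_cert() {
  openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

main() {
  make_self_signed
  if verify_with_default_store; then
    echo "unexpected: default trust store accepted the self-signed cert"
  else
    echo "default trust store: verification failed (client would warn)"
  fi
  if verify_with_pinned_cert; then
    echo "cert pinned as trust anchor: verification succeeded"
  fi
}

main
```

The second verification succeeding is the whole point of the objection in the post: the only way to make the warning go away is to have users add an arbitrary certificate to their trust store, and a user who will do that for one kiosk will do it for anyone who asks.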