Re: is HTTPS crackable
From: Phil Agcaoili (PhilAgcaoili_at_discussions.microsoft.com)
Date: 02/17/05
- Next message: JRG: "NTLM and IIS 6"
- Previous message: Leneise44: "IIS and Web services"
- In reply to: David Wang [Msft]: "Re: is HTTPS crackable"
- Next in thread: David Wang [Msft]: "Re: is HTTPS crackable"
- Reply: David Wang [Msft]: "Re: is HTTPS crackable"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Feb 2005 14:31:03 -0800
"David Wang [Msft]" wrote:
> No, I personally encourage you to heed Bob Christian's earlier advice and
> abandon your OWA 5.5 deployment plans.
>
> If you are asking "is HTTPS crackable" yet want to implement OWA5.5 for
> public Internet access by a kiosk, your security emphasis is seriously
> misplaced. Kiosk access will be the weak point for several reasons (as he
> listed) and will be a far easier target than HTTPS -- yet strangely, you are
> more concerned about HTTPS being cracked. Hackers go for low-hanging
> fruit -- easiest exploit to get the maximum damage is the first choice.
>
> Regarding your self-signed certificate -- of course the user will be warned
> about downloading and installing the self-signed certificate. If they are
> not, that would be a security vulnerability in the browser to allow a remote
> site to add trusted certificates. Additional problems:
> 1. You presume the user can even install the self-signed certificate on the
> kiosk (a kiosk that gives users such permissions is probably more dangerous
> to your data security)
> 2. You also presume that making users used to installing random certificates
> into the root store of their browser is a good security behavior.
>
> Really, the money you are saving is not worth the security risk you are
> taking on as well as the unsupported software you are investing in. Security
> of HTTPS infrastructure is simply the least of your concerns right now.
>
> --
> //David
My point was addressing his original request: "implementing OWA5.5 to be
accessible on the internet".
<seeker01@gmail.com> wrote in message
news:1108451618.516937.83460@c13g2000cwb.googlegroups.com...
> Dear all,
>
> The current project that I am working on is implementing OWA5.5 to be
> accessible on the internet.
>
> The architecture model that I am thinking of proposing to the
> management is to configure ISA 2000 server (sits at the internal
> network) to accept the HTTPS packet from PIX firewall; then forward
> HTTPS to OWA & CA server (which both sits at the internal network).
>
> This model will be tested because I am not an expert on ISA yet.
>
> But what concerns me more at the moment is "HTTPS crackable" by hackers
> and how that can happen?
>
> Thank you in advance for your help.
>
> Regards,
> Seeker
There is a high likelihood that an OWA user will access their e-mail from a
potentially hostile pc/notebook/kiosk/cybercafe system.
I have been to a lot of customers and there is a lot of press about
keyloggers loaded at public places like Kinkos and other cyber cafes:
http://tech2.nytimes.com/mem/technology/techreview.html?res=9E0CE1DD1731F934A3575BC0A9659C8B63
My point also corroborates Bob Christian's earlier advice, but I'm adding
that if seeker is building out an OWA strategy in 2005, seriously consider
integrating 2-factor authentication such as SecurID (because it defeats a
keylogger at a public terminal) and an SSL VPN (because you can Webarize
many of your intranet applications using the one project to secure OWA).
It's funny: there's a big push within Microsoft to integrate Federated
Identity Management solutions into Web-based applications, and I'm curious
why you have reservations.
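David's point about the self-signed certificate can be checked before any kiosk user sees the warning. The script below is an added example, not code from anyone in this thread: it generates a throwaway self-signed certificate for a placeholder host name (owa.example.invalid, an assumption), confirms it is self-signed (issuer equals subject), and shows that chain validation fails against the trust store and only succeeds once that very certificate is imported as a trusted root, which is exactly the install step a kiosk user would be prompted for. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: why a self-signed OWA certificate produces a browser
# warning, demonstrated with the openssl CLI (assumed to be installed).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample certificate for a placeholder host name; the key
# and certificate live only in the temporary directory.
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=owa.example.invalid" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# A certificate is self-signed when its issuer is its own subject.
# Prints "yes" or "no".
is_self_signed() {
  subj="$(openssl x509 -in "$WORK/cert.pem" -noout -subject)"
  iss="$(openssl x509 -in "$WORK/cert.pem" -noout -issuer)"
  # Strip the "subject=" / "issuer=" prefixes before comparing.
  [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

# Validate the chain the way a browser does: only issuers present in the
# trust store count. $1 is an extra CA file to trust, or "" for none.
# Prints "trusted" when a chain can be built, "untrusted" otherwise
# (the untrusted case is what the browser turns into a warning).
verify_against_store() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" "$WORK/cert.pem" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify "$WORK/cert.pem" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

make_self_signed_cert
echo "self-signed:                $(is_self_signed)"
echo "against the trust store:    $(verify_against_store "")"
echo "after importing the cert:   $(verify_against_store "$WORK/cert.pem")"
```

The second line is the state a kiosk browser is in; the third is what it takes to silence the warning, namely adding the certificate to the root store, which is the step David describes as both impractical on a locked-down kiosk and a bad habit to teach users.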