Re: is HTTPS crackable

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 02/18/05


Date: Fri, 18 Feb 2005 01:45:26 -0800

Weird, I sent a reply 5 hours ago and it did not show up here. Anyways...

I am happy to see your detailed responses to the original question.

I have reservations about the user's choice of implementation and line of questioning
(willing to question HTTPS protocol security prior to questioning
OWA55/Kiosk security), not necessarily Microsoft's strategy. I do not think
OWA55 is Federated, yes?

I think we are all just violently agreeing with each other. :-)

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Phil Agcaoili" <PhilAgcaoili@discussions.microsoft.com> wrote in message
news:5729FB7E-8CB6-44E8-A584-89E5AAB1B034@microsoft.com...
"David Wang [Msft]" wrote:
> No, I personally encourage you to heed Bob Christian's earlier advice and
> abandon your OWA 5.5 deployment plans.
>
> If you are asking "is HTTPS crackable" yet want to implement OWA5.5 for
> public Internet access by a kiosk, your security emphasis is seriously
> misplaced.  Kiosk access will be the weak point for several reasons (as he
> listed) and will be a far easier target than HTTPS -- yet strangely, you are
> more concerned about HTTPS being cracked.  Hackers go for low-hanging
> fruit -- easiest exploit to get the maximum damage is the first choice.
>
> Regarding your self-signed certificate -- of course the user will be warned
> about downloading and installing the self-signed certificate.  If they are
> not, that would be a security vulnerability in the browser to allow a remote
> site to add trusted certificates.  Additional problems:
> 1. You presume the user can even install the self-signed certificate on the
> kiosk (a kiosk that gives users such permissions is probably more dangerous
> to your data security)
> 2. You also presume that making users used to installing random certificates
> into the root store of their browser is a good security behavior.
>
> Really, the money you are saving is not worth the security risk you are
> taking on as well as the unsupported software you are investing in.  Security
> of HTTPS infrastructure is simply the least of your concerns right now.
>
> -- 
> //David
My point was addressing his original request: "implementing OWA5.5 to be
accessible on the internet"
<seeker01@gmail.com> wrote in message
news:1108451618.516937.83460@c13g2000cwb.googlegroups.com...
> Dear all,
>
> The current project that I am working on is implementing OWA5.5 to be
> accessible on the internet.
>
> The architecture model that I am thinking of proposing to the
> management is to configure ISA 2000 server (sits at the internal
> network) to accept the HTTPS packet from PIX firewall; then forward
> HTTPS to OWA & CA server (which both sits at the internal network).
>
> This model will be tested because I am not an expert on ISA yet.
>
> But what concerns me more at the moment is "HTTPS crackable" by hackers
> and how that can happen?
>
> Thank you in advance for your help.
>
> Regards,
> Seeker
There is a high likelihood that an OWA user will access their e-mail from a
potentially hostile PC/notebook/kiosk/cybercafe system.
I have been to a lot of customers, and there is a lot of press about
keyloggers loaded at public places like Kinkos and other cyber cafes:
http://tech2.nytimes.com/mem/technology/techreview.html?res=9E0CE1DD1731F934A3575BC0A9659C8B63
My point also corroborates Bob Christian's earlier advice, but I'm adding
that if Seeker is building out an OWA strategy in 2005, strongly consider
integrating 2-factor authentication such as SecurID (because it defeats a
keylogger at a public terminal) and an SSL VPN (because you can Webarize
many of your intranet applications with one project--to secure OWA).
It's funny, there's a big push within Microsoft to integrate Federated
Identity Management solutions into Web-based applications, and I'm curious
why your reservation?
