Re: SP2 and OWA

"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

In news:g8spe2pbtvt0k7tl7itmtpeubsjq7pkubp@xxxxxxx,
Rich Matheisen [MVP] <richnews@xxxxxxxxxxxxxxxxxxxxx> typed:
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

[ snip ]

Okay . . . I'll bite. Why is allowing HTTP into your network less
secure than allowing HTTPS (ignoring the "sniffing passwords" bit)?

Well, I can see I inadvertently started something here,

Nope. You didn't . . . I did. I just hijacked your thread to do it.

I'll allow it this time, Mathiesen. <stern look>
^^
|
+-- ei <waves back>

Just like Old MacDonald had a farm, e-i, e-i, . . .

Unless, of course, I return to the "old country" where it's "ie".
Blame my grandfather for that misspelling.



but my first
reaction is that what you ask me to ignore is one of the main
reasons I want SSL!

That's okay, but you said allowing HHTP into your network was a risk,
not that exposing passwords was a risk (which is a given). I'm
interested in knowing how HTTP is more of a risk than HTTPS and I want
to exclude the obvious from the disscussion.

Ah, yes. I fear I am out of my depth here (I'm not much of a web server
person), so it's entirely possible I've been living in a fool's paradise,
but doesn't forcing SSL encrypt more than just the authentication process to
help protect against eavesdropping?

Sure. But that eavedropping is what makes it possible to detect
nefarious behavior. Using HTTPS hides the contents of the channel
between ther two end points (like SSL and TLS).

[ snip ]

Do they also have a web site?

Not internally hosted, no...unless it's in a DMZ, and it probably wouldn't
even be running IIS then :)

Doesn't matter. HTTP/HTTPS hasn't been appropriated by MS yet. :-P


--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
.

Relevant Pages

  • Re: https confusion
    ... Can someone point me to a explanation of how https ... chance to ask the client for a certificate. ... The Firefox browser I'm running, ...
    (comp.os.linux.security)
  • Re: SP2 and OWA
    ... risk, not that exposing passwords was a risk. ... interested in knowing how HTTP is more of a risk than HTTPS and I ...
    (microsoft.public.exchange.admin)
  • Re: SP2 and OWA
    ... secure than allowing HTTPS (ignoring the "sniffing passwords" bit)? ... reasons I want SSL! ... That's okay, but you said allowing HHTP into your network was a risk, ...
    (microsoft.public.exchange.admin)
  • Re: Submitting to Ask.com
    ... Denise wrote: ... over https if they wanted to send its results. ... Google and other SE's ask that you do a removal for URI's that don't ...
    (alt.internet.search-engines)
  • Re: SP2 and OWA
    ... secure than allowing HTTPS (ignoring the "sniffing passwords" bit)? ... That's okay, but you said allowing HHTP into your network was a risk, ... MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm ...
    (microsoft.public.exchange.admin)