Re: is http mail secure?
From: Steve Carr (scarr_at_bastyr.edu.NOSPAM)
Date: 03/04/05
- Next message: BJ McGowan: "Exchange mailboxes and aliases"
- Previous message: Al Mulnick: "Re: Front-End server question"
- In reply to: Bill Brehm: "Re: is http mail secure?"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 3 Mar 2005 16:29:13 -0800
To save yourself a bunch of money, you could use one of two methods:
1. You could set up your own certificate authority on your domain and then
use IIS to request a certificate from there. The downsides are that you
would have to manage this (you really need to take time to sit down and
understand this to make sure it is set up correctly) and you would have to
give the certificate of the Certificate Authority to all of your clients
(employees etc) to add to their trusted root certificate cache on any
workstation they plan to use (or set up a way to publish it to the web which
is more work still). If you have a bunch of time, this is a good option.
2. There are some cheap or free certificate authorities out there that you
can track down (I don't remember any off hand) to issue you a certificate.
Some may have their Certificate Authority (or Root) preloaded in IE (or
Firefox for that matter) and some may not. If they don't, you are back to
giving the Root Certificate out to everyone to install.
If none of this sounds appealing (as bad as paying ~$250-$300 a year) then
you could just make sure your authentication method in IIS is NTLM instead
of Basic or Anonymous. That way at least your username and password are
encrypted (I think Firefox can now handle NTLM so you won't be forced to
just use IE). Of course that means all your data (email content) is not
encrypted so any content can be sniffed for info.
Does that help?
Let me know if you need more info
P.S. - you could also get a cheap or free certificate and not worry about
your employees having the Root Authority's certificate to test against. This
way when they first go to the site they may get a notice saying that the
Root is unknown, and then it will ask them if they want to continue and they
can just say yes.
P.P.S. - a certificate is a public encryption key used by your browser to
start a handshake with a webserver to assure encrypted traffic
"Bill Brehm >" <<don't want any spam> wrote in message
news:el7buR7HFHA.3472@TK2MSFTNGP09.phx.gbl...
> I've looked at the help and at the websites, but I don't quite get it.
>
> What exactly is a cert? Is it a password or a piece of encryption code or a
> license for something? It seems to cost a lot of money. Why do I have to buy
> this from some company? Can't I (or Windows) create a cert without going to
> a third party company?
>
> When you say only IE users can get there, do you mean it wouldn't work with
> other browsers? That would be okay, because all my users use IE.
>
> Thanks.
>
> "Steve Carr" <scarr@bastyr.edu.NOSPAM> wrote in message
> news:uFvUU22HFHA.2276@TK2MSFTNGP15.phx.gbl...
> > get a certificate for your server (from Verisign, Thawte etc) and install
> > and then use https. You can do this by going into IIS and going to the
> > Properties of the Virtual Site, selecting the Security tab and clicking on
> > Certificates at bottom. Create a request, save it as a txt file and then
> > follow directions at the Certificate Authority you pick.
> > If you don't, nothing is encrypted (unless you use integrated security,
> > then your password is encrypted but only IE users can get there) so it is
> > highly recommended to get a cert and go to https
> >
> > "Bill Brehm >" <<don't want any spam> wrote in message
> > news:OsmTkAwHFHA.4060@TK2MSFTNGP14.phx.gbl...
> >> Exchange 2000 running on Windows 2000.
> >>
> >> I recently discovered and want to enable HTTP access to the exchange server
> >> for our people on the road. I can get it to work, but I'm worried about
> >> security. I can access by http://myIPaddress/Exchange. There is no little
> >> lock at the bottom telling me it's secure. I cannot access with https. Is
> >> the data going over the internet encrypted? Is the username and password
> >> encrypted?
> >>
> >> I know I could force them to VPN into our network then HTTP from within. But
> >> that's a bit complicated for some of our users. Aside from that, how can I
> >> make sure it's secure?
> >>
> >> Thanks,
> >>
> >> Bill
> >>
> >>
> >
> >
>
>