Hi Adam,
We've gone for the full https solution. As you have stated, once you
have any secure content, users of IE will get the mixed content
warnings, so we didn't see the advantage of just securing some of the
site. Full https doesn't seem to have had a big impact on our
performance. We haven't gone as far as using something like an F5 device
to offload SSL, but do use differing levels of encryption on secure but
completely internal connections to try and keep the system (Blackboard)
responsive.
Initially we tried a range of measures to ensure that the content was
all coming over SSL - including writing some tools to provide local,
regularly updated copies of RSS and other external content, but this
proved unmanageable in the long term. We realised we could not justify
maintaining a secured clone of the internet :~)
We've managed to mitigate against some of the mixed message problems
locally by adding the VLE to the list of trusted sites on all
institutional IE PC profiles. We also ensured we had valid certificates
from a trusted authority rather than using roll your own certs. Other
than that, it is simply a case of user education - after all it is not a
bad thing if it gets people thinking about where the content is actually
coming from.
I would advise, though, to keep your opening page all SSL content, as
otherwise some users may (rightly) raise concerns about entering their
login credentials.
Hope that helps,
Malcolm.
---
Dr Malcolm Murray
Learning Technologies Team Leader
IT Service
Durham University
-----Original Message-----
From: Virtual Learning Environments [mailto:[log in to unmask]] On Behalf Of Adam Marshall
Sent: Monday, May 18, 2009 12:24 PM
To: [log in to unmask]
Subject: [VLES] is your VLE's URL http or https ?
We're not sure whether to run our VLE as http or https.
If we use https then obviously all content is encrypted and we can use
secure cookies meaning the likelihood of man-in-the-middle attacks or
session stealing is very low indeed.
However, there is a huge drawback in that if somebody embeds a You Tube
video, or flickr photo-stream or the like (which can only be accessed by
http) then MS Internet Explorer throws up scary looking warnings about
the page containing 'secure and non-secure items' causing some users to
panic and others to think that the VLE is somehow at fault.
Using http means that such messages don't appear but that session
stealing or man-in-the-middle attacks are a lot more likely.
We could allow both http and https but this doesn't stop session
stealing or man-in-the-middle attacks at all.
Basically it's a no-win situation unless you ban people from using
Internet Explorer which would be an admirable stance but which would
never happen in practice!
What approach have other institutions taken?
Adam
--
Adam Marshall: OUCS, 13, Banbury Rd. Oxford OX2 6NN.
The upcoming new WebLearn service: http://beta.weblearn.ox.ac.uk
Shameless plug: http://www.myspace.com/wheresthebeachmusic
Cheese of the month: Double Gloucester - shouldn't be overlooked!
***************** List information: *****************
Remember - replies go by default to the entire list.
Access the list via the web on http://www.jiscmail.ac.uk/lists/vle.html
To unsubscribe, email [log in to unmask] with the message: leave vle
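
Both messages turn on which embedded items make the browser flag an https page as containing non-secure items. The Python below is an added example, not part of either message: it lists the subresources an https page would load over plain http, which is the check to run on a login page that is meant to be all SSL. The hosts, the sample page and the function names are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch; <a href> is navigation, so absent.
FETCHING_ATTR = {"script": "src", "img": "src", "iframe": "src", "frame": "src",
                 "embed": "src", "object": "data", "audio": "src",
                 "video": "src", "source": "src", "link": "href"}
LINK_RELS = {"stylesheet", "icon"}  # <link> only fetches for these rel values


class MixedContentFinder(HTMLParser):
    """Collect (tag, url) pairs that an https page would load over plain http."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCHING_ATTR.get(tag, ""))
        if not value:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LINK_RELS:
                return
        # Resolve relative and scheme-relative (//host/x) URLs as the browser does.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only arises on a page served over https
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (hypothetical hosts): two http embeds on an https VLE.
SAMPLE = """<link rel="stylesheet" href="/css/site.css">
<a href="http://example.org/reading">reading list</a>
<img src="http://photos.example.org/1.jpg">
<script src="//cdn.example.org/lib.js"></script>
<embed src="http://video.example.org/v/abc">"""

if __name__ == "__main__":
    print(find_mixed_content("https://vle.example.org/course/1", SAMPLE))
```

The scheme-relative script and the site-relative stylesheet inherit https from the page and are not reported; the plain link to an http site is navigation and does not count as page content.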