| -----Original Message-----
| From: Virtual Learning Environments [mailto:[log in to unmask]] On Behalf
| Of MURRAY M.R.
| Sent: 18 May 2009 13:14
| To: [log in to unmask]
| Subject: Re: [VLES] is your VLE's URL http or https ?
|
| Hi Adam,
|
| We've gone for the full https solution. As you have stated, once you
| have any secure content, users of IE will get the mixed content
| warnings, so we didn't see the advantage of just securing some of the
| site. Full https doesn't seem to have had a big impact on our
| performance. We haven't gone as far as using something like an F5 device
| to offload SSL, but do use differing levels of encryption on secure but
| completely internal connections to try and keep the system (Blackboard)
| responsive.
|
| Initially we tried a range of measures to ensure that the content was
| all coming over SSL - including writing some tools to provide local,
| regularly updated copies of RSS and other external content, but this
| proved unmanageable in the long term. We realised we could not justify
| maintaining a secured clone of the internet :~)
|
| We've managed to mitigate against some of the mixed message problems
| locally by adding the VLE to the list of trusted sites on all
| institutional IE PC profiles. We also ensured we had valid certificates
| from a trusted authority rather than using roll your own certs. Other
| than that, it is simply a case of user education - after all it is not a
| bad thing if it gets people thinking about where the content is actually
| coming from.
|
| I would advise, though, to keep your opening page all SSL content, as
| otherwise some users may (rightly) raise concerns about entering their
| login credentials.

Yes - we use https for login always.

We don't have the luxury of being able to add the VLE to the trusted zones ourselves as we manage a very small amount of desktops in the Uni, but we could badger individual depts. to make sure this is done. That's a good point.

Also - Aggie raises the issue that snooping isn't generally the issue, there are other ways to steal a session, plus the most likely security vulnerability will be key-loggers, viruses and Trojans on students' (& lecturers') laptops and home PCs.

Adam