1 6th March 23:45
william
External User
 
Posts: 1
Default SSL Encryption



When you attempt to connect to OWA over HTTPS://, does it
start encrypting immediately or does it wait until you
have authenticated with your network username and
password, and then encrypt everything after that?
I know this seems like a dumb question, but I just want
to be 100% sure that our login names and passwords are
not exposed when using OWA.

Thanks,
2 6th March 23:45
herb martin
External User
 
Posts: 1
Default SSL Encryption



SSL itself is encrypted so as long as you stay in the HTTPS
protocol you have encryption for any data INCLUDING
passwords.

This is why BasicAuthentication WITH SSL is practically an
extra IIS authentication method that makes the insecure Basic
(clear text) effectively an encrypted authentication -- and
open standard, pretty much browser version independent.

(Since version 2.0 of the major browsers and even Lynx
has an SSL version.)
3 6th March 23:45
miha pihler
External User
 
Posts: 1
Default SSL Encryption


First encryption tunnel is established and only if it is successfully
established you are prompted for Username and Password and they are
transmitted over secure channel...

Mike
4 6th March 23:45
shao-ju chao (bruce)
External User
 
Posts: 1
Default SSL Encryption


We're doing something that we have a similar question. For asking this
question's sake, say we have an ASP program on the IIS that can capture
ID and password from the "GET" protocol, then
if I launch the browser, and then type
https://www.mysite.com/govalidate.asp?id=myid&password=secret
(note, at this time there is no security key in lower left corner of my
browser) and hit enter.

Can anybody sniff my id/password? (Yes-- because it's https, or No --
because the secure channel is not yet)

Other reason why this question is asked is, we're trying to use web
services over SSL and are trying to figure out if this is secure --
because the service requestor is supposed to send its id/password in the
very first request.........

Thanks!
5 6th March 23:46
derik
External User
 
Posts: 1
Default SSL and IIS 5.0 - problem - help!


I recently tried to configure my IIS to enforce SSL
connections. After following several tutorials for forming
a certificate request, signing (self-signed with OpenSSL),
and installing it, I get the following weird behavior:

when I tried to access the website using regular http using
a browser on the server itself, I get the standard error
asking me to use https. Yeah!

using https in a browser on the serving machine, I get the
website, nice and encrypted. Yay!

using regular http on a different machine on the same
network as the server, I get the error asking me to use
https. Still good!

but, when I try to use https on the different machine
(tried netscape, mozilla, and ie), the browser says
contacting myserver.com... and after a while says there was
no response from the server.

as soon as I disable the "enforce ssl connections" feature,
everything is accessible using http from any computer.

Any thoughts? I've looked around. IIS appears to be
listening on port 443. There are no intervening firewalls
between test computers and the server.
6 16th March 09:44
herb martin
External User
 
Posts: 1
Default SSL and IIS 5.0 - problem - help!


Your message was unclear about what worked and
mainly the precise condition under which you had
problems...sorry I just couldn't follow it, maybe I am
tired. <grin>
7 16th March 09:44
miha pihler
External User
 
Posts: 1
Default SSL Encryption


Client and Server will first negotiate all necessary information to create a
secure tunnel over which they will communicate. But having user's
credentials sent in URL is not really the best thing (anyone looking over my
shoulder can see them)... Why can't you use POST instead of GET?

Microsoft has a few extended articles on the topic of SSL. This is one of
them. I hope you will find inside what you are looking for.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;257591

The only way I can think of that I could easily sniff users' IDs and
passwords over secure channel is on switched network with "ARP pollution".

Mike
8 16th March 09:44
shao-ju chao (bruce)
External User
 
Posts: 1
Default SSL Encryption


Thanks miha.

So are you saying, either I use GET or POST, it is not safe for the client to
send credentials to the secure server BEFORE the secure channel is there? The
channel is secure only when secure server responds to the client, right?
Namely, this is my assumption (see below).

Not Secure
Client =============> Secure Server
Secure
Client <============= Secure Server

And then secure both ways thereafter........................
9 25th March 11:38
will
External User
 
Posts: 1
Default SSL Encryption


Okay, now you have me confused again. When I try to
connect my OWA site using SSL, I first get the
standard "Security Alert" box about the certificate (this
is because our certificate name doesn't match the domain
name, no biggie). I click yes to proceed, and then I get
the network login box wanting the username and password.
At this point, I don't see the little lock yet at the
bottom of the browser window, BUT...I thought that was
because the actual page hadn't come up yet. So, am I wrong
in thinking that the network passwords are encrypted?

10 25th March 11:38
alun
External User
 
Posts: 1
Default SSL Encryption


You're essentially never going to get the chance, if you ask for an HTTPS
connection, to get into that situation. The HTTPS connection starts with
the client connecting to the server on port 443. Then the client sends a
"ClientHello", which basically says "let's start talking encrypted". The
server responds, they exchange keys, and then start talking encrypted. At
this point, your action comes in.

So, as long as you use https, as soon as you specify an https connection,
all traffic that _you_ can put on that connection will be encrypted, and the
same goes for the server.

I could go into a more technical description of the whole thing, but the
point is that an https transaction involves encryption from as early as
possible right to the end.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place | alun@texis.com.
Cedar Park TX 78613-1419 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
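
The ordering described in the last reply can be checked on a capture of the client-to-server bytes. The following is an added example, not part of any post in this thread: it walks the TLS record layer and confirms that the stream opens with a ClientHello and that application data (where the HTTP request, URL included, travels) only appears after ChangeCipherSpec. It assumes a TLS 1.0-1.2 style flow; the sample streams are constructed with placeholder record bodies, and the request line reuses the URL from the question above.

```python
import struct

# TLS record layer: type(1) | version(2) | length(2) | body
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

def record(ctype, body, version=0x0301):
    """Build one TLS record (used only to construct the sample below)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def walk_records(stream):
    """Return record type names in wire order; ValueError if not TLS framing."""
    if stream.startswith(HTTP_METHODS):
        raise ValueError("cleartext HTTP on the wire, not TLS")
    names, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype not in CONTENT_TYPES or version >> 8 != 3:
            raise ValueError(f"not a TLS record at offset {pos}")
        if pos + 5 + length > len(stream):
            raise ValueError("truncated record body")
        names.append(CONTENT_TYPES[ctype])
        pos += 5 + length
    return names

def request_sent_only_after_handshake(stream):
    """True if the stream opens with a ClientHello and application data
    appears only after ChangeCipherSpec (TLS 1.0-1.2 style flow)."""
    names = walk_records(stream)
    opens_with_hello = names[:1] == ["handshake"] and stream[5:6] == b"\x01"
    if not opens_with_hello or "application_data" not in names:
        return False
    if "change_cipher_spec" not in names:
        return False
    return names.index("application_data") > names.index("change_cipher_spec")

# Constructed client-to-server captures; record bodies are placeholders.
REQUEST = b"GET /govalidate.asp?id=myid&password=secret HTTP/1.1\r\n"
OPAQUE = bytes(64)                                   # stands in for ciphertext
TLS_STREAM = (record(22, b"\x01" + bytes(40))        # ClientHello
              + record(22, b"\x10" + bytes(130))     # ClientKeyExchange
              + record(20, b"\x01")                  # ChangeCipherSpec
              + record(22, OPAQUE)                   # encrypted Finished
              + record(23, OPAQUE))                  # encrypted HTTP request
PLAIN_STREAM = REQUEST                               # what http:// would send
```
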