My 2c, not sure if everyone agrees but can't help going on a rant for a minute:
<rant> Security exploits on internal-only websites are completely irrelevant, and SSL introduces an unnecessary processing overhead on your server. Unless your CMS is public-facing (and it most certainly should not be) SSL is moot, even for the login screen (you should be using integrated login anyway). If you have external parties that need access to the CMS they should be using a VPN tunnel to do so. </rant> Sorry. Merry Christmas. -----Original Message----- From: "Kelly Burns" <kellyburns2...@gmail.com> Sent: 25/12/2013 5:16 To: "reddot-cms-users@googlegroups.com" <reddot-cms-users@googlegroups.com> Subject: Re: SSL Support change in version 11.1??? Thank you so much Tim!! Happy Holidays! Kelly Kelly Burns 329 N. Humphrey | Oak Park, IL | 60302 Mobile: (312) 909-0925 Skype: kellyburns2005 Email: kellyburns2...@gmail.com On Tue, Dec 24, 2013 at 7:44 AM, Tim D <timothy.j.da...@gmail.com> wrote: Kelly, Switching out of SSL/HTTPS opens up possible exploits. It is an OWASP security standards recommendation to stay in TLS/SSL. https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Use_TLS_for_All_Login_Pages_and_All_Authenticated_Pages Engineering will try to conform to OWASP guidelines and the recent 11.1 HF4 should have brought the product in line at least around the top exploits. I'd recommend using this and looking at SSL offloading or acceleration if performance is a concern. If you wan the classic setup leave off the SSL option on install. You may be able to get the login over SSL worst case is editing some ASP pages to force it to SSL(this would potentially break on any future patches/upgrades). Best, Tim On Friday, December 20, 2013 3:22:13 PM UTC-5, Kelly wrote: We found this in Release Notes for 11.1: "there is no automatic fallback to HTTP anymore." Has anyone found a workaround or hot fix for this? We are currently in 10.1 planning our 11.1 upgrade. Users start their session in HTTP mode, login page then reloads in HTTPS mode, user logs in securely using 443/TCP -- but after login, user is returned to HTTP mode. Below is the paragraph from Release Notes re: new SSL for 11.1. Thanks!! Kelly Secure Installation and Extended SSL Support (from Release Notes for WSM 11.1) When installing Management Server 11.1, the default installation mode is to install with SSL option. With this option selected, Management Server is only accessible via HTTPS; there is no automatic fallback to HTTP anymore. For installation with SSL, HTTPS support must be prepared in IIS. If SSL [The entire original message is not included.] -- You received this message because you are subscribed to the Google Groups "RedDot CMS Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to reddot-cms-users+unsubscr...@googlegroups.com. To post to this group, send email to reddot-cms-users@googlegroups.com. Visit this group at http://groups.google.com/group/reddot-cms-users. For more options, visit https://groups.google.com/groups/opt_out.
