SLAC WWW-Tech Mtg 9/9/98


Attendees: Tony Johnson,  John Halperin,  Joan Winters, Dennis Wisinski, Bebo White, Paul Raines, George Crane, Andrea Chan, Rich Dominiak, Glen Biggus.

Agenda:

SSL

Dennis gave out a "Cryptography Primer" and an "SSL Primer", and went through them.

The advantage of SSL to SLAC would primarily be to ensure that passwords are passed over the network in encrypted form. Unfortunately, URLs referring to encrypted pages must use https: rather than http:, meaning that all references to pages changed from non-SSL to SSL must be changed. This causes a particular problem with relative links between SSL and non-SSL pages, which must become absolute links, and is particularly problematic for FrontPage users, since FrontPage likes to automatically create relative links and doesn't have any mechanism to mark some pages as SSL pages. It would be possible to use https for all pages on the NT web server, but this would cause problems with existing links and bookmarks, and would also confuse people used to typing www-user/somepage into the URL window of their browser. Questions were also raised as to whether major indexers (AltaVista etc.) would index https pages. Dennis said he had not noticed any noticeable slowdown in using SSL connections compared to non-SSL pages, at least in one-off tests.
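The relative-link problem described above can be checked mechanically. The following is an added example, not part of the original minutes: it resolves each link on a page the way a browser would and reports the ones whose inherited scheme is wrong, together with the absolute URL that should replace them. The host `www.example.org`, the `/restricted/` prefix and the sample pages are constructed, and it assumes public pages are published under http only.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumption: path prefixes the server is configured to serve only over SSL.
SSL_PREFIXES = ("/restricted/",)

def needs_ssl(path):
    """True if the server requires SSL for this path."""
    return any(path.startswith(prefix) for prefix in SSL_PREFIXES)

class HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def audit_links(page_url, html):
    """Return (href, corrected_absolute_url) for every same-site link
    that resolves to the wrong scheme for its target."""
    collector = HrefCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).netloc
    fixes = []
    for href in collector.hrefs:
        # A relative href inherits scheme and host from the page it sits on.
        resolved = urlsplit(urljoin(page_url, href))
        if resolved.scheme not in ("http", "https") or resolved.netloc != page_host:
            continue  # mailto: links and other sites are out of scope
        wanted = "https" if needs_ssl(resolved.path) else "http"
        if resolved.scheme != wanted:
            fixes.append((href, urlunsplit(resolved._replace(scheme=wanted))))
    return fixes

# Constructed sample pages: one public, one inside the SSL-only tree.
PUBLIC_PAGE = '<a href="restricted/payroll.html">Payroll</a> <a href="news.html">News</a>'
SSL_PAGE = '<a href="../index.html">Home</a> <a href="forms.html">Forms</a>'

if __name__ == "__main__":
    print(audit_links("http://www.example.org/index.html", PUBLIC_PAGE))
    print(audit_links("https://www.example.org/restricted/index.html", SSL_PAGE))
```

Links that stay on the same side of the SSL boundary are left relative; only the ones that cross it are reported.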

Changing pages to require SSL under NT requires changes to the server MetaBase which can only be done by NT administrators.

40-bit Netscape browsers will not talk reliably to IIS (unless SSL 3.0 is changed to SSL 2.0 in the Netscape browser options). Dennis will be reinstalling the server on new hardware, and maybe this will fix the problem. Otherwise, Microsoft tech support may be contacted. The Netscape browsers installed at SLAC on Unix are all 40-bit versions, and presumably many non-Unix users use 40-bit versions.

It was proposed that BIS would like to change all of their pages to use SSL, since they make extensive use of restricted access and are particularly sensitive to security issues (maybe 1/3 - 1/2 of all BIS pages are already password protected). BIS does not use FrontPage (with one small exception).

The Netscape server on Unix could also be configured to support SSL, although the details are currently not known.

Naming Convention

Joan gave a brief summary of the naming convention document for restricted access NT pages that she had distributed earlier. She proposes adopting a convention to use slaconly (in the directory name) as a hint to the NT administrators that pages below should be password protected and SSL required. This was felt to be important since the consequences of setting protections on files incorrectly could be dire. The NT definition would be slightly different to the existing Unix definition of slaconly in that:

It is expected, however, that the Unix use of slaconly will change to become closer to the proposed NT definition of slaconly, and this is thought to justify using the same term. Bob Cowles has apparently suggested using a Cornell scheme based on Kerberos on Unix, but the details were unclear and it was suggested we invite him to discuss this at a future meeting.

Action Items


Tony Johnson