Re: SSL and iSeries as a consumer of a web service on a PC workstation

On Fri, Apr 23, 2010 at 21:13, Scott Klement
<midrange-l@xxxxxxxxxxxxxxxx> wrote:

Sometimes they just want the session encrypted.

Encryption without authentication is the same as no encryption. It
means that anyone who wants to can listen in, easily and without much
hassle. Yes, it requires a bit more effort than just running tcpdump
on a plain connection, but not much more.

Look at WEP encryption for Wireless LANs - easily broken without much
effort, but the data is encrypted.

session. ÂPresumably, he feels that the IP address is a good enough
check to make sure he's connected to the right machine. ÂIndeed, it
might be, if this is a private and controlled network.

Considering that a large percentages of malicious attacks originate
from inside the network, i don't agree with you here.

Seems to me that it's up to each organization to decide what level of
risk they're willing to accept. Â Providing flexibility in the software
is a good thing.

With this, i can agree. But the default should be a safe
configuration, not an unsafe one. Firefox for examples can handle
private CAs or self-signed certificates gracefully - it works the same
as SSH host keys - once the certificate is remembered, Firefox will
check to make sure it's the one you've accepted in the first place.

But from a security aspect, IBM is also guilty of shipping a system in
an unsafe default configuration (Plaintext Telnet, DDM, ODBC, etc. all
enabled by default, all of them need to be reconfigured just to get a
system out of the door).