Although breaches of security on the Internet are infrequent, it is important to be aware of the inherent limitations of any Internet security system. The following information is not unique to Host On-Demand; it applies to most Internet applications that use http. None of this information applies if your Web server uses secure http (https).
For Host On-Demand, SSL security is still provided even when Server Authentication is disabled.
A common SSL connection between a client and a server works as follows:
Using a CA-signed certificate:
Using a self-signed certificate:
Why You Must Be Careful |
---|
The crucial step in the process is when the client checks its list of trusted CAs and self-signed certificates. For a locally-installed client, on which Host On-Demand is loaded directly from the client's hard disk, that list is kept on its local hard disk. This is considered adequately secure. However, for a download client, on which the client is really just a browser that downloads all its code from the server using http, the only place the browser can look for the list of trusted CAs or self-signed certificates is on the server from which it has just downloaded the certificate. If that server is an intruder, security is breached. One way to avoid this problem is to use https rather than http, because https ensures that the browser really is connected to the correct server. |
Related topic: