Educause Security Discussion mailing list archives

Re: NCAA SSL active Friday 1/27/06

From: Chad McDonald <chad.mcdonald () GCSU EDU>
Date: Mon, 30 Jan 2006 09:31:26 -0500

Not sure, but I will certainly ask.  Thanks for checking behind me on this
one.


On 1/30/06 7:58 AM, "Christopher E. Cramer" <chris.cramer () DUKE EDU> wrote:

Chad,

Thanks for working with them on this issue.  I'm sure that more of our
schools are using this than we're aware.

I poked around on their site this morning and sure enough, the logins,
etc. used SSL by default.  Or at least the menus have been changed to
reference the SSL version. Unfortunately, if someone's bookmarked the
college login page as
http://www.ncaaclearinghouse.net/ncaa/NCAA/college/index_college.html (w/o
SSL), then they'll continue not to use SSL.  There doesn't seem to be an
automated redirect from http to https.

They seem to be using an Oracle-branded Apache server.  Any chance you
think they would use the rewrite engine to automatically bounce non-ssl'd
pages to their ssl'd counterparts?

Thanks,
Chris

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528


On Thu, 26 Jan 2006, Chad McDonald wrote:

Great news!

I just received an email from the Manager of NCAA Online that has assured me
that tomorrow 1/27/06, the NCAA Clearinghouse website will be moved into an
SSL environment.  According to the email, some staff at the Clearinghouse
were unaware that there were sections of the site that were unsecured.  It
should be noted that since bringing this to their attention earlier this
week Gregg Summers at NCAA Online and crew have responded quickly and
professionally to resolve this issue.

Thanks Gregg for your speedy response!

Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Fax     478.445.1202


Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell       478.454.8250
Fax       478.445.1202
Email   chad.mcdonald () gcsu edu

Current thread:

NCAA SSL active Friday 1/27/06 Chad McDonald (Jan 26)
- <Possible follow-ups>
- Re: NCAA SSL active Friday 1/27/06 Christopher E. Cramer (Jan 30)
- Re: NCAA SSL active Friday 1/27/06 Chad McDonald (Jan 30)