06-23-2008, 08:30 AM   #3
Model: 8800
Carrier: At&t

Thanks. So if I am to understand this correctly, security when having Support HTTP Authentication enabled is no different between the Blackberry and the web server than it is when my desktop browser is connecting to the web server.

So to pick a particular "for instance", I know we have Windows Authentication enabled that will send our domain userid and password to an HTTP server (NOT HTTPS) that we use for several commonly used activities. Is there any ADDITIONAL exposure that's created by having this authentication occur from the Blackberry device that would exist in addition to the exposure that currently exists authenticating from my desktop web browser to the HTTP server?

I'm drawing a rough model to help clarify what the potential concern is:

Normal (no Blackberry) Browser:
Browser <-> HTTP Server (supporting Windows authentication)

Blackberry Browser:
BB Browser <-> MDS Server <-> HTTP Server (supporting Windows authentication)

In the "normal browser" instance, it seems we have an issue with weak encoding of domain passwords between the web browser and the HTTP server. In the "blackberry browser" instance, it seems we have the same between the MDS server and the HTTP server; however, we also have the added ability for some weak security between the BB browser and the MDS server. However, I am under the impression that security between BB Browser and MDS Server is pretty tight and should present no additional concern.

Seems to me if the security risks are identical to those that we currently have between our desktop browsers and our HTTP servers, that there shouldn't be any additional security concern about enabling Support HTTP Authentication on the BES server. I want to be sure I have the facts straight before proposing changes to our server administration group, though.

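What is exposed on the plain-HTTP hop in the model above (Browser or MDS Server to HTTP Server) depends on which scheme the server advertises in its `WWW-Authenticate` headers. The following is an added example, not part of the original post: it audits a 401 response and shows that a Basic credential is only Base64-encoded. The host `intranet.example`, the sample response, the sample credential and the function names are all constructed for illustration.

```python
import base64

# What each scheme puts on the wire (Basic: RFC 7617, Digest: RFC 7616, Negotiate: RFC 4559).
SCHEMES = {
    "basic": "password sent as reversible Base64",
    "digest": "hashed challenge-response, password not sent",
    "ntlm": "challenge-response, password not sent",
    "negotiate": "Kerberos or NTLM token, password not sent",
}

def offered_schemes(raw_response: str) -> list[str]:
    """Return the auth schemes offered, one WWW-Authenticate header per scheme."""
    schemes = []
    for line in raw_response.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return schemes

def decode_basic(authorization: str) -> tuple[str, str]:
    """Recover user and password from a Basic Authorization header value."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token.strip()).decode("utf-8").partition(":")
    return user, password

def audit(url: str, raw_response: str) -> list[str]:
    """List one finding per scheme offered in a 401 seen on the server-side hop."""
    findings = []
    cleartext = url.lower().startswith("http://")
    for s in offered_schemes(raw_response):
        note = SCHEMES.get(s, "unknown scheme")
        if s == "basic" and cleartext:
            note += " over cleartext HTTP: readable by anyone on the path"
        findings.append(f"{s}: {note}")
    return findings

# Constructed sample: a 401 from a hypothetical intranet server.
SAMPLE = ("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"
          "WWW-Authenticate: NTLM\r\nWWW-Authenticate: Basic realm=\"intranet\"\r\n"
          "Content-Length: 0\r\n\r\n")
# Constructed credential: Base64 of "EXAMPLE\jdoe:Passw0rd!"
SAMPLE_AUTH = "Basic " + base64.b64encode(b"EXAMPLE\\jdoe:Passw0rd!").decode()
if __name__ == "__main__":
    print("\n".join(audit("http://intranet.example/app", SAMPLE)))
    print(decode_basic(SAMPLE_AUTH))
```

If the audit lists `basic` for an `http://` URL, serving that application over HTTPS or disabling Basic on the server removes the cleartext password from the wire for desktop and MDS clients alike.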