I'm about to enable AD integration on our LAN, which is using HTTP to communicate with Vault. We could implement HTTPS, but we feel the performance detriment may not be worth it.
My question is simple: how is the AD user/password authenticated on the LAN? Is it sent around the network as plain text, or in any other form that could be sniffed or captured because of HTTP limitations?
Cheers
Using AD integration in a non-HTTPS environment
Moderator: SourceGear
I've answered this before
The summary of that thread is that HTTP is fine for password protection, but security-conscious customers should use HTTPS. For a LAN, HTTP is fine.
This is from the thread http://support.sourcegear.com/viewtopic.php?p=9566#9566:
When the Vault client, admin tool or API sends a password, it's encrypted with a one-time key which is also encrypted. Vault never sends a plain password. I want to be very clear in stating that although Vault sends the AD password, it is as safe as SSL. We've had encrypted passwords since 1.0, and wouldn't have added AD passwords in Vault if we sent them in plain text.
On rereading, my reply seems a lot harsher than I had intended. This is a good question (that it took 2 years for customers to ask), and our forum search is nowhere near good enough to return that thread in the first three hits when searching for "password encryption." Sorry that my reply came out wrong.
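The moderator's quoted thread describes the general pattern of sealing a password under a fresh one-time key and then sealing that key too. The example below is added here to show that pattern in working code; it is not SourceGear's code and does not reproduce Vault's actual wire format. It assumes (the post does not say this) that the one-time key is an AES key wrapped with an RSA public key belonging to the server, and the sample password and the `Envelope` layout are constructed for illustration. The point it makes concrete is the one the moderator states: the HTTP body carries no plaintext password, and because a new one-time key is drawn per attempt, two logins with the same password produce different bytes on the wire. What this pattern does not do by itself is authenticate the server to the client, which is the part TLS adds; how the client learns the key it encrypts to is outside the scope of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is a hypothetical wire format for one login attempt (not Vault's):
// the AD password is sealed under a fresh one-time key, and that key is
// itself sealed under the server's RSA public key. Neither field reveals
// the password to anyone sniffing the HTTP request.
type Envelope struct {
	WrappedKey []byte // one-time AES key, RSA-OAEP encrypted to the server
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // password encrypted with the one-time key
}

// SealPassword is the client side: pick a random one-time key, encrypt the
// password with it, then encrypt the one-time key to the server's public key.
func SealPassword(serverPub *rsa.PublicKey, password []byte) (*Envelope, error) {
	oneTimeKey := make([]byte, 32) // fresh AES-256 key for this attempt only
	if _, err := rand.Read(oneTimeKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(oneTimeKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, password, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, oneTimeKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenPassword is the server side: unwrap the one-time key with the private
// key, then decrypt the password. A tampered ciphertext fails GCM authentication.
func OpenPassword(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	oneTimeKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(oneTimeKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// WireBytes flattens the envelope the way it would travel in an HTTP body,
// so a sniffer's view of the request can be inspected.
func WireBytes(env *Envelope) []byte {
	return bytes.Join([][]byte{env.WrappedKey, env.Nonce, env.Ciphertext}, nil)
}

func main() {
	serverPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	password := []byte("Hunter2!") // constructed sample AD password
	env, err := SealPassword(&serverPriv.PublicKey, password)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext password visible on the wire:", bytes.Contains(WireBytes(env), password))
	got, err := OpenPassword(serverPriv, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server recovered %q\n", got)
}
```

Run it with `go run` and inspect `WireBytes` against a capture of a real login only to confirm the shape of the check; the bytes Vault actually puts on the wire are whatever its own implementation produces, not this envelope.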