Quote:
Originally Posted by flipper35
What is on their end I am worried less about but I would bet it is in SQL in the clear. Just a guess on my part but based on what I see that is my assumption.
The info is certainly stored on their end as we can look the info up at any time for any time frame.
Nothing is stored on our end; the results of the query are populated in fields on the application in real time, just like a web site.
I can think of no reason they couldn't use a certificate on their end. I can't think of any case where this can be compliant which is why I am asking here, in case I missed or misinterpreted something.
I looked through those resources and came here to verify those. Thanks.
No reason at all. Takes me about 30 minutes to get 15 students through obtaining a free certificate from Let's Encrypt and changing an Apache server from plain HTTP to HTTPS, including complete redirects from non-secure to secure. Can't imagine it would take much longer for nginx, Tomcat, IIS or any other web server, although the IIS folks may need to reboot a few times.
That said, there is that slight possibility of them encrypting client side and sending - sniff the traffic and find out.
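
For the "sniff the traffic and find out" step, a triage of captured payloads, added here as an example and not part of either post: it labels the first TCP payload of a flow as TLS, cleartext HTTP, or HTTP carrying an opaque body (possibly client-side encrypted). The sample payloads, the host `vendor.example` and the thresholds are constructed assumptions.

```python
import base64, hashlib, math
from collections import Counter

HTTP_STARTS = (b"GET ", b"POST ", b"PUT ", b"HTTP/")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_tls_record(p: bytes) -> bool:
    """TLS record header: content type 20-23, version 3.x, 2-byte length."""
    return (len(p) >= 5 and p[0] in (20, 21, 22, 23) and p[1] == 3
            and p[2] <= 4 and 0 < int.from_bytes(p[3:5], "big") <= 16384 + 2048)

def classify(payload: bytes) -> str:
    """Label one captured TCP payload (first segment of a flow)."""
    if is_tls_record(payload):
        return "tls"
    if not payload.startswith(HTTP_STARTS):
        return "unknown"
    _, _, body = payload.partition(b"\r\n\r\n")
    if not body:
        return "http-cleartext"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in body) / len(body)
    # Binary bodies, or printable ones with base64-like entropy, count as opaque.
    # Heuristic only: compression looks the same, and short bodies are unreliable.
    if printable < 0.9 or entropy(body) > 5.2:
        return "http-opaque-body"
    return "http-cleartext"

def _fake_ciphertext(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n // 32 + 1))[:n]

# Constructed sample payloads, not captures from any real system.
HDR = b"POST /lookup HTTP/1.1\r\nHost: vendor.example\r\n\r\n"
SAMPLES = {
    "form": HDR + b"account=10023&name=Jane+Doe&dob=1980-01-01&query=history",
    "binary": HDR + _fake_ciphertext(256),
    "base64": HDR + base64.b64encode(_fake_ciphertext(256)),
    "tls": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + _fake_ciphertext(32),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8} -> {classify(payload)}")
```

An `http-opaque-body` result only shows the body is not readable on the wire; it says nothing about the algorithm or key handling behind it.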