[flipper35]

Am I over reacting or is it a legitimate complaint.

We have a vendor that we use to check PHI via a Java applet. Whole other ball of worms for me, but not the crux of the current issue. The issue is they communicate with the Java applet to their website to check for updates and whatever else and the web site has no certificate. It communicates via HTTP not HTTPS and Java complains that it is not secure so the vendor says just put it in the exceptions list. I tell them spend the $70 for a two years cert for their website since no part of their web is secure. It strikes me as an easy way to compromise the information behind that IP and certs are cheap.

I can create a GPO to add the exception, but I don't feel I should have to because there is no reason they should not have a cert on their site.

What say you all ye smarter than me?