Advice to CAS Clients on Use of SSL

When a web application uses CAS for authentication, the login process is handled securely. All traffic to CAS, including the login and validation requests and responses, is sent over an SSL encrypted connection. In addition to login security, applications themselves are strongly encouraged to use SSL to protect communication between the app and the end user’s web browser.
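The following is an added example, not code from CUIT or the CAS project, showing what the advice above looks like inside a CAS client: the client refuses to build a validation request unless both the CAS server URL and its own service URL are `https://`, validates the service ticket over a connection with certificate and hostname verification enabled, and parses the result. It assumes the CAS 2.0 `/serviceValidate` endpoint and its XML response format; the host names, the sample ticket and the sample responses are constructed placeholders.

```python
"""Minimal CAS client helper that enforces SSL on every CAS exchange.

Added example, not part of the CUIT advisory.  Assumes the CAS 2.0 protocol's
/serviceValidate endpoint and its XML response format.  All URLs, tickets and
sample responses below are constructed placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Namespace used by CAS 2.0 validation responses.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def require_https(url: str, label: str) -> str:
    """Reject any CAS server or service URL that is not https:// with a host."""
    parsed = urllib.parse.urlsplit(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"{label} must be an https:// URL, got {url!r}")
    return url


def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Build the CAS 2.0 serviceValidate request URL, enforcing SSL on both ends.

    The service URL is what CAS will redirect the browser back to, so it must
    be https:// as well; otherwise the ticket would travel in the clear.
    """
    require_https(cas_base, "CAS server URL")
    require_https(service, "service URL")
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query


def parse_validate_response(body: str):
    """Parse a serviceValidate response.

    Returns (True, username) on authenticationSuccess, otherwise (False, code).
    """
    root = ET.fromstring(body)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.find("cas:user", CAS_NS)
        if user is None or not (user.text or "").strip():
            return False, "MISSING_USER"
        return True, user.text.strip()
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return False, failure.get("code", "UNKNOWN")
    return False, "MALFORMED_RESPONSE"


def validate_ticket(cas_base: str, service: str, ticket: str, opener=None):
    """Validate a service ticket over HTTPS with chain and hostname checks on.

    ssl.create_default_context() verifies the server certificate against the
    system trust store and checks the hostname; nothing here disables that.
    An opener may be injected for testing.
    """
    url = build_validate_url(cas_base, service, ticket)
    if opener is None:
        ctx = ssl.create_default_context()
        opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=10) as resp:
        return parse_validate_response(resp.read().decode("utf-8"))


# Constructed sample responses in the CAS 2.0 format (not captured traffic).
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    # Offline demonstration using the constructed samples and placeholder URLs.
    print(build_validate_url("https://cas.example.edu/cas",
                             "https://app.example.edu/login", "ST-1-abc"))
    print(parse_validate_response(SAMPLE_SUCCESS))
    print(parse_validate_response(SAMPLE_FAILURE))
    try:
        build_validate_url("http://cas.example.edu/cas",
                           "https://app.example.edu/login", "ST-1-abc")
    except ValueError as exc:
        print("rejected:", exc)
```

The two URL checks are the point: a CAS client that lets either URL fall back to plain `http://` exposes the service ticket in transit, and a client that loosens the SSL context (for example to skip certificate verification against a test CAS server) loses the protection the advisory relies on.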

Web applications that contain or process personal information must be protected by SSL. This extends beyond PII (personally identifiable information) to all specific and personal information that is not in the public domain. SSL should be carefully considered for any application or website that is worth protecting with a login. Columbia has a site license for SSL Certificates and CUIT can provide certificates at no cost to you. See the Certificate Request form.

SSL may not be necessary for some applications. A resource whose use is limited to the University community but whose content is not confidential, like a library catalog or a blog, may require a login without needing SSL. Ultimately, each application owner must determine whether or not to use SSL based on the application’s data security requirements.

If a production environment must be protected by SSL, then any related test and development environments must also use SSL, unless the confidential data in them has been replaced by test data and has been thoroughly anonymized.

When in doubt, err on the side of caution and use SSL.