Skip to Main Content
HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status No Plans to Implement
Workspace Verse
Categories Verse on Premises
Created by Guest
Created on Oct 11, 2018

Allow VOP to be accessible without SSL when inside intranet.

Some customers are using iNotes as intranet mail now and they are accessing iNotes via http.

VOP currently only supports access via https and this system requirement is disturbing the extension of VOP to existing iNotes users.

Please also support that VOP is accessed via http inside intranet.

  • ADMIN RESPONSE
    Jan 17, 2019

    This is unlikely to be implemented in the near future as implementing HTTP support for VOP creates a number of security concerns.

  • Attach files
  • Guest
    Reply
    |
    Aug 6, 2019

    "Is there any problem that prevent implementing HTTPS in internal network ? If cost of certificate is an issue you can use free public certificate like Lets Encrypt." The LetsEncrypt for Notes app works great. The problem is that each app/site requires a separate static (internal or external IP). It adds complexity and overhead to Domino. Domino needs to be able to support HTTP/2 and SNI for this. See the other SNI and HTTP/2 idea requests in this site, and vote them up, as well! :-)

  • Guest
    Reply
    |
    Mar 28, 2019

    My advice is to use free but trusted SSL certificate like Let's Encrypt (Assuming your Domino version support TLS). If you have difficulties setting up the certificate, you can use the free tools called LE4D provided by Midpoint.

    Tinus Riyanto - Prisma Global Solusi

  • Guest
    Reply
    |
    Feb 5, 2019

    > 74% of all hacks are from inside. A better solution is to switch all intranets to HTTPS. We advised all our customers to do exactly that. All of my customers, beside one because they are moving away from IBM, are now totally on HTTPS Internal and externally.  And correct me if i am wrong, that's the best way to handle this: all secure.

    I agree your opinion that it's more secure to use https instead of http. The customer will agree it.

    The essence of this request is not there.

    As customer's current configuration, the customer access iNotes/Domino application via http.
    The customer want to try to use VOP without changing any other configuration except Domino.

    I want development to support that the customer access VOP via http in consideration of the customer's situation.

    Even if it's conditional support, the customer will be pleased.

  • Guest
    Reply
    |
    Feb 5, 2019

    > And, as already pointed out, most attacks are triggered internally.

    I understand that it's the risk that bad employees of the customer sniffer their network.
    However the customer cannot bring in unauthorized devices including their own private smart phone.  They cannot sniff their intranet.

  • Guest
    Reply
    |
    Feb 5, 2019

    > Some browsers (starting with Chrome) will display warnings when connecting to http without encryption, which may create support calls in the future.

    The customer is using IE11 as their standard web browser.

  • Guest
    Reply
    |
    Feb 5, 2019

    > Switching to https using a free certificate (e.g. "Let's encrypt" and automated Domino integration "LE4D") seems to look like a less troublesome future, than insisting on http.

    Is it supported to use a free certificate on VOP?

  • Guest
    Reply
    |
    Feb 5, 2019

    > Your customer KNOWS that I can read EVERY Username and EVERY Password by just reading the Traffic within the network?

    The customer has Security Access Manager (ISAM) and Domino is configured SSO with ISAM LTPA.
    Users don't login Domino directly with Username and Password.

    The customer uses VOP inside their secure private intranet. The customer doesn't use VOP on public network like internet.
    Even if the customer cannot bring in their unauthorized devices even if his/her private smart phone, the customer cannot read network traffic in fact.

  • Guest
    Reply
    |
    Feb 5, 2019

    > Please keep in mind that most browser vendors start marking HTTP sites as unsafe.

    Thank you for your advice.
    The customer I'm supporting now is still using IE11 as their standard web browser and iNotes still supports to be accessed via http.
    We want to have same support level as iNotes.

  • Guest
    Reply
    |
    Feb 5, 2019

    The customer try to use VOP in the secure intranet only. I think that IBM might as well support to use VOP in the secure environment.

  • Admin
    Thomas Hampel
    Reply
    |
    Jan 28, 2019

    I need to turn this idea down because it would be lowering security.  Please continue to vote and comment for this idea if you think this needs to be done.

  • Guest
    Reply
    |
    Nov 18, 2018

    Please keep in mind that most browser vendors start marking HTTP sites as unsafe.

    That could impose a lot of support calls for your first level support in the future if you do not implement HTTPS.

     

  • Guest
    Reply
    |
    Oct 19, 2018

    Your customer KNOWS that I can read EVERY Username and EVERY Password by just reading the Traffic within the network? So the mails of the CEO are available public to every single user in the network who knows how to sniff... Thumbs up for this...

  • Guest
    Reply
    |
    Oct 15, 2018

    Switching to https using a free certificate (e.g. "Let's encrypt" and automated Domino integration "LE4D") seems to look like a less troublesome future, than insisting on http.

    Also, when thinking about a more distant future, where HTTP/2 may be used, many implementations will not function at all without encryption.

    Some browsers (starting with Chrome) will display warnings when connecting to http without encryption, which may create support calls in the future.

    And, as already pointed out, most attacks are triggered internally.

  • Guest
    Reply
    |
    Oct 15, 2018

    Http was supported, you do not need to configure https as a must, you can try it in your testing environment.

  • Guest
    Reply
    |
    Oct 13, 2018

    Is there any problem that prevent implementing HTTPS in internal network ? If cost of certificate is an issue you can use free public certificate like Lets Encrypt.

  • Guest
    Reply
    |
    Oct 12, 2018

    74% of all hacks are from inside. A better solution is to switch all intranets to HTTPS. We advised all our customers to do exactly that. All of my customers, beside one because they are moving away from IBM, are now totally on HTTPS Internal and externally.  And correct me if i am wrong, that's the best way to handle this: all secure.