I need a second opinion on this...
I have been designing a web application for a client and the question came up about our implementation of SSL. Normally, when we are designing an app that can potentially be sending secret information about, we recommend the client use SSL. This particular client, while not opposed to using SSL over the Internet, wants her LAN users to be able to use the system without SSL to increase performance. It's part of the spec, and it's a sticking point with the client.
After adding a few legal agreements to the contract, I thought about how to determine LAN users from Internet users. My first thought is to check the user's IP address and see if it matches the private IP range she has defined for the network. Is that all I can do, or is there something else I'm missing?
This is an ASP.NET web app running on a Win2k3 box, which is not a member of any NT/AD domain. Any suggestions would be much appreciated.
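Added example, not part of the original post: one way to implement the IP-range check described above in C#, failing closed to SSL whenever the address cannot be classified. The class name `LanClassifier`, the method names and the CIDR value are hypothetical; the code is IPv4-only and assumes the server sees client connections directly.

```csharp
using System;
using System.Net;
using System.Net.Sockets;

// Added example (hypothetical names): decide from the TCP peer address
// whether a request may stay on plain HTTP or must be sent to HTTPS.
public static class LanClassifier
{
    // Constructed sample value; replace with the range the client has defined.
    private const string LanCidr = "192.168.10.0/24";

    // True when 'address' is an IPv4 address inside 'cidr' (for example "10.0.0.0/8").
    public static bool IsInCidr(string address, string cidr)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(address, out ip)) return false;
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false; // IPv4 only

        string[] parts = cidr.Split('/');
        IPAddress network;
        int prefix;
        if (parts.Length != 2 || !IPAddress.TryParse(parts[0], out network) ||
            network.AddressFamily != AddressFamily.InterNetwork ||
            !int.TryParse(parts[1], out prefix) || prefix < 0 || prefix > 32)
            throw new ArgumentException("Invalid IPv4 CIDR: " + cidr);

        // C# masks the shift count to 5 bits, so a /0 prefix needs its own case.
        uint mask = prefix == 0 ? 0u : uint.MaxValue << (32 - prefix);
        return (ToUInt32(ip) & mask) == (ToUInt32(network) & mask);
    }

    private static uint ToUInt32(IPAddress ip)
    {
        byte[] b = ip.GetAddressBytes(); // network byte order
        return ((uint)b[0] << 24) | ((uint)b[1] << 16) | ((uint)b[2] << 8) | b[3];
    }

    // peerAddress: HttpRequest.UserHostAddress (the socket peer address).
    // Client-supplied headers such as X-Forwarded-For are deliberately not consulted.
    // Returns true when the request must be redirected to HTTPS.
    public static bool MustRedirectToHttps(string peerAddress, bool isSecureConnection)
    {
        if (isSecureConnection) return false;      // already on SSL
        return !IsInCidr(peerAddress, LanCidr);    // unparseable or non-LAN: require SSL
    }
}
```

If a NAT device or reverse proxy sits in front of the server, Internet clients can arrive with an internal source address, so the check is only meaningful where the peer address is the real client address.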