Welcome to the #dominoforever Product Ideas Lab! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated jointly by the IBM & HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino page.


Allow VOP to be accessible without SSL when inside intranet.

Some customers are using iNotes as intranet mail now and they are accessing iNotes via http.

VOP currently only supports access via https and this system requirement is disturbing the extension of VOP to existing iNotes users.

Please also support that VOP is accessed via http inside intranet.

  • Avatar32.5fb70cce7410889e661286fd7f1897de Guest
  • Oct 11 2018
  • Will not implement
  • Jan 17, 2019

    Admin Response

    This is unlikely to be implemented in the near future as implementing HTTP support for VOP creates a number of security concerns.

  • Attach files
  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    October 12, 2018 10:16

    74% of all hacks are from inside. A better solution is to switch all intranets to HTTPS. We advised all our customers to do exactly that. All of my customers, beside one because they are moving away from IBM, are now totally on HTTPS Internal and externally.  And correct me if i am wrong, that's the best way to handle this: all secure.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    October 13, 2018 03:09

    Is there any problem that prevent implementing HTTPS in internal network ? If cost of certificate is an issue you can use free public certificate like Lets Encrypt.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    October 15, 2018 09:07

    Http was supported, you do not need to configure https as a must, you can try it in your testing environment.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    October 15, 2018 15:04

    Switching to https using a free certificate (e.g. "Let's encrypt" and automated Domino integration "LE4D") seems to look like a less troublesome future, than insisting on http.

    Also, when thinking about a more distant future, where HTTP/2 may be used, many implementations will not function at all without encryption.

    Some browsers (starting with Chrome) will display warnings when connecting to http without encryption, which may create support calls in the future.

    And, as already pointed out, most attacks are triggered internally.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    October 19, 2018 06:53

    Your customer KNOWS that I can read EVERY Username and EVERY Password by just reading the Traffic within the network? So the mails of the CEO are available public to every single user in the network who knows how to sniff... Thumbs up for this...

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    November 18, 2018 07:25

    Please keep in mind that most browser vendors start marking HTTP sites as unsafe.

    That could impose a lot of support calls for your first level support in the future if you do not implement HTTPS.

     

  • Admin
    Thomas Hampel commented
    28 Jan 22:37

    I need to turn this idea down because it would be lowering security.  Please continue to vote and comment for this idea if you think this needs to be done.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    05 Feb 03:38

    The customer try to use VOP in the secure intranet only. I think that IBM might as well support to use VOP in the secure environment.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    05 Feb 11:28

    > Please keep in mind that most browser vendors start marking HTTP sites as unsafe.

    Thank you for your advice.
    The customer I'm supporting now is still using IE11 as their standard web browser and iNotes still supports to be accessed via http.
    We want to have same support level as iNotes.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    05 Feb 11:42

    > Your customer KNOWS that I can read EVERY Username and EVERY Password by just reading the Traffic within the network?

    The customer has Security Access Manager (ISAM) and Domino is configured SSO with ISAM LTPA.
    Users don't login Domino directly with Username and Password.

    The customer uses VOP inside their secure private intranet. The customer doesn't use VOP on public network like internet.
    Even if the customer cannot bring in their unauthorized devices even if his/her private smart phone, the customer cannot read network traffic in fact.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    05 Feb 11:47

    > Switching to https using a free certificate (e.g. "Let's encrypt" and automated Domino integration "LE4D") seems to look like a less troublesome future, than insisting on http.

    Is it supported to use a free certificate on VOP?

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    05 Feb 11:58

    > Some browsers (starting with Chrome) will display warnings when connecting to http without encryption, which may create support calls in the future.

    The customer is using IE11 as their standard web browser.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    05 Feb 12:00

    > And, as already pointed out, most attacks are triggered internally.

    I understand that it's the risk that bad employees of the customer sniffer their network.
    However the customer cannot bring in unauthorized devices including their own private smart phone.  They cannot sniff their intranet.

  • Avatar40.8f183f721a2c86cd98fddbbe6dc46ec9
    Guest commented
    05 Feb 12:33

    > 74% of all hacks are from inside. A better solution is to switch all intranets to HTTPS. We advised all our customers to do exactly that. All of my customers, beside one because they are moving away from IBM, are now totally on HTTPS Internal and externally.  And correct me if i am wrong, that's the best way to handle this: all secure.

    I agree your opinion that it's more secure to use https instead of http. The customer will agree it.

    The essence of this request is not there.

    As customer's current configuration, the customer access iNotes/Domino application via http.
    The customer want to try to use VOP without changing any other configuration except Domino.

    I want development to support that the customer access VOP via http in consideration of the customer's situation.

    Even if it's conditional support, the customer will be pleased.