Solved

SSL and client authentication

Posted on 2014-03-21
Last Modified: 2014-03-24
Can I assume that SSL and TLS do not contain client authentication features in normal connections?

By normal, I mean other than SSL Client Authorization, where the client has an X.509 certificate unique to the client.
Question by: Anthony Lucia
2 Comments
 

Accepted Solution

by: arnold
ID: 39946933
Your second comment effectively contradicts your first.  SSL/TLS deals with encrypting a connection which requires an exchange of certificates.  The default allows for anonymous clients while the server must have a trusted certificate.  The server administrator can enable client authentication by requiring that the client use a certificate known/trusted by the server.

You can have/allow anonymous access through encrypted access, but then require the user to authenticate to the web-based application (website security, remove anonymous access), or have each page contain a mechanism requiring the user to provide credentials to establish what rights they have on the site.
 

Assisted Solution

by: btan
ID: 39946964
A default simple SSL connection is mostly only server auth, which does not need 2-way SSL auth to verify peer to peer, but it always heightens the security check with the client to ensure both ends are well authenticated. As mentioned by arnold, with a client cert, the browser has the capability to perform that.

Actually, the server is the one to demand such 2-way auth and not the client (it cannot do that); e.g. the server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message. Subsequently, after ServerHelloDone, the client responds with a Certificate message, which contains the client's certificate.

Having said that, no matter what, an SSL certificate issued by a CA to an organization and its domain/website means that a trusted third party needs to be in the client's trusted root store so as to authenticate that organization's identity. So if the browser trusts the CA (as the CA cert is inside the trusted root store), the browser now trusts that organization's identity too. The browser lets the user know that the website is secure, and the user can feel safe browsing the site and even entering their confidential information. You also will not have the warning prompt, which happens when a self-signed cert is used.

Ultimately, you use client authentication to identify and control access for users who are accessing the server, and not for anonymous users. E.g. set up specific access to a database based on the user name instead of setting up access for all anonymous users. Without client authentication, all anonymous users can only have the same level of access to the database. Client authentication takes away this restriction and allows you to specify access on an individual basis. Other use cases are not only identifying users in the database ACL, profile documents, and formulas, but also the design access lists such as view, form, and reader fields. It is specific to the granular server or eService control you need; a normal website probably will not want that, since it wants all the attention and to give the user a good (maybe not secure) experience.
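The split both answers describe (server-only authentication by default, client certificates only when the server asks for them, and the server, not the client, deciding that) can be seen directly in a TLS stack. The following Go program is an added example and is not code from the original thread or from Experts Exchange. Using only the standard library (crypto/tls, crypto/x509), it mints a constructed test CA ("Example Test CA"), a server certificate for 127.0.0.1 and a client certificate for a hypothetical user "alice", then runs four loopback handshakes. The only thing that changes between runs is the server's ClientAuth policy and whether the client happens to carry a certificate: with NoClientCert or RequestClientCert an anonymous client is accepted and the server sees no peer identity (so any user-level access control has to happen in the application, as arnold says); with RequireAndVerifyClientCert the same anonymous client is rejected, and a client presenting a certificate chained to the server's ClientCAs is authenticated as "alice" (btan's CertificateRequest path).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

var serial int64 // serial counter for the constructed certificates minted below

// issue mints a P-256 certificate for cn. parent == nil yields a self-signed CA
// (our constructed "Example Test CA"); otherwise the leaf is signed by parent/parentKey.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA: sign the template with its own key
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// PKI is the constructed trust setup: one CA, a server leaf for 127.0.0.1 and a client leaf "alice".
type PKI struct {
	CA             *x509.Certificate
	Server, Client tls.Certificate
}

func NewPKI() PKI {
	ca, caKey := issue("Example Test CA", nil, nil)
	srv, srvKey := issue("127.0.0.1", ca, caKey)
	cli, cliKey := issue("alice", ca, caKey) // hypothetical end user
	return PKI{CA: ca,
		Server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey, Leaf: srv},
		Client: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey, Leaf: cli}}
}

// Handshake runs one TLS session over loopback. The SERVER picks the policy; the
// client either presents p.Client or nothing. The server writes back the CN it
// authenticated ("anonymous" if no client cert was verified) and the client returns it.
func Handshake(p PKI, policy tls.ClientAuthType, withClientCert bool) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(p.CA)
	srvConf := &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientAuth:   policy, // NoClientCert / RequestClientCert / RequireAndVerifyClientCert
		ClientCAs:    pool,   // CAs the server trusts to vouch for clients
		MinVersion:   tls.VersionTLS12,
	}
	cliConf := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	if withClientCert {
		cliConf.Certificates = []tls.Certificate{p.Client} // offered only if the server asks
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvConf)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return // policy violated; Go has already sent the fatal alert to the client
		}
		who := "anonymous"
		if pc := tc.ConnectionState().PeerCertificates; len(pc) > 0 {
			who = pc[0].Subject.CommonName
		}
		fmt.Fprint(tc, who)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliConf)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// In TLS 1.3 a client-cert rejection surfaces on the first read, not at Dial.
	reply, err := io.ReadAll(conn)
	if err != nil {
		return "", err
	}
	return string(reply), nil
}

func main() {
	p := NewPKI()
	for _, c := range []struct {
		name   string
		policy tls.ClientAuthType
		cert   bool
	}{
		{"NoClientCert, anonymous client", tls.NoClientCert, false},
		{"RequestClientCert, anonymous client", tls.RequestClientCert, false},
		{"RequireAndVerifyClientCert, anonymous client", tls.RequireAndVerifyClientCert, false},
		{"RequireAndVerifyClientCert, client presents alice", tls.RequireAndVerifyClientCert, true},
	} {
		who, err := Handshake(p, c.policy, c.cert)
		fmt.Printf("%-50s -> peer=%q err=%v\n", c.name, who, err)
	}
}
```

Two details are worth noting when reusing this shape. First, the policy lives entirely in the server's tls.Config; a client that sets Certificates merely offers them if a CertificateRequest arrives, which is why the same anonymous client succeeds under NoClientCert and fails under RequireAndVerifyClientCert. Second, the read after tls.Dial is deliberate: under TLS 1.3 the client finishes its side of the handshake before the server has evaluated the client certificate, so the rejection alert is only observed on the first read or write.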
