Solved

SSL and client authentication

Posted on 2014-03-21
2
508 Views
Last Modified: 2014-03-24
Can I assume that SSL and TLS do not contain client authentication features in normal connections  ???

By normal, I mean other than SSL Client Authroization where the client has a X.509 certificate unique to the client
0
Comment
Question by:Anthony Lucia
2 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 250 total points
ID: 39946933
Your second comment effectively contradicts your first.  SSL/TLS deals with encrypting a connection which requires an exchange of certificates.  The default allows for anonymous clients while the server must have a trusted certificate.  The server administrator can enable client authentication by requiring that the client use a certificate known/trusted by the server.

You can have/allow anonymous access through encrypted access, but then requiring the user authenticate into the web based application (website security, remove anonymous access) or have each page contain a mechanism requiring the user provide credentials to establish what rights they have on the site.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 39946964
default simple SSL connection is mostly only server auth which does not need 2 way SSL auth to verify peer to peer, but it is always to heighten the security check with client to ensure it both end are well authenticated. As mentioned by arnold, with client cert, the browser has the capability to perform that.

Actually the server is the one to demand such 2 way and not the client (it cannot do that) e.g. the server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message. Subsequently, after server"Hellodone", the client responds with a Certificate message, which contains the client's certificate.

Having said that no matter what, an SSL Certificate issued by a CA to an organization and its domain/website verifies that a trusted third party need to be in client trusted root store so as to authenticate that organization’s identity. So if the browser trusts the CA (as the CA cert is inside the trusted root store, the browser now trusts that organization’s identity too. The browser lets the user know that the website is secure, and the user can feel safe browsing the site and even entering their confidential information. You also will not have the warning prompt - this happened inclusive if self signed cert is used.

Ultimately, you use client authentication to identify and control access for users who are accessing the server, and not into the Anonymous users. E.g. set up specific access to a database based on the user name instead of setting up access for all Anonymous users. Without client authentication, all anonymous users can only have the same level of access to the database. Client authentication takes away this restriction and allows you to specify access on an individual basis. Other use case not only for identifying users in the database ACL, profile documents, and formulas, but also the design access lists such as view, form, and reader fields. It is specific to the server or eService granular control you need, normal website probably will not want that since it wants all the attention and have user a good (may not be secure) experience
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question