SSL and client authentication

Posted on 2014-03-21
Last Modified: 2014-03-24
Can I assume that SSL and TLS do not contain client authentication features in normal connections?

By normal, I mean other than SSL Client Authorization, where the client has an X.509 certificate unique to the client.
Question by:Anthony Lucia
2 Comments
 
LVL 80

Accepted Solution

by: arnold (earned 1000 total points)
ID: 39946933
Your second comment effectively contradicts your first.  SSL/TLS deals with encrypting a connection which requires an exchange of certificates.  The default allows for anonymous clients while the server must have a trusted certificate.  The server administrator can enable client authentication by requiring that the client use a certificate known/trusted by the server.

You can have/allow anonymous access through encrypted access, but then require the user to authenticate to the web-based application (website security, remove anonymous access), or have each page contain a mechanism requiring the user to provide credentials to establish what rights they have on the site.
Assisted Solution

by: btan (earned 1000 total points)
ID: 39946964
A default, simple SSL connection is mostly server auth only, which does not need 2-way SSL auth to verify peer to peer, but it is always possible to heighten the security check with the client to ensure both ends are well authenticated. As mentioned by arnold, with a client cert the browser has the capability to perform that.

Actually, the server is the one to demand such 2-way auth and not the client (it cannot do that): e.g. the server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message. Subsequently, after ServerHelloDone, the client responds with a Certificate message, which contains the client's certificate.

Having said that, no matter what, an SSL certificate issued by a CA to an organization and its domain/website means that a trusted third party needs to be in the client's trusted root store so as to authenticate that organization's identity. So if the browser trusts the CA (as the CA cert is inside the trusted root store), the browser now trusts that organization's identity too. The browser lets the user know that the website is secure, and the user can feel safe browsing the site and even entering their confidential information. You also will not have the warning prompt; that one happens when a self-signed cert is used.

Ultimately, you use client authentication to identify and control access for the users who are accessing the server, rather than treating them as Anonymous users. E.g. set up specific access to a database based on the user name instead of setting up access for all Anonymous users. Without client authentication, all anonymous users can only have the same level of access to the database. Client authentication takes away this restriction and allows you to specify access on an individual basis. Other use cases are not only identifying users in the database ACL, profile documents, and formulas, but also the design access lists such as view, form, and reader fields. It is specific to the granular control you need on the server or eService; a normal website probably will not want that, since it wants all the attention and wants to give the user a good (maybe not secure) experience.
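Both answers above describe the same mechanism: by default only the server presents a certificate and the client stays anonymous, and the server administrator turns on client authentication by having the server send a CertificateRequest and verify the client's Certificate against a trust store the server controls. The Go program below is an added example written for this page; it is not code from either answer. It mints throwaway self-signed identities (the names "server", "alice" and "mallory", the localhost SAN and the scenario labels are all constructed for the example), runs four handshakes over loopback TCP with Go's standard crypto/tls package, and reports what each side saw: a server with the default ClientAuth accepts an anonymous client; a server with RequireAndVerifyClientCert rejects an anonymous client; it accepts a client whose certificate is in its ClientCAs pool and learns that client's identity from the verified certificate; and it rejects a client whose certificate is not in that pool. TLS 1.2 is pinned so the exchange is the one btan describes (CertificateRequest, ServerHelloDone, then the client's Certificate) and a rejected client certificate fails the handshake on both ends. One caveat worth knowing: Go's client only offers a certificate whose issuer appears in the CA list carried by the server's CertificateRequest, so in the last scenario mallory's certificate is never sent and the server rejects the empty Certificate message instead; from the server's point of view the result is the same, an untrusted client does not get a connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate for cn: a constructed test identity, not a
// CA-issued cert, usable as server or client cert. Like a test fixture, it panics on failure.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"localhost"}, // the SAN a client will be told to expect
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der came straight from CreateCertificate, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Outcome is what each side of one handshake reported.
type Outcome struct {
	ServerErr, ClientErr error
	PeerCN               string // CN of the client cert the server verified; "" when the client stayed anonymous
}

// handshake runs one TLS handshake over loopback TCP and returns what each side saw.
func handshake(serverCfg, clientCfg *tls.Config) Outcome {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan Outcome, 1)
	go func() {
		raw, err := ln.Accept()
		o := Outcome{ServerErr: err}
		if err == nil {
			srv := tls.Server(raw, serverCfg)
			o.ServerErr = srv.Handshake()
			if pc := srv.ConnectionState().PeerCertificates; o.ServerErr == nil && len(pc) > 0 {
				o.PeerCN = pc[0].Subject.CommonName // identity the application can now authorize against
			}
			srv.Close()
		}
		done <- o
	}()
	cli, clientErr := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial runs the client handshake
	if clientErr == nil {
		cli.Close()
	}
	o := <-done
	o.ClientErr = clientErr
	return o
}

// Demo runs the four combinations the thread discusses and returns each outcome by scenario name.
func Demo() map[string]Outcome {
	server, alice, mallory := selfSigned("server"), selfSigned("alice"), selfSigned("mallory")
	serverPool, clientPool := x509.NewCertPool(), x509.NewCertPool()
	serverPool.AddCert(server.Leaf) // what clients trust
	clientPool.AddCert(alice.Leaf)  // what the server trusts: alice, not mallory
	// TLS 1.2 is pinned so the flow is CertificateRequest, ServerHelloDone, client Certificate, and a
	// rejected client certificate fails the handshake on both ends rather than after the client's Finished.
	anon := &tls.Config{RootCAs: serverPool, ServerName: "localhost", MaxVersion: tls.VersionTLS12}
	asAlice, asMallory := anon.Clone(), anon.Clone()
	asAlice.Certificates, asMallory.Certificates = []tls.Certificate{alice}, []tls.Certificate{mallory}
	// Default: the server proves itself, the client stays anonymous (ClientAuth is NoClientCert).
	serverOnly := &tls.Config{Certificates: []tls.Certificate{server}, MaxVersion: tls.VersionTLS12}
	// Mutual: the server demands a client certificate and verifies it against ClientCAs.
	mutual := &tls.Config{Certificates: []tls.Certificate{server}, MaxVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientPool}
	return map[string]Outcome{
		"server-auth only, anonymous client": handshake(serverOnly, anon),
		"mutual, anonymous client":           handshake(mutual, anon),
		"mutual, trusted client cert":        handshake(mutual, asAlice),
		"mutual, untrusted client cert":      handshake(mutual, asMallory),
	}
}

func main() {
	for name, o := range Demo() {
		fmt.Printf("%-36s server=%v client=%v peerCN=%q\n", name, o.ServerErr, o.ClientErr, o.PeerCN)
	}
}
```

Save it as main.go and run it with go run; it needs no network beyond 127.0.0.1 and no external packages. The PeerCN field is the practical payoff of btan's last paragraph: once the server has verified the client's certificate, the subject of that certificate is an authenticated identity the application can use for per-user authorization instead of treating every caller as Anonymous. Note that the trust decision is entirely the server's: it chooses whether to send CertificateRequest at all (ClientAuth) and which issuers it will accept (ClientCAs), and the client cannot force mutual authentication on a server that did not ask for it.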