Solved

SSL and client authentication

Posted on 2014-03-21
Last Modified: 2014-03-24
Can I assume that SSL and TLS do not contain client authentication features in normal connections?

By normal, I mean other than SSL Client Authorization, where the client has an X.509 certificate unique to the client.
Question by: Anthony Lucia
2 Comments
 
LVL 79

Accepted Solution

by:
arnold earned 1000 total points
ID: 39946933
Your second comment effectively contradicts your first. SSL/TLS deals with encrypting a connection, which requires an exchange of certificates. The default allows for anonymous clients, while the server must have a trusted certificate. The server administrator can enable client authentication by requiring that the client use a certificate known to/trusted by the server.

You can have/allow anonymous access through encrypted access, but then require the user to authenticate to the web-based application (website security: remove anonymous access), or have each page contain a mechanism requiring the user to provide credentials to establish what rights they have on the site.
LVL 64

Assisted Solution

by: btan
btan earned 1000 total points
ID: 39946964
A default simple SSL connection is mostly only server auth, which does not need two-way SSL auth to verify peer to peer, but it is always possible to heighten the security check with the client so as to ensure both ends are well authenticated. As mentioned by arnold, with a client cert, the browser has the capability to perform that.

Actually, the server is the one to demand such two-way auth, and not the client (it cannot do that): e.g. the server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message. Subsequently, after ServerHelloDone, the client responds with a Certificate message, which contains the client's certificate.

Having said that, no matter what, an SSL certificate issued by a CA to an organization and its domain/website means that a trusted third party needs to be in the client's trusted root store so as to authenticate that organization's identity. So if the browser trusts the CA (as the CA cert is inside the trusted root store), the browser now trusts that organization's identity too. The browser lets the user know that the website is secure, and the user can feel safe browsing the site and even entering their confidential information. You also will not have the warning prompt; that happens, for instance, when a self-signed cert is used.

Ultimately, you use client authentication to identify and control access for users who are accessing the server, rather than for anonymous users. E.g. set up specific access to a database based on the user name instead of setting up access for all anonymous users. Without client authentication, all anonymous users can only have the same level of access to the database. Client authentication takes away this restriction and allows you to specify access on an individual basis. Other use cases are not only identifying users in the database ACL, profile documents, and formulas, but also the design access lists such as view, form, and reader fields. It is specific to the granular control you need on the server or eService; a normal website probably will not want that, since it wants all the attention and wants the user to have a good (maybe not secure) experience.
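The two answers above describe the same mechanism from two angles: arnold's point that the server administrator is the one who turns client authentication on, and btan's point that only the server can demand it, by sending CertificateRequest, after which the client answers with its own Certificate message. The Go program below is an added, self-contained example, not code from the thread or from either answerer. It builds a throwaway CA in memory, issues a server certificate for the hypothetical name server.example and a client certificate with CommonName alice (all constructed here, not real identities), then runs four handshakes over loopback TCP and reports what the server saw in each case. Go's crypto/tls is used only because it needs no external tooling; the handshake messages involved are the ones btan names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // everything here is generated locally, so an error is a bug, not bad input
	}
}
// newCert issues a 24-hour certificate for name signed by parent; with parent nil it is a self-signed root CA.
func newCert(name string, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a throwaway PKI
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the name a client checks against its ServerName
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // the root signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// outcome is the server's view of one connection: peer is the CommonName it verified ("" if anonymous), err is nil if accepted.
type outcome struct{ peer string; err error }
func handshake(serverCfg, clientCfg *tls.Config) outcome {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	done := make(chan outcome, 1)
	go func() { // server side: its Handshake alone decides whether the client is acceptable
		raw, err := ln.Accept()
		check(err)
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(3 * time.Second))
		srv := tls.Server(raw, serverCfg)
		o := outcome{err: srv.Handshake()}
		if certs := srv.ConnectionState().PeerCertificates; o.err == nil && len(certs) > 0 {
			o.peer = certs[0].Subject.CommonName
		}
		done <- o
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(3 * time.Second))
	// TLS 1.3: the client's Handshake returns once its Finished is sent, before the server has checked any client certificate.
	err = tls.Client(raw, clientCfg).Handshake()
	o := <-done // so the verdict is taken from the server side
	if o.err == nil {
		o.err = err // only non-nil if the client itself refused the server
	}
	return o
}

// scenarios builds a throwaway CA, server and client certificate (constructed names) and runs the four combinations the thread discusses.
func scenarios() map[string]outcome {
	ca, caTLS := newCert("ca.example", nil, nil)
	_, srvTLS := newCert("server.example", ca, caTLS.PrivateKey)
	_, cliTLS := newCert("alice", ca, caTLS.PrivateKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	// Default one-way TLS: the server proves its identity, the client stays anonymous.
	oneWay := &tls.Config{Certificates: []tls.Certificate{srvTLS}, ClientAuth: tls.NoClientCert}
	// Mutual TLS: the server sends CertificateRequest and rejects clients not issued by a CA in ClientCAs.
	mutual := &tls.Config{Certificates: []tls.Certificate{srvTLS}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	anon := &tls.Config{RootCAs: pool, ServerName: "server.example"}
	withCert := &tls.Config{RootCAs: pool, ServerName: "server.example", Certificates: []tls.Certificate{cliTLS}}
	return map[string]outcome{
		"one-way, anonymous client":   handshake(oneWay, anon),
		"one-way, client offers cert": handshake(oneWay, withCert), // never requested, so never sent
		"mutual, anonymous client":    handshake(mutual, anon),
		"mutual, client with cert":    handshake(mutual, withCert),
	}
}

func main() {
	for name, o := range scenarios() {
		fmt.Printf("%-28s peer=%-8q err=%v\n", name, o.peer, o.err)
	}
}
```

Run it with `go run`. Both one-way cases are accepted with an empty peer: a client that holds a certificate still stays anonymous, because nothing asked for it, which is the "the client cannot do that" point. The mutual case without a certificate fails on the server with an error such as "tls: client didn't provide a certificate", and the mutual case with a certificate is accepted with peer alice, the verified identity a server can then feed into the per-user access control both answers mention. The one caveat the code has to work around is that under TLS 1.3 the client's Handshake returns before the server has verified the client certificate, so a rejection is only visible on the server side or on the client's next read.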
