Solved

SSL and client authentication

Posted on 2014-03-21
2
506 Views
Last Modified: 2014-03-24
Can I assume that SSL and TLS do not contain client authentication features in normal connections  ???

By normal, I mean other than SSL Client Authroization where the client has a X.509 certificate unique to the client
0
Comment
Question by:Anthony Lucia
2 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 250 total points
ID: 39946933
Your second comment effectively contradicts your first.  SSL/TLS deals with encrypting a connection which requires an exchange of certificates.  The default allows for anonymous clients while the server must have a trusted certificate.  The server administrator can enable client authentication by requiring that the client use a certificate known/trusted by the server.

You can have/allow anonymous access through encrypted access, but then requiring the user authenticate into the web based application (website security, remove anonymous access) or have each page contain a mechanism requiring the user provide credentials to establish what rights they have on the site.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 39946964
default simple SSL connection is mostly only server auth which does not need 2 way SSL auth to verify peer to peer, but it is always to heighten the security check with client to ensure it both end are well authenticated. As mentioned by arnold, with client cert, the browser has the capability to perform that.

Actually the server is the one to demand such 2 way and not the client (it cannot do that) e.g. the server requests a certificate from the client, so that the connection can be mutually authenticated, using a CertificateRequest message. Subsequently, after server"Hellodone", the client responds with a Certificate message, which contains the client's certificate.

Having said that no matter what, an SSL Certificate issued by a CA to an organization and its domain/website verifies that a trusted third party need to be in client trusted root store so as to authenticate that organization’s identity. So if the browser trusts the CA (as the CA cert is inside the trusted root store, the browser now trusts that organization’s identity too. The browser lets the user know that the website is secure, and the user can feel safe browsing the site and even entering their confidential information. You also will not have the warning prompt - this happened inclusive if self signed cert is used.

Ultimately, you use client authentication to identify and control access for users who are accessing the server, and not into the Anonymous users. E.g. set up specific access to a database based on the user name instead of setting up access for all Anonymous users. Without client authentication, all anonymous users can only have the same level of access to the database. Client authentication takes away this restriction and allows you to specify access on an individual basis. Other use case not only for identifying users in the database ACL, profile documents, and formulas, but also the design access lists such as view, form, and reader fields. It is specific to the server or eService granular control you need, normal website probably will not want that since it wants all the attention and have user a good (may not be secure) experience
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Enterprise Password Manager Suites as well as Local Password managers are covered in this article.
Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question