  1. #1
    New Coder

    Client Side Certificates

    Hi,

    I am developing a web site for which I need to use client-side authentication by way of certificates to validate registered users of the site. I was just wondering if anyone is doing this, and if so, how have they deployed the certificates to the clients? I was thinking of secure e-mail for the certificate, and then sending the password to the certificate via secure text message. If I implement that approach I will have to generate the certificates on the fly, as it were -> PHP calls a shell script containing openssl commands. I think there are probably security implications to that approach, as you are blindly signing certificates. I can't think of any other way to do it. If I was to generate the certs "offline", as it were, I think that might render the whole thing unusable, and I would have to be available 24/7 to generate the certificates.

    Any ideas greatly appreciated.

    /jlar

  • #2
    Regular Coder
    What are you talking about? Do you mean something to say this user is real, other than a login?

  • #3
    New Coder
    Ok, so when the user enters their user name and password, the site will ask them to supply a certificate to validate their identity. If they don't have a certificate then no dice. It ties the user to the machine, and ensures that no one can log on with that user name and password even if they get hold of it somehow. User name and password is fine, but certificates offer a higher level of authentication. It ensures that you are who you say you are. In Firefox the certificate would be found in: Tools -> Options -> Advanced -> Encryption -> View Certificates -> Your Certificates. All users of the site would have to have a certificate supplied by the web site stored here. It is similar to what banks use to authenticate clients on online banking web sites.

  • #4
    Regular Coder
    I don't think there is anything on the client side for that, minus ActiveX, and you don't want to do that. You could compare IP addresses, but that's a no for those who don't have a static IP (dial-up, some forms of ADSL/DSL).

    Perhaps you should check this out:
    Wish it were two

    forum filter software is crappy: here's the link broken up so you can actually see it:
    http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx


  • #5
    Senior Coder djm0219
    Quote Originally Posted by eeijlar
    It is similar to what banks use to authenticate clients on online banking web sites.
    I've never seen a bank use a client certificate for authentication. What you describe is, essentially, a public key infrastructure (PKI) and it is not a road you want to travel.

    The certificates in the browser are used to establish trust for sites using SSL, not for client authentication of any sort. The CA (Certificate Authority) at the root of the certificates supplied with browsers is what confirms that a site is in fact legitimate. It has nothing to do with the user behind the browser.
    Dave .... HostMonster for all of your hosting needs

  • #6
    New Coder
    Hi,

    Thanks for your reply. I am not going with two-factor so!!! That's why certificates seem to be better if a little bit cumbersome.

    /jlar

  • #7
    Regular Coder
    You don't understand; certificates are two-factor authentication. You could possibly use a cookie, but if the user has cookies turned off, or deletes them, they wouldn't be able to log in again.

    Honestly, I would not use a web application that forced me to use one computer and one computer only. I use anywhere from 3-5 computers a day and I need to be able to access everything from each of them. Could you explain why you think you need this type of security?

  • #8
    Senior Coder djm0219
    In addition to what malfist said, what would compel me, as a client, to trust your certificate, let alone install it? How are you going to handle the calls for help when people have no clue at all what to do with a certificate? And what is a "secure text method" that you mentioned in your first post? I don't have anything that accepts a text method and there are other people that won't either.

  • #9
    New Coder
    Quote Originally Posted by djm0219
    I've never seen a bank use a client certificate for authentication. What you describe is, essentially, a public key infrastructure (PKI) and it is not a road you want to travel.

    The certificates in the browser are used to establish trust for sites using SSL, not for client authentication of any sort. The CA (Certificate Authority) at the root of the certificates supplied with browsers is what confirms that a site is in fact legitimate. It has nothing to do with the user behind the browser.
    Hi Dave,

    Ok, just so we are clear, this is what I am trying to implement:

    Server Side Verification
    When you log on to certain sites you will see a little padlock on the right hand side of the screen. This means that the web site has been authenticated by a third party such as VeriSign or Thawte. So basically, VeriSign has verified that this web site is who it says it is, and not some dummy site. This bit is straightforward: you just buy a cert from Thawte.

    Client Side Verification
    This is where the web site creates a signed certificate for the client. This is a .p12 file issued to the client via a secure e-mail or some other method. When the client imports the certificate to their browser they will be asked for a password which was added to the cert when it was signed. When they have successfully imported the cert they can access the web site, as it can successfully verify that they are who they say they are.

    Is this the public key infrastructure you were referring to? It doesn't seem that complicated. I have already created client certs.
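
    The issue-and-verify flow jlar describes above (site CA signs a per-user cert, packages it as a password-protected .p12, server checks the presented cert chains to that CA), as an added shell example that is not code from this thread. It assumes openssl is on PATH; the CA name, user name, password and working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the OP's code). Issues a client certificate signed by the
# site's own CA, bundles it as a password-protected .p12, and verifies it the way
# the web server would. Assumes openssl on PATH; all names here are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Site CA, created once and kept off the web server (only ca.crt is deployed
#    there). The OP's "blindly signing" concern is exactly about where ca.key lives.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Counselling Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Issue a cert for one registered user and export it as PKCS#12.
#    $1 = username (cert CN), $2 = export password sent to the user out of band.
issue_client() {
    user="$1"; pass="$2"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -out "$WORK/$user.crt" 2>/dev/null
    # Bundle only the user's key+cert plus the CA cert; the CA key never leaves.
    openssl pkcs12 -export -inkey "$WORK/$user.key" -in "$WORK/$user.crt" \
        -certfile "$WORK/ca.crt" -name "$user" -passout "pass:$pass" \
        -out "$WORK/$user.p12"
}

# 3. Server-side check: does the presented cert ($1) chain to our CA?
#    Exit 0 = accepted; a self-signed or foreign-CA cert is rejected.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# 4. Client-side check: does the .p12 ($1) open with the password ($2) the user
#    was given? The MAC check fails on a wrong password.
check_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout 2>/dev/null
}

# Demo run: build the CA, issue one user's bundle and confirm it is accepted.
make_ca
issue_client alice 'correct horse battery'
verify_client "$WORK/alice.crt" && echo "alice.crt accepted; bundle at $WORK/alice.p12"
```

Revocation, which djm0219 raises below, is not covered here: a server that only runs `openssl verify` against the CA cert will keep accepting a cert until it expires unless a CRL is also checked.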

  • #10
    Senior Coder djm0219
    Yes, that's a very simplistic view of what a PKI is. The second point that malfist raised is just one of the stumbling blocks to implementing what you want to do. The other problems you are likely to face are massive user confusion and lack of understanding/acceptance.

    On your side of things, managing revocation of certificates and preventing the client certificates from being "shared" are other considerations. Unless you are on an Intranet of some sort where policy may be used to try and enforce what you are trying to do, I can't imagine the general public understanding it or using it.

    I have to ask what it is that is so critical that you believe this type of authentication is required?

  • #11
    New Coder
    Quote Originally Posted by djm0219
    In addition to what malfist said, what would compel me, as a client, to trust your certificate, let alone install it? How are you going to handle the calls for help when people have no clue at all what to do with a certificate? And what is a "secure text method" that you mentioned in your first post? I don't have anything that accepts a text method and there are other people that won't either.
    Secure SMS message is what I meant... we call them text messages over here

  • #12
    Senior Coder djm0219
    You assume that everyone can receive such things (I can't).

    I'm not trying to rain on your parade/idea, but I worked on a PKI for a corporation with over 300,000 people on a controlled intranet, and after over a year we concluded that a) it wasn't worth it in the end (mainly because of additional support costs and the cost of creating trusted certificates), b) it would be far too confusing for the end users, c) there wasn't going to be an easy way to handle revocation lists, and d) having end users move to a different system, which is going to happen to everyone at some point, took us right back to problems a, b and c.

  • #13
    New Coder
    Hi,

    Thanks for all the replies. It's an online counselling application. The whole basis of the application is that all communications are secure. I am implementing it with some people who work in the mental health profession. One of the problems that they have encountered in similar efforts is being unable to identify that the person they are talking to is who they say they are. If this site had 150 clients it would be deemed very successful.

    /jlar

  • #14
    Regular Coder
    Then you should seriously look into two-factor security. Seriously, if you're in the USA, you have to deal with HIPAA laws and the only way to cover your tracks is to use two-factor security.

  • #15
    New Coder
    Do you not think certificates offer an even higher level of security than e.g. 'What's your dog's name?', if you could find a usable way of implementing them?

    I know your experience suggests that you cannot...

    /jlar
