Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Secure web site access and PKI Certs

from [Rodrigo Blanco] Network Security [Permanent Link]
Subject: Re: Secure web site access and PKI Certs
Date: Fri, 29 Apr 2005 09:43:09 +0200 
But I should have thought that if the PKCS12 certificate is password
protected, then it would still ask for the export password each time
you make use of it, wouldn't it?

So even if you gain access to the desktop, you would still be unable
to make use of the cert for client auth or any other purpose, makng
the web access impossible.

Hope this helps,
Rodrigo.

On 4/28/05, Justin Roysdon <justin@roysdon.net> wrote:

Last I checked, if someone has local access to your system, then it's not
very difficult to change your password (with a boot disk) and then proceed
to login as your user.  It sounds like a poor way to authenticate.
The benefit of the seperate authentication is lost.

Crypto Geek


---------- Original Message -----------
From: "Keenan Smith" <kc_smith@clark.net>
To: <security-basics@securityfocus.com>
Sent: Wed, 27 Apr 2005 11:12:02 -0400
Subject: Secure web site access and PKI Certs


All,

I have access to a secure web site.  It used to require a PKI Cert to
identify the user and then a standard username/password login to
authenticate.

Recently a change was made to the site that allows the supplying of a
PKI Subject CN Fragment to a user "profile" on the site.  In this
case, the certificate not only identifies the user but authenticates
as well.

The end result is an "auto-login" feature that in effect, keeps me
logged in all the time.  Anybody sitting at my machine and logged in
as me (Windows XP) can access the web site as me.

At first glance this seems like it's a reasonable way to accomplish a
secure access to the web site.  Installing the certificate as me
ties it to my profile and makes it unavailable to other users on my
machine and since the use of the certificate requires a user to
login as me, it moves the authentication piece from the web site to
the Windows domain.

This seems to some extent like "security through obscurity" and also
substituting convenience for security, an all-to-common problem.

Since it's my security-cleared neck on the line, I'd rather be too
concerned rather than not concerned enough.

So I'm asking the collective wisdom of the list to consider.  Is
PKI's single sign-on capability reasonable?  Is this implementation

adequate?

Thoughts?  Opinions?  Critiques?

Thanks
Keenan Smith

------- End of Original Message -------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  BIND: securing a dns server? - pharming, rmruiz
Next by Date:  Re: File Integrity / IDS, Anthony J Placilla
Previous by Thread:  Re: Secure web site access and PKI Certs, Justin Roysdon
Next by Thread:  RE: Secure web site access and PKI Certs, Keenan Smith
Indexes:  [Date] [Thread] [Top] [All Lists]