Re: Secure web site access and PKI Certs
From: Scott Schwendinger (swschwen_at_yahoo.com)
Date: 04/27/05
- Previous message: Gabriel Orozco: "Re: how to block ALL AIM traffic ?"
- Next in thread: Robert Hines: "RE: Secure web site access and PKI Certs"
- Reply: Robert Hines: "RE: Secure web site access and PKI Certs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Apr 2005 14:38:05 -0700 (PDT)
To: Keenan Smith <kc_smith@clark.net>, security-basics@securityfocus.com
Keenan,
If the PKI certificate is installed on the local machine with the "Enable Strong Private Key Protection..." checked, a password will be required each time the certificate is used. This will provide additional security for Single Sign On to PKI enabled web sites.
--- Keenan Smith <kc_smith@clark.net> wrote:
> All,
>
> I have access to a secure web site. It used to require a PKI Cert to identify the user and then a standard username/password login to authenticate.
>
> Recently a change was made to the site that allows the supplying of a PKI Subject CN Fragment to a user "profile" on the site. In this case, the certificate not only identifies the user but authenticates as well.
>
> The end result is an "auto-login" feature that, in effect, keeps me logged in all the time. Anybody sitting at my machine and logged in as me (Windows XP) can access the web site as me.
>
> At first glance this seems like it's a reasonable way to accomplish secure access to the web site. Installing the certificate as me ties it to my profile and makes it unavailable to other users on my machine, and since the use of the certificate requires a user to login as me, it moves the authentication piece from the web site to the Windows domain.
>
> This seems to some extent like "security through obscurity" and also substituting convenience for security, an all-too-common problem.
>
> Since it's my security-cleared neck on the line, I'd rather be too concerned than not concerned enough.
>
> So I'm asking the collective wisdom of the list to consider. Is PKI's single sign-on capability reasonable? Is this implementation adequate? Thoughts? Opinions? Critiques?
>
> Thanks
> Keenan Smith