Re: Stronger password based HTTP client authentication?

From: Zoltan Glozik (zglozik@s_t_o_n_e_s.com)
Date: 05/03/02


From: "Zoltan Glozik" <zglozik@s_t_o_n_e_s.com>
Date: Fri, 3 May 2002 09:25:32 +0100

Hi,

"John Elsbury" <johne@sovereign.co.nz> wrote in message
news:3cd1d3bf.14373618@news.clear.net.nz...
> On Thu, 2 May 2002 09:56:20 +0100, "Zoltan Glozik"
> <zglozik@s_t_o_n_e_s.com> wrote:
>...
> Am I missing something here? I thought that SSL is designed for
> e-commerce - IOW it provides the "customer" with some assurance that
> the web-site is (more or less) legitimate, and (once the
> certificate-based handshake is complete) it ensures that traffic
> flowing both ways is encrypted... thus protecting passwords, credit
> card, and other sensitive information.
>
> That is as far as the SSL authentication goes. It is, surely, up to
> the person requiring "inbound" authentication (typically the merchant
> / site owner) to handle successful and unsuccessful authentication
> attempts.

Well, SSL is able to authenticate the clients, too, with client X.509
certificates, which is supposed to be a strong authentication mechanism, but
it is not always feasible to distribute certificates to clients. Sometimes a
login/password is more practical.

>
> If the authentication process gives access to local resources and
> incorporates a login and password, then whatever process is running on
> the "connectee" end should be able to log failed attempts, maintain
> counts, disable an account in the event of more than a specified
> number of consecutive failures, and so on in the usual way. It is
> (probably) also possible to set cookies at the remote end indicating
> the times of the most recent "n" failed login attempts, although it
> wouldn't be safe to rely on these.

Yes, the server side should be able to log the failed client authentication
attempts and disable the account if necessary. That's what I am looking for,
a solution for Apache that supports this feature out of the box...

Regards,
Zoltan
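The server-side bookkeeping described above (log each failed attempt, keep a per-account count, disable the account after a set number of consecutive failures, reset on success), as an added Python example; this is not code from the thread and not an Apache module, and the event line format it parses is constructed for the example rather than taken from any real Apache log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample feed (not real Apache output): one authentication
# attempt per line, in the shape a front-end auth hook or log shipper
# could be made to emit.
SAMPLE_EVENTS = """\
2002-05-03T09:00:01 user=alice result=fail client=192.0.2.10
2002-05-03T09:00:05 user=alice result=fail client=192.0.2.10
2002-05-03T09:00:09 user=alice result=ok client=192.0.2.10
2002-05-03T09:01:00 user=bob result=fail client=198.51.100.7
2002-05-03T09:01:02 user=bob result=fail client=198.51.100.7
2002-05-03T09:01:04 user=bob result=fail client=198.51.100.7
2002-05-03T09:01:06 user=bob result=fail client=198.51.100.7
2002-05-03T09:01:08 user=bob result=fail client=198.51.100.7
2002-05-03T09:02:00 user=bob result=ok client=198.51.100.7
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) client=(?P<client>\S+)$"
)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    disabled: bool = False
    history: List[str] = field(default_factory=list)  # per-account audit trail


class LockoutPolicy:
    """Disables an account after `max_failures` consecutive failed logins."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_disabled(self, user: str) -> bool:
        return self._state(user).disabled

    def record_failure(self, user: str, when: str, client: str) -> bool:
        """Log a failed attempt; returns True if the account is now disabled."""
        s = self._state(user)
        s.consecutive_failures += 1
        s.history.append(f"{when} {client} FAIL #{s.consecutive_failures}")
        if not s.disabled and s.consecutive_failures >= self.max_failures:
            s.disabled = True
            s.history.append(f"{when} {client} DISABLED after {s.consecutive_failures} failures")
        return s.disabled

    def record_success(self, user: str, when: str, client: str) -> bool:
        """Log a correct password; returns True only if login may proceed.

        A correct password on a disabled account is still rejected: the
        counter protects the account, not just the password check.
        """
        s = self._state(user)
        if s.disabled:
            s.history.append(f"{when} {client} REJECTED (account disabled)")
            return False
        s.consecutive_failures = 0  # a success ends the failure streak
        s.history.append(f"{when} {client} OK")
        return True

    def enable(self, user: str) -> None:
        """Administrative re-enable; also clears the failure streak."""
        s = self._state(user)
        s.disabled = False
        s.consecutive_failures = 0
        s.history.append("RE-ENABLED by administrator")


def replay(text: str, max_failures: int = 5) -> LockoutPolicy:
    """Feed constructed event lines through the policy and return its state."""
    policy = LockoutPolicy(max_failures)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of stopping the monitor
        if m["result"] == "fail":
            policy.record_failure(m["user"], m["ts"], m["client"])
        else:
            policy.record_success(m["user"], m["ts"], m["client"])
    return policy


if __name__ == "__main__":
    p = replay(SAMPLE_EVENTS, max_failures=5)
    for name, state in p.accounts.items():
        print(name, "disabled" if state.disabled else "active")
        for entry in state.history:
            print("   ", entry)
```

With the sample feed, alice's two failures are wiped by her later success, while bob's fifth failure disables the account and his subsequent correct password is still refused until an administrator calls `enable`. A production version would persist the state outside the request process and add a time-based reset, neither of which the thread specifies.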
