Re: VPN vs SSL client side certificates

From: Michael Sharman (msharman_at_internode.on.net)
Date: 09/09/05

    Date: Fri, 09 Sep 2005 10:14:19 +1000
    
    

    Volker Birk wrote:
    > In comp.security.misc Michael Sharman <msharman@internode.on.net> wrote:
    >
    >>To lower the risk of password compromise I'm planning to use client side
    >>certificates to authenticate as well as the passwords, so that a
    >>stolen/cracked password isn't enough.
    >
    >
    > If you're authenticating the clients with certificates, authenticating the
    > server with a certificate, and have an SSL connection, then I cannot see,
    > why using passwords at all.

    The authorised client machine is likely to be in an office environment
    where different users might have a different role on the system.

    And also it stops anyone who might have been given access to the client
    machine from having immediate access to the web system (they'd have to
    know the password as well).

    I was also thinking along the lines of the client machine being
    compromised and used as an avenue to access the system, the passwords
    would provide one extra step.

    Does this make sense?

    >
    >
    >>Is a VPN useful given that I'm using SSL in this circumstance?
    >
    >
    > Maybe.
    >
    >
    >>What security does IPSEC provide that SSL doesn't?
    >
    >
    > Used in this way, tunnelling with IPSEC hides which service who is using.
    >

    Ah thanks, yes that makes sense. I'm not sure if it matters in this
    case. From my reading I think IPSEC can also stop the IP header from
    being tampered with (AH packets); what does this protect us from in this
    instance?

    >
    >>Would the IPSEC implementation in a firewall appliance be more
    >>trustworthy than Apache-SSL?
    >
    >
    > It depends.
    >
    > F'up2here, because this is not ssh, what we're talking about.
    >
    > Yours,
    > VB.

    Thanks,

    Michael

