Re: SSL & Basic Authentication
- From: BigSam <BigSam@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 16 Aug 2008 09:28:00 -0700
Thanks - I better understand your earlier comments.
To address some of the concerns you've listed:
Yes the user ID & password are cached on the mobile device & yes these are
transmitted over a wireless connection. I've already undertaken an
initiative to address this concern - 2-factor authentication initiated by a
wired connection using a client certificate.
The other items you listed are not issues of concern.
Furthermore, I've taken steps to isolate the user's access on the IIS
server, so that the activities it can perform are at the barest level
possible. This user account may only access the files associated with the web
pages requiring Basic Authentication; this account cannot write to any folder
on the system; I'm investigating the possibility of denying this account the
privilege to exec anything on the system as well.
There is no sensitive information being passed between the mobile device &
the server.
The driving force behind this is PCI DSS compliance & my own requirements,
which in some cases are more stringent than those demanded by PCI.
The original purpose of my question was to gather supporting information to
allow me to push not only developers but also management for a stronger
solution, not just one that may be acceptable to them.
Thanks for your replies - you have given me some information to construct my
arguments with.
Big Sam
"David Wang" wrote:
Well, in relative terms, using SSL to encrypt the transport of data is
"more" secure than no encryption. And more bits is more secure than
less bits. And how do you know if 1024bits is enough? Well, that all
depends on your security tolerance!
However, transport of data/credentials and the number of bits for
encryption is far from the whole story of the "security process".
Consider:
- Does the client cache those credentials and if so, how is that
secured?
- Is the actual username/password going over the wire or some one-way
hashed form of it?
- Is the actual username/password stored in memory on the server
somewhere to be accessed by unauthorized server-side code?
- Is the server authorized to cache and replay that username/password
to another server (i.e. delegation)?
All it takes is one insecure link in security for the entire system to
be considered insecure. You can use 1 billion bit encryption, but if
the client or server caches the username/password in the clear, the
encryption is useless.
Also, the security of the system is NOT merely the security of its
parts -- i.e. making sure each link of a system is "more secure" does
NOT ensure that the entire system is "more secure".
System Security depends on all the links to be secure as well as
interaction between all the links to be secure.
Thus, asking about the relative security of sending username/password
over SSL is quite incomplete. It is even harder without defining your
own security threshold and tolerance.
For the sake of your question -- using Basic over SSL is more secure,
but without knowing your security requirements, it is hard to advise
whether you should look for better methods. You don't even have a
criteria to determine if your current method is secure enough, let
alone determine if you need more. More security is not always better
because security is not absolute -- it is a gradient that requires
matching security required and security provided.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Aug 15, 5:24 am, BigSam <Big...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I suppose I was asking in relative terms. Since we need some form of
authentication, how does Basic Authentication with SSL using a 1024 bit key
rate to some of the other forms of authentication? I understand that Basic
Authentication by itself isn't considered secure by any measure, but when
adding SSL to the mix how much does that increase the security, since the
user ID & password are now encrypted? I assume the user ID & password are
encrypted, please correct me if I'm wrong on that matter.
Thanks,
BigSam
"David Wang" wrote:
On Aug 14, 12:53 pm, BigSam <Big...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
We've a web site that has a certificate in use & all pages are using SSL.
Some pages are configured to use Basic Authentication; we're connecting to
these with mobile devices.
How secure is the process? Should I look for better methods?
You need to first define your security threshold and tolerance before
asking/evaluating the security of any configuration.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
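An added example, not code from any post in this thread, that makes David's checklist concrete: a Basic Authorization header carries the username and password as plain base64 (recoverable by anyone who sees the header), so the transport is its only protection, and the server can avoid holding the plaintext by verifying against a salted one-way hash. The sample requests, user names, salt and credential store below are constructed.

```python
import base64
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample traffic: (scheme the request arrived on, Authorization value).
SAMPLE_REQUESTS = [
    ("https", "Basic " + base64.b64encode(b"mobile01:Summer2008").decode()),
    ("http", "Basic " + base64.b64encode(b"mobile02:hunter2").decode()),
    ("https", "Bearer not-a-basic-header"),
]

def decode_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic header, or None if it is not Basic.
    Basic only base64-encodes 'user:password' (RFC 2617); nothing is hashed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None

def audit(requests: List[Tuple[str, str]]) -> List[str]:
    """Flag Basic credentials that arrived without TLS: the decoded plaintext
    is then exposed to anyone on the path (e.g. the wireless hop)."""
    findings = []
    for scheme, header in requests:
        creds = decode_basic(header)
        if creds is not None and scheme != "https":
            findings.append(f"cleartext Basic credentials for user {creds[0]!r}")
    return findings

# Constructed server-side store: salted PBKDF2 hash instead of the password itself,
# so the plaintext is neither kept on disk nor left lying around in memory.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt-value"
CREDENTIAL_STORE = {"mobile01": (_SALT, _hash("Summer2008", _SALT))}

def verify(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    entry = CREDENTIAL_STORE.get(user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(_hash(password, salt), stored)
```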