
Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 10:57 UTC (Thu) by ewan (subscriber, #5533)
Parent article: Cryptographic splicing makes for a Wordpress vulnerability

IMHO the best way of authenticating to a website is to use SSL with a 
client certificate; it's nicely secure and you never get asked for a 
password by a website, only by your own browser, and (usually) only after 
a restart.

Clearly, it's not universally available, but where it is it's a very 
slick solution.


(Log in to post comments)

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 9, 2008 8:19 UTC (Fri) by jschrod (subscriber, #1646) [Link]

It's a hassle if you have several identities against different web applications, i.e.,
multiple certificates. Automatic certificate selection doesn't work then, as no realm concept
as in baseauth exists. You can read about a bunch of problems at
http://wiki.mozilla.org/PSM:CertPrompt

There is also the `logout' problem, just as in base auth; i.e., if you want to use different
SSL certs against the same web app. This is especially needed during development, to simulate
different users with different roles. Currently, one needs several browser instances with
different profiles for that (each of them eating up 100s of MBs.)

In addition, manual cert selection is a drag, if you have a Web server that authenticates only
part of its Web site. When you first access some other part of the Web server, the SSL
connection is established. When you then link to the protected area, the SSL connection must
be renegotiated, and that doesn't properly work in many older browsers.

Oh yes, and moving a whole site to https might not be advisable either, for performance
reasons.

I don't even want to start about the problems to set up a revocation process properly. After
all, you want to be able to re-issue a cert to a client when it got stolen or so. Since you
will have the same X.509 fields, more or less, revocation lists are the only way to go. Have a
lot of fun with them.

IMNSHO, client certs are also not a good solution to the client authentication problem. Been
there, done that, lots of problems. :-)

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 16, 2008 12:30 UTC (Fri) by robbe (subscriber, #16131) [Link]

> Automatic certificate selection doesn't work then, as no realm concept
> as in baseauth exists.

That's not true. If a server requests a client certificate, it has to 
send a list of "acceptable" CAs. The client is supposed to use a cert 
that is signed by one of those. If you plan your environment carefully 
automatic selection can work (except for IE which apparently is too dumb 
to heed the acceptable CA list and always shows all certificates to 
the user).

I agree with most of your other points. Setting up proper 
authentication via client certificates is a complicated mess.
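The acceptable-CA selection robbe describes, written out as an added Go example that is not part of this thread. The names pickByAcceptableCA, dn and identity are chosen here, and the held identities are constructed stand-ins carrying only the fields the selector reads, not real certificates.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// pickByAcceptableCA returns the GetClientCertificate callback for a tls.Config.
// The server's acceptable-CA list arrives as raw DER names in cri.AcceptableCAs;
// the callback answers with the first held certificate whose issuer DN is on it.
// Only direct issuers are matched; chains through intermediates are not walked.
func pickByAcceptableCA(held []tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		if len(cri.AcceptableCAs) == 0 {
			// No list means nothing to select on: this is where a browser must prompt.
			return nil, fmt.Errorf("server sent no acceptable-CA list for %d held certificates", len(held))
		}
		for i := range held {
			for _, ca := range cri.AcceptableCAs {
				if bytes.Equal(held[i].Leaf.RawIssuer, ca) {
					return &held[i], nil
				}
			}
		}
		return nil, fmt.Errorf("none of %d held certificates is issued by an acceptable CA", len(held))
	}
}

// dn is a constructed helper: DER of an X.501 Name with the given CN, the same
// encoding found in RawIssuer/RawSubject and in the CertificateRequest CA list.
func dn(cn string) []byte {
	der, _ := asn1.Marshal(pkix.Name{CommonName: cn}.ToRDNSequence())
	return der
}

// identity is a constructed stand-in for a held client cert with only the fields the selector reads.
func identity(subject, issuer string) tls.Certificate {
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: subject}, RawIssuer: dn(issuer)}
	return tls.Certificate{Leaf: leaf}
}

func main() {
	pick := pickByAcceptableCA([]tls.Certificate{identity("alice@corp", "Corp CA"), identity("alice@staging", "Staging CA")})
	if cert, err := pick(&tls.CertificateRequestInfo{AcceptableCAs: [][]byte{dn("Staging CA")}}); err == nil {
		fmt.Println("selected", cert.Leaf.Subject.CommonName) // selected alice@staging
	}
}
```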


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds