Security Basics mailing list archives
RE: Secure web site access and PKI Certs
From: "Joshua Berry" <jberry () PENSON COM>
Date: Thu, 28 Apr 2005 15:24:08 -0500
In this case you would want the certificate created under the Domain users account, not a local user on the pc. That way you have to authenticate to the domain, and that password cannot be changed with a bootup disk. -----Original Message----- From: Justin Roysdon [mailto:justin () roysdon net] Sent: Wednesday, April 27, 2005 10:24 PM To: Keenan Smith; security-basics () securityfocus com Subject: Re: Secure web site access and PKI Certs Last I checked, if someone has local access to your system, then it's not very difficult to change your password (with a boot disk) and then proceed to login as your user. It sounds like a poor way to authenticate. The benefit of the seperate authentication is lost. Crypto Geek ---------- Original Message ----------- From: "Keenan Smith" <kc_smith () clark net> To: <security-basics () securityfocus com> Sent: Wed, 27 Apr 2005 11:12:02 -0400 Subject: Secure web site access and PKI Certs
All, I have access to a secure web site. It used to require a PKI Cert to identify the user and then a standard username/password login to authenticate. Recently a change was made to the site that allows the supplying of a PKI Subject CN Fragment to a user "profile" on the site. In this case, the certificate not only identifies the user but authenticates as well. The end result is an "auto-login" feature that in effect, keeps me logged in all the time. Anybody sitting at my machine and logged in as me (Windows XP) can access the web site as me. At first glance this seems like it's a reasonable way to accomplish a secure access to the web site. Installing the certificate as me ties it to my profile and makes it unavailable to other users on my machine and since the use of the certificate requires a user to login as me, it moves the authentication piece from the web site to the Windows domain. This seems to some extent like "security through obscurity" and also substituting convenience for security, an all-to-common problem. Since it's my security-cleared neck on the line, I'd rather be too concerned rather than not concerned enough. So I'm asking the collective wisdom of the list to consider. Is PKI's single sign-on capability reasonable? Is this implementation
adequate?
Thoughts? Opinions? Critiques? Thanks Keenan Smith
------- End of Original Message -------
Current thread:
- Re: Secure web site access and PKI Certs Scott Schwendinger (Apr 28)
- RE: Secure web site access and PKI Certs Robert Hines (Apr 29)
- <Possible follow-ups>
- RE: Secure web site access and PKI Certs Joshua Berry (Apr 29)