Security Basics mailing list archives

Re: Secure web site access and PKI Certs


From: Florian Rommel <frommel () gmail com>
Date: Thu, 28 Apr 2005 19:12:21 +0300

Personally I have 2 client intranets that I access this way. It shouldn't be a BIG problem as my profile is LOCKED as soon as I leave the desk and my hard drive is encrypted.

Of course it would be better with an additional username and password for a kind of 2-factor authentication, the certificate being what you have and the password being what you know. I have implemented something along those lines with S/KEY and certificate authentication, which is so far the best usage, but not if you need to authenticate a lot (have to check the website a lot of times and it logs you out after X minutes of inactivity etc.)

Overall I don't think you should be TOO concerned if your machine is locked when you leave the desk at all times. I think the company or website that implemented this "feature" of single sign on have, or at least should have, considered this risk and made a risk assessment, so I guess the ball is more in their court than in yours.

cheers
//Florian

http://www.2blocksaway.com

All,

I have access to a secure web site.  It used to require a PKI Cert to
identify the user and then a standard username/password login to
authenticate.

Recently a change was made to the site that allows the supplying of a
PKI Subject CN Fragment to a user "profile" on the site.  In this case,
the certificate not only identifies the user but authenticates as well.

The end result is an "auto-login" feature that in effect, keeps me
logged in all the time.  Anybody sitting at my machine and logged in as
me (Windows XP) can access the web site as me.

At first glance this seems like it's a reasonable way to accomplish a
secure access to the web site.  Installing the certificate as me ties it
to my profile and makes it unavailable to other users on my machine and
since the use of the certificate requires a user to login as me, it
moves the authentication piece from the web site to the Windows domain.

This seems to some extent like "security through obscurity" and also
substituting convenience for security, an all-too-common problem.

Since it's my security-cleared neck on the line, I'd rather be too
concerned rather than not concerned enough.

So I'm asking the collective wisdom of the list to consider.  Is PKI's
single sign-on capability reasonable?  Is this implementation adequate?
Thoughts?  Opinions?  Critiques?

Thanks
Keenan Smith
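
The reply above mentions pairing certificate authentication with S/KEY. As an added example (not code from the thread or from either poster), the Python below checks an S/KEY-style hash-chain one-time password alongside a pinned client-certificate fingerprint, so that the certificate alone no longer logs the user in. It substitutes SHA-256 for the folded MD4 of RFC 1760; `Account`, `chain`, `demo` and all sample values are hypothetical and constructed.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """One step of the hash chain (SHA-256 here; RFC 1760 S/KEY uses folded MD4)."""
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Apply h() n times to secret+seed, giving the n-th one-time password."""
    value = secret + seed
    for _ in range(n):
        value = h(value)
    return value


class Account:
    """Server-side record: pinned certificate fingerprint plus last accepted OTP."""

    def __init__(self, cert_fingerprint: str, last_otp: bytes, counter: int):
        self.cert_fingerprint = cert_fingerprint
        self.last_otp = last_otp
        self.counter = counter  # chain index of the OTP expected next

    def login(self, presented_fingerprint: str, otp: bytes) -> bool:
        # Factor 1, "what you have": the TLS client certificate.
        if not hmac.compare_digest(presented_fingerprint, self.cert_fingerprint):
            return False
        # Factor 2, "what you know": hashing the OTP once must give the stored value.
        if self.counter < 1 or not hmac.compare_digest(h(otp), self.last_otp):
            return False
        self.last_otp = otp  # the server never stores anything that predicts the next OTP
        self.counter -= 1
        return True


def demo() -> list:
    secret, seed, n = b"constructed passphrase", b"ke1234", 5  # constructed values
    fp = hashlib.sha256(b"constructed client certificate DER").hexdigest()
    acct = Account(fp, chain(secret, seed, n), n - 1)
    otp4 = chain(secret, seed, n - 1)
    return [
        acct.login(fp, otp4),                               # certificate + fresh OTP
        acct.login(fp, otp4),                               # same OTP replayed
        acct.login("00" * 32, chain(secret, seed, n - 2)),  # right OTP, wrong certificate
        acct.login(fp, chain(secret, seed, n - 2)),         # next OTP in the chain
    ]


if __name__ == "__main__":
    print(demo())
```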



