WebApp Sec mailing list archives

re: advice needed - secure transfer of client details


From: Tim James <jimtames () yahoo com>
Date: Fri, 5 Nov 2004 14:39:55 +0000 (GMT)

Hey everyone,

A massive thank you to everyone that took the time to
consider my problem, which I stated at the time as
"securing the transfer of details from an untrusted
client to a trusted server".

I received many replies, all thought-provoking and
many of them that must have taken serious
consideration.

Many people pointed out, as often happens, that I was
probably asking the wrong question, and that I needed
to think about what I was trying to achieve - what
assets were being protected? What was the cost of
leaving them unprotected? Well, I can't really answer
that last question in this forum but the first
question made me realise that I had two main
requirements. Firstly, that only authorised
workstations could use my web application, and
secondly, that the data the workstations supplied to
the server were accurate and not interfered with or
fabricated.

The quality of answers was amazing. Some people took
the question onto new levels - thanks Glenn and Keith! -
and others kept it simple (stand up Andrew Sledge!)

What I've learned is....

1) Some form of digital certificate on each authorised
client goes a long way towards increased trust of the
client. Combine this with access control on the
authorised workstations to prevent exporting of
certificates, and impersonating an authorised
workstation gets much harder.

2) An applet is not the right way to generate the
transfer of workstation details.

3) If you must transfer the details, use something
which is difficult to reverse engineer.

4) Try to avoid having to transfer any details if you
can - maybe by pre-registering the workstation details
in a secure way.

Still more questions than answers but I'm a lot
further forward.

Thanks again,

Tim


