tags:

views:

217

answers:

4
+1  Q: 

Why should I authenticate a client using a certificate?

I'm implementing a client with python's twisted that checks the server ssl certificate when connecting, following basically this recipe. I've seen in many HOWTOs such as this one the server checking the client's authenticity through a ssl certificate as well. Currently i authenticate my clients using an unique id and 1024 char string (they are automated clients without human interaction).

What I don't understand is what reason would I have to use the whole ssl thing for this instead of just sending the "password" to the server. After all the connection is already ssl encrypted, checking the server certificate and everything. This is a similar question but I want to know why people use ssl client certs and not just what is the best way to do it instead.

A: 

Checking the certificate ensures that you are connecting to who you expect to be connecting to. It prevents a "man in the middle" attack.

See http://www.thoughtcrime.org/software/sslsniff/ for a related case where clients were not correctly checking the certificate chain, resulting in a pretty easy way to exploit SSL using a man-in-the-middle attack.

Marc Novakowski  2010-01-29 19:04:06
Right, in this case, the channels between the client and the middle-man and middle-man and server were still secure, the client just didn't validate the certificate. The server doesn't care - if the server could check client certificates, in e.g. a non-public application or some application where certificates are issued and signed as expected, this would not be possible.
Cade Roux  2010-01-29 19:15:55
A: 

Owning SSL certificates that are signed by a certificate authority means that the SSL certificate owners have gone through the hassle of being verified by the CA that the owner is who they say they are. For instance, if you have an ecommerce store called widgetsdeluxe.com and you have a certificate for the domain widgetsdeluxe.com that has been signed by Verisign, et. Al., shoppers will know that when they go to that site and the name on the certificate matches the actual domain name they went to, then they can trust that the information is secured and is coming from the widgetsdeluxe.com domain (this is to prevent spoofing and man-in-the-middle attacks).

Andrew Sledge  2010-01-29 19:06:25
This answer only addresses server certificates, the OP was asking why a client-side certificate would be useful.
Cade Roux  2010-01-29 19:08:20
+1  A: 

A client certificate restricts access to people authorized with certificates. Assuming your certificates are distributed and managed correctly, this makes it more difficult to connect from an unauthorized location (or say, a bot network), since you need more than just a username and password.

Client-side certificates are a potential part of a defense-in-depth strategy, if you are in an environment where you can manage client certificates.

Cade Roux  2010-01-29 19:07:06
The client is checking the server certificate so a connection can only be done with the real server. If the connection is encrypted using the server ssl setup can someone still make a mitm attack? I suppose a client certificate could make it harder to ddos my server with invalid auth requests but I'm not sure. What I mean is it seems to me the client certificate is basically a fancy password, I don't see the difference. Thanks for your answer.
Plinio  2010-01-29 19:27:32
MITM attack is not supposed to possible with SSL (check server certificates, obviously). However, a username/password is easily divulged. So for another layer, a client certificate is more than a fancy user/password - it is a signed artifact with a distribution management system and revocation, etc. With an ordinary username/password, you can try different password attacks from multiple machines without needing a certificate. Client certificates are for another level of security - usually only possible in a controlled environment.
Cade Roux  2010-01-29 19:34:11
Yes, the management and distribution of certificates is the tricky part.
Marc Novakowski  2010-01-29 19:36:55
+1  A: 

Certificates are easy to revoke. Passwords can be stolen, but stealing a client side certificate would be much harder.

Greg  2010-01-29 19:41:31
The client I wrote doesn't need any human input, so the password is already in a text file the client reads and sends to the server. If someone can steal the password file they can steal the client cert file as well. If I need to "revoke" the client password I can just change it on the database/whatever. So in this case, what are the advantages of using a cert over a pwd string on a file?
Plinio  2010-01-29 19:50:21
Is the password sent over the wire in cleartext? If yes, it can be stolen. Most OS store client certificates in an encrypted store specific to the login used.
Greg  2010-01-29 19:53:58

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication