
Certificates? Need guidance...

Hi,

This is one of those posts where not only do I not know the answer, I
don't fully understand the *question* that I should be asking... but I'll
try my best:

I've designed a web site which authenticates users via a login page. The
users can then access their account information. The types of reports that
the user can run depend upon the user's access level. I'm currently storing
all usernames, passwords, and access levels in a SQL Server database. I've
been told that the web site needs to be made more "secure" in two ways:

1) ALL web requests/responses need to be encrypted via SSL.
2) A certain class of users, those with the highest access level, need
to be authenticated in a manner that is more sophisticated than a simple
username/password.

Now #1 was pretty straight-forward. I purchased a digital certificate
from Thawte. I bound it to the ISA listener interface. All SSL connections
are now terminated at the firewall and forwarded to the internal web server
as plain HTTP. Great!

I'm stumped on #2 though. I've done some research and have learned that
there are at least two ways to add EXTRA security to web sites. I can a)
require client certificates and/or b) require the use of a smart card. Can
anyone point me in the right direction on either of these options? Does ISA
need to be configured in a particular way to allow certificate and/or smart
card information to pass through? When ISA "bridges" the connection from SSL
to plain HTTP, will this information be lost in transit? Is my ASP.NET web
site supposed to ask the user to "swipe your smart card now?" If so, since
this action is taking place on the client side, how will my ASP.NET page
know when the swipe has taken place? How is the data transmitted? I'm
utterly confused.

Mr. David


Nov 19 '05 #1
If you must, go for the client-certificates; less cost, less hassle.
Granted, client-certificates will be their own pain. If you have the
option, push back on the whole idea of "EXTRA" security; it sounds like
someone in upper management learned a new buzzword. If you want extra
security, *don't* use a web-based solution. You're already spending most
of your time dealing with HTML limitations. If you have to add
certificates, you're going to have to add even more time figuring out
how to make this new security level maintainable (if you did smart
cards, you've got to track the cards, other hardware, etc.) ---ick.

Larry David wrote:
[snip]
2) A certain class of users, those with the highest access level, need
to be authenticated in a manner that is more sophisticated than a simple
username/password.
[snip]
I'm stumped on #2 though. I've done some research and have learned that
there are at least two ways to add EXTRA security to web sites. I can a)
require client certificates and/or b) require the use of a smart card. Can
anyone point me in the right direction on either of these options? Does ISA
need to be configured in a particular way to allow certificate and/or smart
card information to pass through? When ISA "bridges" the connection from SSL
to plain HTTP, will this information be lost in transit? Is my ASP.NET web
site supposed to ask the user to "swipe your smart card now?" If so, since
this action is taking place on the client side, how will my ASP.NET page
know when the swipe has taken place? How is the data transmitted? I'm
utterly confused.

Mr. David

Nov 19 '05 #2
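An added example, not from the thread or from either poster, of what "require client certificates" looks like on the ASP.NET side. Two points it makes concrete: (a) the certificate is only ever seen by whatever terminates the TLS session, so with ISA bridging to plain HTTP the backend's `Request.ClientCertificate` is empty unless the proxy forwards it somehow, and that forwarded value can be forged by anyone who can reach the plain-HTTP backend unless you check it really came from the proxy; (b) a smart card is, from the web application's point of view, just a client certificate whose private key lives on the card: the browser and OS prompt for the card and PIN during the TLS handshake, the page never asks anyone to "swipe". The header name `X-Client-Cert`, the proxy address, the CA thumbprint, the connection-string name and the `Users(CertThumbprint, AccessLevel)` schema are all assumptions for illustration; check whether your ISA version can forward the certificate at all, or instead let the client's TLS session reach IIS end to end.

```csharp
// Added example, classic ASP.NET (System.Web). Not code from the original thread.
// Assumed: header name, proxy IP, CA thumbprint, connection-string name, table schema.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public static class ClientCertGate
{
    // Hypothetical header in which the SSL-bridging proxy would pass the DER cert, base64-encoded.
    const string ForwardedCertHeader = "X-Client-Cert";
    // Assumed internal address of the proxy (ISA) interface that talks to this server.
    static readonly IPAddress ProxyAddress = IPAddress.Parse("10.0.0.2");
    // Assumed thumbprint of the CA that issues the high-privilege users' certificates.
    const string IssuingCaThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567";

    // Returns the verified client certificate, or null if none is acceptable.
    public static X509Certificate2 GetVerifiedCertificate(HttpRequest request)
    {
        X509Certificate2 cert;

        if (request.ClientCertificate.IsPresent)
        {
            // Case 1: TLS was terminated at IIS, so the certificate arrives with the request.
            cert = new X509Certificate2(request.ClientCertificate.Certificate);
        }
        else
        {
            // Case 2: TLS was terminated at the proxy. Trust the forwarded header ONLY when the
            // request really came from the proxy; the hop to IIS is plain HTTP and anyone who
            // can reach it could otherwise inject a header naming any certificate they like.
            IPAddress remote;
            bool fromProxy = IPAddress.TryParse(request.UserHostAddress, out remote)
                             && remote.Equals(ProxyAddress);
            string b64 = request.Headers[ForwardedCertHeader];
            if (!fromProxy || string.IsNullOrEmpty(b64))
                return null;
            try { cert = new X509Certificate2(Convert.FromBase64String(b64)); }
            catch (Exception) { return null; } // malformed header: treat as no certificate
        }

        return IsTrusted(cert) ? cert : null;
    }

    // Build the chain with revocation checking and pin the issuing CA, so a certificate
    // from some other root the machine happens to trust cannot be substituted.
    static bool IsTrusted(X509Certificate2 cert)
    {
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) return false;

        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;  // needs CRL/OCSP reachability
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert)) return false;

        // Element 0 is the leaf; element 1 is the CA that issued it.
        if (chain.ChainElements.Count < 2) return false;
        string issuer = chain.ChainElements[1].Certificate.Thumbprint;
        return string.Equals(issuer, IssuingCaThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Map the certificate to the access level stored in SQL Server. Binding the account to a
    // specific certificate (its thumbprint) rather than to the subject name means a differently
    // issued certificate carrying the same name is not accepted. Parameterised query.
    public static int? AccessLevelFor(X509Certificate2 cert)
    {
        string cs = ConfigurationManager.ConnectionStrings["Main"].ConnectionString; // assumed name
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT AccessLevel FROM Users WHERE CertThumbprint = @t", conn))
        {
            cmd.Parameters.AddWithValue("@t", cert.Thumbprint);
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? (int?)null : Convert.ToInt32(result);
        }
    }
}

// A page that only the highest access level may see.
public partial class AdminReports : System.Web.UI.Page
{
    const int AdminLevel = 3; // assumed value for the top access level

    protected void Page_Load(object sender, EventArgs e)
    {
        X509Certificate2 cert = ClientCertGate.GetVerifiedCertificate(Request);
        int? level = cert == null ? (int?)null : ClientCertGate.AccessLevelFor(cert);
        if (level == null || level < AdminLevel)
        {
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

The proxy-address check is the weakest link here: it assumes nothing else on the internal segment can spoof the proxy's source address or sit between ISA and IIS. If that assumption does not hold, re-encrypt the internal hop (SSL-to-SSL bridging with the backend authenticating the proxy) or let the client's TLS session pass through to IIS so `Request.ClientCertificate` is populated directly and no forwarded header is needed at all.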
Yeah, this high-level security stuff is a major PITA! ...and I thought
that designing the site would be the hard part.
Nov 19 '05 #3
