SSL Client Authentication

Guest

I'm not sure if I'm posting the correct place. I posted it somewhere else,
but someone told me to post it at another place.

Anyway, some background first. I am currently building a web application for
my company. This application is going to be hosted with an ISP on a shared
server. And my company doesn't have a static IP.

I want to make part of my web application such that only my company's
computer can access (something like an 'intranet'). Since we don't have a
static IP, maybe we can save a file on my company's computer, so when a user
accesses this part, the server will locate this file in the client's computer
and so on.

I've read up about SSL, and about configuring a web application to require
client certificates. So this is how I understand it. Please correct me if I'm
wrong.

1. Firstly, I need to go to a certificate authority's web site to apply for
the certificates. The authority will request a CSR file. So, if I'm putting
my web application on an ISP's web server, my ISP will have to generate the
CSR file for me?

2. I'll receive my server certificate from the authority. My ISP will have
to install the certificate on the web server I'm putting the web application
on.

3. My ISP will also have to configure the IIS Settings of the folder where I
put the part of my application that I want to restrict access, so that client
certificate authentication is enabled.

4. I've to install the client certificate on my company's computer's web
browser.

Thus far, please tell me if any step is wrong.

What I don't understand is the last step: Installing the client certificate.

Will I get a client certificate from the certificate authority? Where
can I get it? Is this client certificate unique? If not, if
someone else's computer also has this client certificate installed, won't he
be able to get through? Will client certificate authentication
won't help solve my problem?

Sorry for making this so long. Please kindly advise. Thank you.
 
Nicole Calinoiu

> 1. Firstly, I need to go to a certificate authority's web site to apply for
> the certificates. The authority will request a CSR file. So, if I'm putting
> my web application on an ISP's web server, my ISP will have to generate the
> CSR file for me?

No, you can generate the CSR yourself using a different machine. In fact,
this would be the generally preferred approach since it will give you better
control of the private key and ensure that you can take the certificate with
you if you change ISPs. However, before choosing any given approach, you
should check with your current ISP to see what approach(es) they are willing
to support.


> 2. I'll receive my server certificate from the authority. My ISP will have
> to install the certificate on the web server I'm putting the web application
> on.

Yes. However, unless you are actively involved in this installation, your
ISP will gain access to the private key. Depending on your ISP and service
plan, you may or may not have the option to participate so as to minimize
the exposure of your private key.

There may also be additional considerations related to your site's hosting.
Depending on how your ISP deals with SSL for shared hosting sites,
introduction of SSL for your site may require bumping up to a more expensive
hosting plan. Obviously, you should discuss this with the ISP before making
any final decisions regarding your approach.


> 3. My ISP will also have to configure the IIS Settings of the folder where I
> put the part of my application that I want to restrict access, so that client
> certificate authentication is enabled.

Yes.


> 4. I've to install the client certificate on my company's computer's web
> browser.

For a single client machine, this would be the simplest approach.

> Thus far, please tell me if any step is wrong.
>
> What I don't understand is the last step: Installing the client certificate.
>
> Will I get a client certificate from the certificate authority?
> Where can I get it?

Some commercial CAs do offer this service. Your ISP is also another
potential source.

> Is this client certificate unique?

It is at the time of issuing. If you don't keep it safe from sharing after
it's issued, it won't be.

> If not, if
> someone else's computer also has this client certificate installed, won't he
> be able to get through?

Yup.


> Will client certificate authentication
> won't help solve my problem?

Given the potential complexity of implementing an approach based on client
certificates in a shared hosting scenario, I wouldn't recommend it unless
there's really no alternative. I'm guessing that there are better solutions
in your case, but it's a little difficult to tell from your description of
the problem. A few questions...

1. Do you really want to ensure that only one physical machine can connect
to the relevant portion of your application?
2. Is it OK for multiple staff members to use this portion of the
application, or are you trying to limit it to a single staff member?
3. Do you really want the application to be accessible only from within the
company's physical premises, or would it be OK for at least some staff to
access it from elsewhere?
 
Guest

Thank you for your reply~ I'm truly touched... Here is my reply,
> 1. Do you really want to ensure that only one physical machine can connect
> to the relevant portion of your application?

Yes, or perhaps not one, but only selective computers within my company's
physical premises.

> 2. Is it OK for multiple staff members to use this portion of the
> application, or are you trying to limit it to a single staff member?

Any staff with a user account and password with the system can use this
portion of the application.

> 3. Do you really want the application to be accessible only from within the
> company's physical premises, or would it be OK for at least some staff to
> access it from elsewhere?

I think my director wishes to make the application to be accessible only
from within the company's physical premises. That's the start of all
problems... We don't have static IP, we don't have a web server and a
database server, and I don't think they are willing to invest on those.

Anyway, all the ISP I contact with, discouraged me to use SSL client
authentication. They said that form authentication with SSL should be
secure enough. And my manager said that it should be able for an application
to detect a network card on the client PC, and find its number. But I don't
think it's possible, am I right?

How? What should I do? Please help...
 
Nicole Calinoiu

wrytat said:
> Thank you for your reply~ I'm truly touched... Here is my reply,
>
> Yes, or perhaps not one, but only selective computers within my company's
> physical premises.

Is it possible to reach any of these from outside the network using any type
of remote desktop functionality? If so, anyone who can take advantage of
this will be able to use your "limited" portion of the application even when
they're physically located elsewhere.

> Any staff with a user account and password with the system can use this
> portion of the application.
>
> I think my director wishes to make the application to be accessible only
> from within the company's physical premises.

What would he/she say if the CEO requested access to this portion of the
application when working from home?

> That's the start of all
> problems... We don't have static IP, we don't have a web server and a
> database server, and I don't think they are willing to invest on those.

Any one of these options might actually be cheaper than using the client
certificate approach, particularly when you consider that you might need to
upgrade your hosting plan. Have you actually looked into how much a static
IP would cost?

> Anyway, all the ISP I contact with, discouraged me to use SSL client
> authentication.

Personally, I would discourage this approach as well.

> They said that form authentication with SSL should be
> secure enough.

While it sounds like your application should probably be performing user
authentication of some type regardless, it won't do anything to limit
callers to your physical premises.

> And my manager said that it should be able for an application
> to detect a network card on the client PC, and find its number. But I don't
> think it's possible, am I right?

Not in any way that can't be spoofed quite easily. If you're looking for
something really cheap and are willing to tolerate some additional
dependencies and risk, you might want to consider using a service like
dyndns.org to map your dynamic IP to a static name. This would allow your
application to verify whether the caller's IP address matches the name's IP
address at any given time. Of course, making this verification will incur a
pretty big performance hit, so you'll probably want to cache the result of
the verification for at least a few minutes. Also, since it's possible for
the service you'll be verifying against to go down, you'll need to decide
how to handle requests that you can't verify. Please note that I'm not
advocating this solution (IMO, it's pretty sucky), but it at least has the
benefit of very low cost, which seems to be a driving factor on your end.
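
The check described in the reply above (compare the caller's IP with the dynamic DNS name's current address, cache the lookup for a few minutes, and decide what happens when the lookup fails), written out as an added example that is not part of the original post. The class name, the `negative_ttl` parameter and the injectable `resolver` and `clock` arguments are assumptions made for illustration.

```python
import ipaddress
import socket
import time


class DynamicNameAllowlist:
    """Admit a caller only if its IP matches the dynamic-DNS name's current IPs."""

    def __init__(self, hostname, ttl=300, negative_ttl=30,
                 resolver=None, clock=time.monotonic):
        self.hostname = hostname
        self.ttl = ttl                    # seconds a successful lookup is reused
        self.negative_ttl = negative_ttl  # shorter retry delay after a failure
        self.resolver = resolver or self._system_resolver
        self.clock = clock
        self._addrs = frozenset()
        self._expires = 0.0

    @staticmethod
    def _system_resolver(hostname):
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
        return {info[4][0] for info in infos}

    def _current_addrs(self):
        now = self.clock()
        if now >= self._expires:
            try:
                found = self.resolver(self.hostname)
                self._addrs = frozenset(ipaddress.ip_address(a) for a in found)
                self._expires = now + self.ttl
            except (OSError, ValueError):
                # Fail closed: a stale address may already belong to another
                # subscriber of the same ISP, so do not keep honouring it.
                self._addrs = frozenset()
                self._expires = now + self.negative_ttl
        return self._addrs

    def is_allowed(self, remote_addr):
        """remote_addr must be the TCP peer address, not a client-supplied header."""
        try:
            caller = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        return caller in self._current_addrs()
```

The cache cuts both ways: after the office's address changes, the previous address stays admitted and the new one stays rejected for up to `ttl` seconds, so this check belongs in front of the user login, not in place of it.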
 
Guest

I really have to thank you for your advice. I was feeling so helpless and
don't know which direction to go before you replied.

> Is it possible to reach any of these from outside the network using any type
> of remote desktop functionality? If so, anyone who can take advantage of
> this will be able to use your "limited" portion of the application even when
> they're physically located elsewhere.

My company does not allow anyone to access the company's information
outside, hence they don't allow any of us to use any remote desktop
functionality.

> What would he/she say if the CEO requested access to this portion of the
> application when working from home?

Actually this portion only includes functions like assigning passwords to
members, responding to customer's requests and printing report. So, I don't
think the CEO will request access to this portion, as only the sales
department and that director will use it.

> Have you actually looked into how much a static IP would cost?

My manager told me that investing on a static IP address will cost more than
US$700 a month in my country, which is really very expensive. But... recently
my CEO asked my manager to make the CCTV (live video of more than 10 security
cameras) online; something like a live webcast from many, many cameras (They
always have so many "creative" ideas). I have completely no idea how to do
that, and I don't know how my manager is going to resolve it, but I think
most probably they need a static IP as well, or ask for help from the CCTV
provider.

Anyway, am I right to say that I can only use either a static IP address, or
a dynamic DNS? Then, I can use either the IIS Manager's security feature (one
ISP suggests), or the ISP's firewall feature to restrict access based on
IP/domain name? But comparing static IP with dynamic DNS, static IP will be a
lot more reliable? Will these 2 ways incur a big performance hit as well?
 
Guest

I've got a quotation, and it cost around USD200 per month to get a static IP.
That's a lot cheaper than what I thought it was. :) Thanks anyway.
 
