[Owasp-ireland] client-side ssl certs?

John Marmelstein john.marmelstein at gmail.com
Fri Aug 12 07:05:48 EDT 2011


Hi All,

Wow, thanks for all the responses.

Federated id (Peter McE). Like a single-sign-on (SSO)? The world would
be a better, more interoperable place if we had one available. I am
toying with the idea of suggesting linking with a public SSO thing.
This would basically mean letting people log in using their Facebook
or Gmail accounts. But, to quote from Father Jack, I think “that would
be an ecumenical matter”.

As pointed out by Alexis, choice of solution depends on the context,
like the value or sensitivity of the data. In this case, the level of
sensitivity is not top-of-the-scale (further detail available
off-line).

In terms of a compromise leading to data fraudulently inserted/updated
to the system, we could rely on these fraudulent actions being
remedied later if they can be detected. I think that’s important,
because in some contexts, actions cannot be undone. Like, in an
application which (let’s say) launches missiles, it’s not great to
rely on a fraudulent missile-launch being remedied later.

Two-layer auth: a username/password, followed by a second page asking
for a second password or PIN (Eoin K and Romans M). This might have
the psychological effect of suggesting the credentials should not be
passed around.

A likely candidate solution might be to detect if a user is logging in
from a new computer (i.e. Romans' thing, or just a plaintext persistent
browser cookie). In this case, the user would be verified with a phone
call.

>> (Alexis) What about doing something with mobile phones/SMS?
Interesting. What might this be? Like, requesting a temporary password
via SMS? (In fact, I’ve got another job going on where this might fit.
In the other project, there is a much larger user population. These
folks rarely log in, so can’t be expected to maintain a password. But
they mostly have mobile phones)

Anyway, I’m off surfing for a week in Lahinch, and will duly weigh up
these options between sessions.

thanks again, and full marks for team effort!
JM
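One way to implement the "new computer" check discussed in the post, as an added example that is not from the original message or the list: instead of a plaintext cookie, the device-recognition cookie is signed with a server-side HMAC key so it cannot be forged or moved between accounts, and a login from an unrecognised device is routed to an out-of-band step (phone call or SMS code) before a cookie is issued. The function names and the key are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed key for this example only; in deployment it comes from a secrets store.
SERVER_KEY = b"example-device-cookie-key-not-for-production"


def issue_device_cookie(user_id: str, key: bytes = SERVER_KEY) -> str:
    """Mint a persistent device-recognition cookie bound to one user.

    Format: "<user_id>:<random device id>:<hmac-sha256 tag>". The tag covers
    both fields, so a client cannot forge a cookie or reuse one for another user.
    """
    if ":" in user_id:
        raise ValueError("user_id must not contain ':' (it is the field separator)")
    device_id = secrets.token_hex(16)
    payload = f"{user_id}:{device_id}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}:{tag}"


def is_known_device(cookie: Optional[str], user_id: str, key: bytes = SERVER_KEY) -> bool:
    """True only if the cookie is present, well-formed, signed by us and bound to user_id."""
    if not cookie:
        return False
    parts = cookie.split(":")
    if len(parts) != 3:
        return False
    cookie_user, device_id, tag = parts
    if cookie_user != user_id:
        return False
    expected = hmac.new(key, f"{cookie_user}:{device_id}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    return hmac.compare_digest(expected, tag)


def login_decision(password_ok: bool, cookie: Optional[str], user_id: str) -> str:
    """Outcome after the password check: 'deny', 'allow', or 'step-up'.

    'step-up' means the device is not recognised: verify the user out of band
    (phone call / SMS code) and only then call issue_device_cookie() for them.
    """
    if not password_ok:
        return "deny"
    if is_known_device(cookie, user_id):
        return "allow"
    return "step-up"
```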