
BLU Discuss list archive



Frackin script kiddies!!



On Tue, Aug 3, 2010 at 2:58 PM, Richard Pieri <richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On Aug 3, 2010, at 2:06 PM, Jarod Wilson wrote:
>>
>> I have a public-facing web server. One of the things it serves up is
>> mythweb. I require access to mythweb to go over ssl with
>> authentication. What else would you propose that I do, short of not
>> running mythweb on a public-facing web server?
>
> Take a step back for a second and look at what SSL does: it encrypts the end to end communication between your public facing web server and the remote browser. This ensures that the communication is secure but it does nothing to ensure that the browser making the connection is authorized to do so.

Yeah, that would be what the http auth-digest part is for. So am I to
understand correctly that your main opposition to this approach is
that the auth happens *after* the encryption channel is established,
rather than being a requirement to bring up the encryption channel?

> Now look at what SSH and VPNs do: they encrypt the end to end communication *and* they authenticate the user trying to communicate. This is what you are missing: authentication on the communication link. So, what you need to do is put some kind of authentication there.

So am I to presume you never use online banking and never shop online then?

> You can do this easily with SSH tunnels if you require PK auth and secure your keys with passwords, and then allow HTTP connections to your web front end only from within your private network.

Requires an ssh client on the device accessing the server and doesn't
meet the requirement I set forth of not running mythweb on a
public-facing web server.

> You can do it with X.509 certificates with TLS but this requires setting up a certificate authority for your network. IMO this is overkill for a home network but is the right answer for larger networks (corporate, school, etc). Then using this mechanism you configure the web server to require X.509 authentication before it will even consider talking to you.

This is the only route of the three you propose that might actually be
viable within the parameters I gave, though having to maintain a CA
and distribute certs does sound rather cumbersome.

> You can do it with a VPN. As with SSH tunnels you configure the web server to only accept connections from the internal network.

Requires a vpn client and the web server not public-facing.

-- 
Jarod Wilson
jarod-ajLrJawYSntWk0Htik3J/w at public.gmane.org
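The X.509 option discussed above, as an added illustration that is not part of the thread: an Apache mod_ssl configuration that rejects any TLS handshake not presenting a client certificate signed by your own CA, so mythweb's digest authentication only ever runs for connections that already passed certificate verification. File paths and the hostname are placeholders.

```apache
# Added example (not from the thread). Assumes Apache 2.x with mod_ssl
# and mod_auth_digest; all paths and the ServerName are placeholders.
<VirtualHost *:443>
    ServerName myth.example.invalid

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/myth-server.crt
    SSLCertificateKeyFile /etc/ssl/private/myth-server.key

    # Trust anchor for *client* certificates: only certs issued by your
    # private CA are accepted; the server's own cert may come from elsewhere.
    SSLCACertificateFile  /etc/ssl/certs/home-ca.crt

    # Set at the vhost level, the client certificate is checked during the
    # TLS handshake itself, so no HTTP request is ever parsed from an
    # unauthenticated peer. (Putting this inside <Location> instead would
    # force a renegotiation after the first request is already received.)
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location /mythweb>
        # Digest auth now runs only for holders of a valid client cert,
        # giving a second factor on top of the certificate.
        AuthType Digest
        AuthName "mythweb"
        AuthDigestProvider file
        AuthUserFile /etc/apache2/mythweb.digest
        Require valid-user
    </Location>

    # Keep an audit trail of which certificate subject was presented.
    CustomLog /var/log/apache2/myth-ssl.log "%t %a %{SSL_CLIENT_S_DN}x %r %>s"
</VirtualHost>
```

Revoking a lost device means reissuing or blacklisting that client cert at your CA (for example via SSLCARevocationFile), which is the maintenance cost the reply above calls cumbersome.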

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org