tags: SSL

Each Tag

SSL

Common tags - number of posts

authentication (2), security (2), Laura (1), registration (1), certificate (1), comment (1), x509 (1), Elwing (1), TrickleUp (1), author (1), wordpress (1), Trac (1)

2 way join

SSL, authentication; SSL, security

●●●●●○○○

Security Musings » Blog Archive » How does SSL work anyway?

tags: Laura, security, SSL

We talk a lot about how SSL is useful, but how exactly does it work? Most systems today use SSL v3/TLS v1 rather than “SSL”, and the nitty gritty details are found in RFC 2246. However, that’s only part of what goes on, and certificate validation and path building (RFC 4158) and X.509 certificates (RFC 5280) are also important. This post is only concerned with the SSL/TLS protocol itself, and when the other RFCs are needed “magic happens.” ...

url: http://securitymusings.com/article/1095/how-does-ssl-work-anyway

type: none, format: none

●●●●●●○○

Securing WordPress 2 Admin Access With SSL | no wow

WordPress 2.0 still does not support HTTPS access to the admin area when the rest of the blog is served via normal HTTP and I still do not like logging in to my server over unencrypted connections, especially not when using public WLANs. Getting around this WordPress limitation requires quite a few steps:

url: http://blog.blackdown.de/2006/01/22/securing-wordpress-2-admin-access-with-ssl/

type: article, format: unknown

●●●●●●○○

x509 with friendly name support

Ticket to add x509 support to Trac.

url: http://trac.edgewall.org/ticket/6982

type: unknown, format: unknown

Minor Author Changes to TrickleUp

I've made some minor changes to TrickleUp. For those of you blinking, it's the software that runs my site. The change is to the author information of posts and it's really just aligning the author aspect of posting for a much larger authentication change later.

Previously the comment forms had 3 fields: name, email, and website -- just like most blogs. Now on those blogs, I have a problem with how easy it is to impersonate someone. I doubt it would happen among my friends, but if TrickleUp ever entered widespread usage, some other people may appreciate that feature.

When someone entered their name, email, and website trio, TrickleUp would create an account in the database, and send a cookie to the user. This is great for new users, but most people posting to my site are returning users.

I realized this form is not the new user registration form, even if it was a form within a form. So the registration form is separate. The comment form always allows an anonymous posting. If you're logged in to my site you may also attribute your comment to yourself.

In terms of code, it's cleaner this way.

With all that cleared up, I can focus on the real work, SSL client authentication. Just think, if we each had an SSL certificate, we wouldn't need numerous passwords.

Client Certificate Verification

So someone around here is too lazy to pick up his/her cookie before leaving a comment on my site. They clear their cookies monthly. I don't want to have just a form where you put your name, email address, and website, because that could allow someone to impersonate another person. And I'd like to avoid forcing readers to have another password. So.

The solution presented itself while discussing the issue with Laura. Take advantage of SSL. Normally when you visit a commercial web site to make a purchase, you verify that you are really talking to that company, because they provide a certificate, and this cert is signed by a well known certificate (like Verisign) and your browser already trusts that cert.

But SSL is a two way authentication system. What I propose is the converse. When a reader wants to leave a comment on my site, they may provide their cert. If it's signed by a well known cert, great; if not then I'll need to verify it (its fingerprint at least) somehow. This is a one time event.

When they come to the site with a cert that I eventually trust, I'll just let them post the comment. There's no need for a password. I may not even need to ask for their username.

I think it's about time my so called "security conscious" friends and I deploy such a system. Hehe, but does their canned blogging software have this ability?

What if my to-be commentators don't have certificates? Well then it's back to tokens over email, passwords, or posting anonymously.
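The "verify its fingerprint once, then trust the cert" flow described in the post, written out as an added Python example. This is not TrickleUp's own code: it assumes the web server has already completed the TLS handshake (including any check against a well-known CA) and hands the application the reader's certificate as PEM text; the function names, the trust-store layout and the sample certificate are constructed for this illustration.

```python
"""Trust-on-first-use client-certificate check for a comment form.

Added illustration, not TrickleUp's own code. The application receives the
client's certificate as PEM text from the TLS layer; readers whose
fingerprint the site owner has verified out of band are let straight
through, everyone else is held as "pending" until that one-time check.
"""
import hashlib
import re
import ssl

# A fingerprint is 32 bytes of SHA-256 rendered as colon-separated hex pairs,
# the form browsers and `openssl x509 -fingerprint -sha256` display.
FINGERPRINT_RE = re.compile(r"^(?:[0-9A-F]{2}:){31}[0-9A-F]{2}$")


def fingerprint(pem_cert: str) -> str:
    """Return the SHA-256 fingerprint of the certificate's DER encoding.

    Hashing the DER bytes rather than the PEM text makes the value
    independent of line wrapping, CRLF/LF endings and surrounding whitespace,
    so the same certificate always maps to the same store entry.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def authorize_comment(pem_cert: str, store: dict) -> tuple:
    """Decide how a comment posted with this client certificate is handled.

    Returns ("trusted", name) when the fingerprint is already in the store,
    otherwise ("pending", fingerprint) so the owner can verify it once.
    """
    fp = fingerprint(pem_cert)
    name = store.get(fp)
    if name is not None:
        return ("trusted", name)
    return ("pending", fp)


def trust(store: dict, fp: str, name: str) -> str:
    """Record a fingerprint after the owner has verified it out of band.

    The value is normalised to upper case and checked for shape before it is
    stored, so a mistyped or truncated fingerprint cannot silently create a
    trust entry that never matches (or matches the wrong thing).
    """
    fp = fp.strip().upper()
    if not FINGERPRINT_RE.match(fp):
        raise ValueError("malformed SHA-256 fingerprint: %r" % fp)
    store[fp] = name
    return fp


# Constructed placeholder certificate: the base64 body decodes to the bytes
# b"abc", not to real X.509 DER. That is enough to exercise the hashing and
# lookup logic; a real deployment feeds in the certificate the TLS layer saw.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
# The same placeholder re-wrapped with CRLF endings and a different line
# split, as a client on another platform might send it.
SAMPLE_CERT_REWRAPPED = (
    "-----BEGIN CERTIFICATE-----\r\nYW\r\nJj\r\n-----END CERTIFICATE-----\r\n"
)


def demo() -> list:
    """Walk the first visit / verification / second visit sequence."""
    store = {}
    steps = []
    steps.append(authorize_comment(SAMPLE_CERT, store))      # pending
    pending_fp = steps[-1][1]
    trust(store, pending_fp, "example-reader")               # owner verified it
    steps.append(authorize_comment(SAMPLE_CERT_REWRAPPED, store))  # trusted
    return steps


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The first call returns the pending fingerprint the owner would confirm with the reader over some other channel (the "somehow" in the post); once `trust()` has recorded it, the re-wrapped copy of the same certificate is recognised without a password or username. If the fingerprint is ever to be shown to readers for comparison, SHA-256 rather than the older SHA-1 or MD5 fingerprints is what to display, since those are what an attacker could attempt to collide.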