On 29 January 2010 01:38, Ori Berger <linux...@orib.net> wrote:
> Amos Shapira wrote:
>>
>> What are you referring to by "server certificates, client certificates,
>> RSA tokens etc"? Are you talking about DNS-SEC or just general web
>> server security practices?
>>
>
> General web server security practices; a server certificate tells the client
> that this server has been trusted by a known certificate authority to serve
> a specific domain. That's not perfect, as hackers have already demonstrated
> being able to get certificates for domains they do not own, and a specific
> certificate signing bug (since patched) allowed certificates for specially
> crafted domain names to pass as certificates for other domains.
>
> It does, however, make life harder for the hacker and works well against
> simple "man-in-the-middle" attacks.
Thanks. I'm aware of all that.

> A client certificate proves to your server that the client possesses a
> certificate, without sending it online. This provides some defense against a
> man-in-the-middle attack or keyboard logging/password sniffing -- but of
> course, not helpful if the client machine was compromised and rooted.

Aware of that too. We'll include client certificates as an authentication
option for our API servers at some stage.

> RSA tokens (I'm sure there are other manufacturers) are small devices,
> usually credit card sized, that display a password that keeps changing every
> minute. Identity is verified by the client having access to the up-to-date
> password at log-in times and when performing sensitive actions.

Also aware, not relevant in our case (we are aiming for self-service).

>> I'm at the "reading the brochure" stage and googling a bit about
>> them, but one of the points I think I got through is that they have
>> their own servers and cooperation with major ISPs in many places
>> around the world in order to reduce the exposure to external DNS
>> vulnerabilities.
>>
>
> That sounds like good practice. Make sure that this is true regarding where
> your clients are located; e.g. they might have wonderful infrastructure in
> the US but not in Australia, or vice versa.

Our clients are global companies whose clients (and attackers) can come from anywhere.

This last bit reminded me of another question; I'll post it on another thread.

Cheers,

--Amos