Hello,
I'm looking for the least-intrusive for a user (as in a web-browser
client user) to access a "secure" server in order to fulfill
these goals:
1) Establish secure communication between web server and web client (so
that a 3rd party can not, among other things, steal login/password and
other sensitive info provided by either the server or client).
2) Enable the server to authenticate clients via login/password and
possibly via client IP num/range.
3) Enabled the server to authenticate clients by a means of a distributed
"key" (possibly with something like managed SSL-client
certificates).
4) Enable the client to authenticate that the server is who it claims to
be (such that a "Trojan Horse" won't steal login/passwords,
etc).
In the documentation I've read thus far, the SSL/Apache community seems
rather fixated on #4. While I suspect this is quite important, it's
*last* on my list. When trying to setup capability for #1, I am
seemingly forced to deal with all the stuff associated with #4 (if I want
to try and hide popup/warning msgs at my user's client browsers,
anyway).
Why? Why not clearly separate the 2 mechanisms? Maybe I
simply misunderstand and do not know how to do so?
I have a few more comments and questions below?
More Details
----------------
I am new to SSL and Apache web-server management, and I've been browsing
various doc sources.
I want a means to securely the communication from my web servers to my
clients (and vice versa) such that a 3rd party can not snoop/steal info
from said communication. A popular means to do this seems to be: 1)
use public/private key SSL-based encryption to provide a secure
communications channel, and 2) use Apache authentication mechanisms (like
htpasswd, IP num/range checks, etc).
I also want to do this in such a way that my users have the
least-intrusive and "comfortable" experience possible.
Read: I don't want to see the "Website Certified by an Unknown
Authority" popup window (that occurs in my Firefox 1.0PR browser); I
just want to connect to my server via my browser and get an instant,
secure, "https:"-based communication, no fuss, no muss.
So, first big question: can I do this without having to get a
formal certification from CA?
http://www.openssl.org/docs/apps/CA.pl.html
suggests that maybe I can. Alas, if not, I'm still wondering why the development community decided to mix up my goal #1 (above) with my goal #4. I see many server managers and client users who care a lot about #1 and very little about #4 (even though possibly they should?).
[An aside: It seems rather difficult to spoof a server. The only way I can think to do it is to put a rouge DNS server out on the net that remaps my server name(s) to an "evil", Trojan-horse-type server that will try suck down the authentication login/passwds for my legitimate server. Also, maybe one can "copy" the IP address and try to use it for their server, although this 2nd method seems less reliable and much more easily discoverable by me. Bottom line: do I legitimately need be concerned about server impersonation? Maybe I simply do not understand what's going on in this realm?]
The means to fulfill goal #2 above seems well documented, thorough, and cleanly implemented.
2nd Q: Even if I do get a CA cert and build in the appropriate keys/configuration on my server, will a client still see these "popup" windows?
I'm curious because I can see that my logins to places such as etrade.com and other things have secured, "https:", connections, but I for the life of me never remember having to "verify" Etrade's server identity via a browser popup window. Do they have some magic that I can easily use on my server(s)?
3rq Q: As for the client-authentication: It seems like SSL-client-key-certification is a good if not "best" route for this for beyond "login/passwd" or "IP-address-based" authentication; in other words an authentication mechanism that's tougher for someone to "steal". (Would any care to add comments?) The most-important part of this Q: I want to develop the "simplest" means for a user to do this (even if I have to do some significant work to set this up). I envision emailing a SSL-cert file "key" and simple browser-file-key-import instructions to each user; even better, it would be nice if I could provide a program that once executed will automatically install the client certificate on the user's computer/browser automatically so that said user can be verified on their next attempt to login to my secure server. Regardless, can anyone provide guides/pointers/recommendations/RTFM poi
nts?<
br>
That's all the questions I can think of for now. Thanks for reading thus far!
-Matt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
