[Nut-upsdev] Client certificates
Stuart D. Gathman
stuart at bmsi.com
Thu Jan 13 20:09:03 UTC 2011
On Wed, 12 Jan 2011, EmilienKia at Eaton.com wrote:
> If you think that login/password is enought to authenticate clients, I can
> remove SSL client authentication parts. It is not a problem.
If an attacker tries to get the password via man-in-the-middle, then
the client connect will fail because the server authentication will fail.
An attacker is prevented from obtaining the password via eaves-dropping
by the SSL encryption.
An attacker can get the password via other means, of course, but
those same means could obtain the client private key as well. (Unless
the other means is reading the password off a sticky note - the private
key wouldn't fit.)
One advantage to client certs is that it avoids weak passwords - but
the client could protect their private key with a weak password.
You could also assign random strong passwords to clients to avoid
weak passwords.
In general, given an authenticated server and secure connection, any security
problems with client password authentication also apply to the private key
needed for client cert authentication.
--
Stuart D. Gathman <stuart at bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
More information about the Nut-upsdev
mailing list