Home page logo

basics logo Security Basics mailing list archives

Re: Authentication question & problem
From: Nick Owen <nickowen () mindspring com>
Date: Fri, 25 Apr 2008 09:23:30 -0400

evilwon12 () yahoo com wrote:
Here is what my developers are wanting to do, and I cannot think of a
secure way to do this.

Have a user (at home) authenticate against our LDAP through a company
portal/site and have that authentication information passed to an
external vendor, allowing the user at home to utilize the application
from home after being authenticated.

So, it's user at site A, authenticating with site B, and the user at
site A using the application (after authentiation) at site C.

Sorry for being long winded, but everything there screams MITM to me.
I am probably missing something easy.
(Apologies if this is duped - originally sent 4.22.08)

Every internet app is susceptible to MITM without some form of strong
mutual authentication.  User issues with certificates are well documented.

Seems to be the best way to do this is to do the mutual authentication
between the user (site a) and the application (site C) which then
proxies the authentication request to your ldap server (Site B) over an
SSL encrypted link.

If you perform the mutual authentication at your site (B), then you
would tunnel the access to the app on C to avoid a MITM there.  You
could probably do some form of federation, but I assuming that would be
too complex.


Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]