>> > I'm sorry, I meant can I lock down access to my web stuff so that a
>> > particular user can only come from a particular device (or from any
>> > device containing a key).
>>
> You can use Apache client authentication with SSL certificates only. Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser. This
> explains the principle:
>
> http://wiki.cacert.org/HELP/9
>
>
> Ditto with the VPN connection - should you still want to use VPN.


Let me see if I'm following. I could create a certificate and point
the browser to it in config and configure my web server to require the
certificate for HTTP basic authentication? Can I require a
username/password along with the certificate? Can I require the
certificate only for certain users?

> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.
>
> However, this won't do away with XSS, or other similar attack vectors if the
> users are not careful with their browsing habits.


Can you give me an example?


> This won't resolve problems with lost laptops and the like either, so previous
> suggestions for disk encryption, or chromebooks apply, if this is a
> considerable risk with your users.


No sensitive data on the client systems. They're actually auto-wiped daily.

- Grant
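As an added illustration (not part of the thread above, and not anyone's production config), the following Apache 2.4 mod_ssl virtual host shows the setup the reply describes and answers Grant's three questions: a location that needs only a client certificate, one that needs certificate plus username/password, and one where the certificate is demanded only for named accounts. The hostname, file paths, user names and `htpasswd` file are placeholders; the private CA, server key pair and client certificates are assumed to have been issued as the reply describes, and the CRL is assumed to be produced with `openssl ca -gencrl`.

```apache
# Added example, not from the thread. All paths, hostnames and user names are
# placeholders; the private CA, server cert and client certs are assumed to
# exist already, issued as described in the reply above.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    # Server key pair, issued by the same private CA that signs client certs.
    SSLCertificateFile      /etc/ssl/private-ca/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private-ca/www.example.com.key

    # Only client certificates that chain to our own CA are accepted.
    SSLCACertificateFile    /etc/ssl/private-ca/ca.crt
    SSLVerifyDepth          1

    # Revocation. Publish the CRL produced on the CA machine with
    #   openssl ca -config ca.cnf -gencrl -out ca.crl
    # then reload Apache. Note: in 2.4 the CRL is ignored unless
    # SSLCARevocationCheck is set; "chain" checks the whole chain.
    SSLCARevocationFile     /etc/ssl/private-ca/ca.crl
    SSLCARevocationCheck    chain

    # Ask for a certificate on the initial handshake but do not drop
    # connections without one; the per-location rules below decide who
    # must present one. Keeping this at the vhost level avoids a TLS
    # renegotiation when a protected location is hit.
    SSLVerifyClient         optional
    SSLOptions              +StdEnvVars

    # Q1: a valid client certificate is required, nothing else.
    <Location "/internal/">
        Require ssl-verify-client
    </Location>

    # Q2: certificate AND HTTP basic username/password, both mandatory,
    # and the certificate's CN must match the account that logs in so one
    # user cannot borrow another user's device.
    <Location "/admin/">
        AuthType     Basic
        AuthName     "Admin"
        AuthUserFile /etc/apache2/htpasswd
        <RequireAll>
            Require valid-user
            Require ssl-verify-client
            Require expr %{SSL_CLIENT_S_DN_CN} == %{REMOTE_USER}
        </RequireAll>
    </Location>

    # Q3: password for everyone; the certificate is demanded only for the
    # listed accounts (alice, bob), everyone else gets in with a password.
    <Location "/app/">
        AuthType     Basic
        AuthName     "App"
        AuthUserFile /etc/apache2/htpasswd
        <RequireAll>
            Require valid-user
            Require expr %{REMOTE_USER} !~ /^(alice|bob)$/ || %{SSL_CLIENT_VERIFY} == 'SUCCESS'
        </RequireAll>
    </Location>
</VirtualHost>
```

Two things a practitioner would check after deploying this: that `SSL_CLIENT_VERIFY` really reads `SUCCESS` for a certificate-bearing request (e.g. by temporarily exposing the variable through a CGI or by enabling `LogLevel ssl:info`), and that a certificate listed in the CRL is rejected after the reload, since a CRL that is present but not enforced (`SSLCARevocationCheck` unset) silently accepts revoked certificates.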