Enabling Secure Business Operations

Client SSL Authentication for Microsoft IIS 6.0 Part 1: Obtaining and installing a server certificate

October 14th, 2008

Data confidentiality and user authentication are often important design requirements when implementing web applications, particularly within a corporate Intranet.  If a PKI is in place within an organization, these two goals can be achieved by enabling the web server to use SSL with client certificate authentication.  The SSL encryption layer protects data in transit, while the client certificate authentication component requires users to present proof of identity before allowing access.

Before client certificate authentication can be required, the web server must have an SSL server certificate of its own.  The certificate may be issued by any certification authority your users already trust, whether an internal issuer or a public issuer such as VeriSign.  Begin by creating the certificate request using the following steps:

  • Start the Internet Services Manager by selecting Start -> Administrative Tools -> Internet Services Manager.  (Note: in various versions of Windows, this shortcut may contain a slightly different path in the start menu)
  • Right-click the web site node in the IIS manager, and open the Properties dialog.  Select the Directory Security tab
  • Click the Server Certificate… button to open the Web Server Certificate Wizard
  • The Welcome to the Web Server Certificate Wizard screen will appear.   Click Next
  • The Server Certificate screen will appear.  Select the Create a new certificate option and click Next
  • The Delayed or Immediate Request screen will appear.  Select the Prepare the request now, but send it later option and click Next
  • The next few pages will ask for some information about the certificate, such as a nickname, key size, and the name of your organization.   Fill this information out in the wizard, choosing a key length of at least 2048 bits.
  • When prompted for the Common Name of the certificate, ensure that you enter the fully qualified domain name of the site.   If your certificate is for https://www.myapplication.com/, then you must enter www.myapplication.com as the common name.  Otherwise, visitors to your site will be shown errors in the browser because the site’s address does not match the common name in the certificate.
  • Once all of the certificate request information is obtained, you will be prompted to save the request to a specific location.  This request file contains only the public key and the subject information – the private key is generated on the server, stored in the machine certificate store (CAPI), and never needs to leave the server.

The next step in enabling SSL is submitting the certificate signing request (CSR) to a Certification Authority (CA) so you can obtain a web server certificate.  As stated previously, you may obtain a server certificate from your organization’s own CA, or from a public CA such as VeriSign.  For publicly accessible, internet-facing sites, a certificate from a public certification authority is preferable, as visitors will need no additional configuration to trust it; a certificate from an internal CA is only trusted by clients that have that CA’s root certificate installed.

Once the certification authority issues the certificate, it must be installed in IIS using the following steps:

  • Start the Internet Services Manager by selecting Start -> Administrative Tools -> Internet Services Manager.  (Note: in various versions of Windows, this shortcut may contain a slightly different path in the Start menu.)
  • Right-click the web site node in the IIS manager, and open the Properties dialog.  Select the Directory Security tab
  • Click the Server Certificate… button to open the Web Server Certificate Wizard
  • The Welcome to the Web Server Certificate Wizard screen will appear.   Click Next
  • The Server Certificate screen will appear. Select the Process the pending request and install the certificate option and click Next
  • Select the file location where you have saved the certificate, and click through the rest of the wizard to complete the certificate installation

Now that the certificate is installed, there is one final step required to enable SSL: IIS must be configured to require secure connections.

  • Start the Internet Services Manager by selecting Start -> Administrative Tools -> Internet Services Manager.
  • Right-click the web site node in the IIS manager, and open the Properties dialog.  Select the Directory Security tab
  • Click the Edit button in the Secure Communications section of the property page
  • Check the Require Secure Channel and Require 128 bit Encryption check boxes, and click OK.

Your web site is now set up to require secure SSL communication.  When testing, don’t forget to use the https prefix instead of http!
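The same three steps scripted end to end, as an added example that is not part of the original post: certreq.exe creates the request and installs the issued certificate, the IIS 6.0 WMI provider binds the certificate to the site, and adsutil.vbs sets the access flags that the Secure Communications dialog writes.  The site ID, host name, CA name and paths below are assumptions; substitute your own.  It needs an elevated PowerShell 2.0 prompt on the Windows Server 2003 web server.

```powershell
# Added example, not code from the original post: scripted equivalent of the
# Web Server Certificate Wizard and the Secure Communications dialog on IIS 6.0.
# Assumptions: site ID 1 (Default Web Site), FQDN www.myapplication.com, an
# enterprise CA reachable as 'ca.corp.example\Corp-Issuing-CA', work dir C:\certs.
$fqdn     = 'www.myapplication.com'
$siteId   = 1
$caConfig = 'ca.corp.example\Corp-Issuing-CA'   # assumed CA config string: host\CA name
$workDir  = 'C:\certs'
$adsutil  = "$env:SystemDrive\Inetpub\AdminScripts\adsutil.vbs"

# Step 1: create the request. The key pair is generated in the machine store (CAPI)
# and marked non-exportable; only the PKCS#10 request in the .req file leaves the
# server. The Subject CN must be the exact host name visitors type, or browsers
# report a name mismatch.
@"
[NewRequest]
Subject = "CN=$fqdn, O=My Organization, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path "$workDir\$fqdn.inf" -Encoding ASCII

& certreq.exe -new "$workDir\$fqdn.inf" "$workDir\$fqdn.req"

# Step 2: submit the CSR and install the issued certificate against the pending
# request. With a public CA, send the .req file out of band instead and run only
# the -accept line once the .cer comes back.
& certreq.exe -submit -config $caConfig "$workDir\$fqdn.req" "$workDir\$fqdn.cer"
& certreq.exe -accept "$workDir\$fqdn.cer"

# Bind the installed certificate to the site (what the wizard's "Process the
# pending request" page does) and open the https binding on port 443.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fqdn,*" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$fqdn" }

$site = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServerSetting `
                      -Filter "Name='W3SVC/$siteId'"
$site.SSLCertHash  = [byte[]]$cert.GetCertHash()
$site.SSLStoreName = 'MY'
[void]$site.Put()
& cscript.exe //nologo $adsutil SET "W3SVC/$siteId/SecureBindings" ':443:'

# Step 3: Require Secure Channel + Require 128-bit Encryption. AccessSSLFlags is a
# bit mask on the site root:
#   8 = AccessSSL, 256 = AccessSSL128 (set here: 264)
#   32 = AccessSSLNegotiateCert, 64 = AccessSSLRequireCert (client certs, Part 2)
& cscript.exe //nologo $adsutil SET "W3SVC/$siteId/ROOT/AccessSSLFlags" 264

# Check: plain http:// must now be refused. IIS 6 answers 403 (sub-status 403.4,
# "SSL required"); anything served over http means the flag did not take effect.
try {
    [void][System.Net.WebRequest]::Create("http://$fqdn/").GetResponse()
    Write-Warning 'Plain HTTP was served; Require Secure Channel is not in effect'
} catch [System.Net.WebException] {
    $status = [int]$_.Exception.Response.StatusCode
    Write-Host "http://$fqdn/ refused with HTTP $status (expected 403)"
}
```

certreq -submit only returns a certificate when the CA issues it immediately; a CA that holds requests for an administrator’s approval prints a request ID instead, and you fetch the .cer later with `certreq -retrieve -config <CA> <id> <file>` before running the -accept step.  Issuing against the WebServer template assumes an enterprise CA; a standalone CA ignores the template attribute.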

In the next part of this series, we will discuss setting up mutual authentication for client connections and obtaining information from client certificates in ASP.NET.


Clickjacking and how you can prevent it

October 10th, 2008

The new “bad” is clickjacking, where an attacker places a decoy page underneath a transparent, framed copy of a legitimate one, so that when you think you’re clicking on one thing, you’re actually clicking on another. We actually use this technique to make it easy to use our phpasndump tool (the Browse button is over top of the entry field, so that when you click on it, you’re really clicking on the entry field).

There are multiple vectors of attack, including iframes, JavaScript, and Flash. However, they all do the same thing: route a click you intended for the visible page to a hidden element you never meant to touch. The article linked above talks about all of the different types and whether there is a patch available. However, the best defense is one that security people have been harping on for a very long time – disable JavaScript, disable Java, and disable plugins (Flash, Silverlight, etc.). That still leaves one vector open: iframes, which need no script at all to overlay a page. Firefox’s NoScript extension can disable those for you (as well as selectively run JavaScript). This can cause problems for “normal” browsing, however, as most of the web is highly dependent on JavaScript and Flash. You’ll have to play with the settings and determine your best mix of usable vs. “safe”.


Quantum Cryptography Takes Baby Steps, Not Unbreakable

October 9th, 2008

You may have been reading about the latest advancements in quantum cryptography over the past week. Claims that the technology is unbreakable are unfounded, however, if only for these theoretical reasons.

  • Quantum Cryptography Will Be Broken With Quantum Technology - Current computing technology uses methodical means to encrypt and decrypt data. Quantum physics doesn’t work sequentially or even follow the laws of classical physics.
    • The first quantum hack will be done with quantum technology.
  • The Human Factor - I always like to think about the “gun to head” method of cracking security. Put a gun to the right person’s head and they’ll tell you whatever you want. Quantum cryptography can be cracked by blackmailing, intimidating, and threatening the right people.
    • Not to mention that people lie, cheat, and steal for money or other personal gains. No technology in the world is immune from people.
  • Maybe God Isn’t Playing Dice - Einstein never believed that quantum physics was random, famously saying, “God doesn’t play dice with the universe”. I agree with him; consider that it’s just that we don’t completely understand what’s happening to entangled particles – making them seem “magic”.
    • The entire physical universe works according to a set of very well defined laws and rules. That quantum physics should be an exception is unlikely.
    • If that is the case, quantum cryptography could be unraveled by a brilliant physicist one day.

All of the above is purely theoretical, but you should always be wary of “completely secure”, “unbreakable”, and “perfect security” – because it doesn’t exist. There are other theoretical ways to possibly disrupt or eavesdrop on a quantum message – but again they’re purely theoretical.

Well, so is practical quantum cryptography.


Time to Re-Think CAPTCHA?

October 3rd, 2008

This week, reports have surfaced that spammer activity is increasing on Microsoft and Google sites that employ CAPTCHA. CAPTCHA is a method for distinguishing between human users and programs used to automatically enter information. Those who would like to create large numbers of e-mail accounts or efficiently add spam content to blog comments or message boards are constantly scheming new methods for circumventing CAPTCHAs. Meanwhile, web site administrators continue to invent creative techniques for detecting computers masquerading as humans.

As the battle continues, though, it’s humans who are having more trouble reading CAPTCHAs. Speaking for myself, I find that many CAPTCHA challenges are not very easy to decipher. If it is case-sensitive, for example, there are many capital letters that can be mistaken for lower-case if distorted the right way, and there is no feedback that allows me to correct myself if I can’t read it.

Now, I’m not saying that I have ever been completely fooled by a CAPTCHA to the point that I wasn’t able to create an account or post a comment. Humans will eventually get through, but if users find them difficult, and they no longer effectively prevent spamming, maybe more thought needs to be applied to the problem. Here are some suggestions I have found for methods to weed out spamming programs.


The TamperData Firefox extension

October 2nd, 2008

The TamperData Firefox Extension is a tool for tracking and modifying HTTP/HTTPS requests made by your browser.  You can use it to view and modify HTTP/HTTPS headers and POST parameters, which can be used to test the security and operation of websites.  Installation is easy.  Go to this link in Firefox, and click the Add to Firefox button.

TamperData lets you intercept requests before they are sent to web servers, so that you can modify cookies, referrers, or user-agent headers as necessary before sending them on.  You can even modify the web server’s response before it is seen by the browser.  It is a great tool for testing and experimenting with web application security.  Click on the sample screenshot on the right to see an example of use.

Each Thursday, Security Musings features a security-related technology or tool.  Featured items do not imply a recommendation by Gemini Security Solutions.  For more information about how Gemini Security Solutions can help you solve your security issues, contact us!
