Forum Moderators: phranque
Everything seem to run okay, but I would like to know if there are things I should be aware of, gotchas etc regarding the security of this scheme.
My objective is to restrict access to selected PCs, with additional password authentication and IP check at the server.
As this particular web site will not be available to the general public, I think that self-signed certificates should be good enough.
To avoid warnings, I just install the CA cert on the browsers accessing the server, plus the client side certs. The client side certs will be issued with a 'lifetime' of 2-4 weeks maximum, and in addition there will be password authentication.
Is this good enough? I am concerned that someone will steal/export the certs from the browser, install it elsewhere (e.g. a net cafe), and happily circumvent my 'security scheme'.
Comments appreciated!
I think I got the terms wrong. WHen I write 'client side' certificates, I mean *client certificates* (which reside client side of course)
That could be defeated, as well, but it would take your client being on the phone with the duplicate user when they log in.
I've also been considering VPN, SSH. But these rely on certs as well for secure setups. And as everything is web based, SSL seem to be the right choice.
