When asked to look into having authentication for my company’s website, I ended up using htaccess and htpasswd. Now I’m being asked to look for a more secure solution. One scenario I was advised to look out for was sniffing. I looked around and found HTTPS seems to be the solution I’m looking for.
If the authentication is only going to be accessed by our employees and will allow them access to a database. The activity on this database should be very light. I’m under the impression no more than say… 5 queries per session, and the data retrieved would be lightweight too.
From what I’ve read, seems like HTTPS is what I should be betting on here. My knowledge in authentication and encryption is next to nil, so I’m wondering if there are any other options to go about secure authentication for our site.
HTTPS primarily provides:
The latter is an important measure against man-in-the-middle and impersonation attacks. Think of somebody pretending to be the server and fooling the client in submitting sensitive data like passwords.
Note that – in order to work – the server must have an SSL certificate signed by a CA recognized by the client browser. That can either be an SSL certificate obtained by a commerical CA like Verisign or a custom SSL certificate all your users must import into the certificate storage.
Bottom line, HTTPS protects you from spoofing attacks, but only if the certificates are set up correctly. Still, be sure to disable plain HTTP, otherwise an attacker may try a downgrade attack.
With HTTPS in place, you can use any of several method to authenticate the client to the server, including whatever you are using now (I guess HTTP Basic or Digest). Other options include Kerberos, the old NTLM, RADIUS, or client-side SSL certificates.