> > I'm sorry, I meant can I lock down access to my web stuff so that a
> > particular user can only come from a particular device (or from any
> > device containing a key).
>
> You can use apache client authentication with SSL certificates only. Of
> course you will need to create a self-signed CA, which you will use to create
> the web server public/private key pair and also sign each client's certificate
> and upload it along with your CA certificate to the user's browser. This
> explains the principle:
>
> http://wiki.cacert.org/HELP/9
>
> Ditto with the VPN connection - should you still want to use VPN.
Let me see if I'm following. I could create a certificate and point the
browser to it in config and configure my web server to require the
certificate for HTTP basic authentication? Can I require a username/password
along with the certificate? Can I require the certificate only for certain
users?

> If a user certificate is lost or feared compromised, you revoke it with your
> CA and upload the CRL to the server.
>
> However, this won't do away with XSS, or other similar attack vectors if the
> users are not careful with their browsing habits.

Can you give me an example?

> This won't resolve problems with lost laptops and the like either, so previous
> suggestions for disk encryption, or Chromebooks apply, if this is a
> considerable risk with your users.

No sensitive data on the client systems. They're actually auto-wiped daily.

- Grant
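The CA / client-certificate / CRL workflow the quoted reply describes, as an added worked example (this is not code from the thread or from the cacert wiki page). It assumes only that the openssl command-line tool is installed; the CA name "Example Internal CA", the server name "www", the hostname www.example.internal, the user "alice" and the PKCS#12 password are all made up for the demonstration. The CA is driven through 'openssl ca' with its own little database so that revocation and CRL generation actually work, and the mod_ssl directives printed at the end are the Apache 2.4 ones the server side needs.

```shell
#!/bin/sh
# Added example, not from the thread: throwaway mini-CA for Apache client
# certificate authentication.  Builds a self-signed CA, signs a server and a
# user certificate, bundles the user's for the browser, revokes it, publishes a CRL.
set -eu
PKI="${PKI:-$(mktemp -d)}"    # holds the CA database, keys and certificates

pki_init() {                  # CA database files + minimal openssl.cnf for 'openssl ca'
    mkdir -p "$PKI/newcerts"
    : > "$PKI/index.txt"      # one line per issued cert (V = valid, R = revoked)
    echo 01 > "$PKI/serial"; echo 01 > "$PKI/crlnumber"
    cat > "$PKI/openssl.cnf" <<EOF
[ ca ]
default_ca = mini_ca
[ mini_ca ]
new_certs_dir = $PKI/newcerts
database = $PKI/index.txt
serial = $PKI/serial
crlnumber = $PKI/crlnumber
certificate = $PKI/ca.crt
private_key = $PKI/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:false
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.internal
[ v3_client ]
basicConstraints = CA:false
extendedKeyUsage = clientAuth
EOF
}

# Self-signed CA certificate: imported into every browser and into Apache.
# (-nodes leaves ca.key unencrypted; keep the real one off the web server.)
make_ca() {
    openssl req -config "$PKI/openssl.cnf" -x509 -new -newkey rsa:2048 -nodes \
        -days 3650 -subj "/CN=Example Internal CA" -extensions v3_ca \
        -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}
# Issue a CA-signed certificate.  $1 = CN and file name, $2 = server | client
issue_cert() {
    openssl req -config "$PKI/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
    openssl ca -config "$PKI/openssl.cnf" -batch -notext -extensions "v3_$2" \
        -in "$PKI/$1.csr" -out "$PKI/$1.crt" 2>/dev/null
}
# PKCS#12 bundle (user cert + key + CA cert) for the browser's certificate store.
bundle_for_browser() {
    openssl pkcs12 -export -in "$PKI/$1.crt" -inkey "$PKI/$1.key" \
        -certfile "$PKI/ca.crt" -name "$1" -passout pass:changeit -out "$PKI/$1.p12"
}
# The check mod_ssl makes for SSLVerifyClient require (+ SSLCARevocationFile):
# chains to our CA and, once a CRL exists, is not listed in it.  Returns 0 if accepted.
verify_client() {
    bundle="$PKI/ca.crt"; opts=""
    if [ -s "$PKI/ca.crl" ]; then
        cat "$PKI/ca.crt" "$PKI/ca.crl" > "$PKI/trust.pem"; bundle="$PKI/trust.pem"; opts="-crl_check"
    fi
    openssl verify $opts -CAfile "$bundle" "$PKI/$1.crt" 2>&1 | grep -q ': OK$'
}
# Lost or compromised: mark revoked, regenerate the CRL, copy it to the server, reload Apache.
revoke_client() {
    openssl ca -config "$PKI/openssl.cnf" -revoke "$PKI/$1.crt" 2>/dev/null
    openssl ca -config "$PKI/openssl.cnf" -gencrl -out "$PKI/ca.crl" 2>/dev/null
}
# mod_ssl (Apache 2.4) directives for the HTTPS virtual host.  SSLVerifyClient is
# also allowed in <Location>/<Directory>, so a certificate can be demanded for some
# paths only, alongside the usual AuthType Basic / Require directives.
apache_conf() {
    cat <<EOF
SSLEngine on
SSLCertificateFile    $PKI/www.crt
SSLCertificateKeyFile $PKI/www.key
SSLCACertificateFile  $PKI/ca.crt
SSLCARevocationFile   $PKI/ca.crl
SSLCARevocationCheck  leaf
SSLVerifyClient       require
SSLVerifyDepth        1
EOF
}

demo() {
    pki_init; make_ca
    issue_cert www server; issue_cert alice client; bundle_for_browser alice
    verify_client alice && echo "alice: accepted"
    revoke_client alice
    verify_client alice || echo "alice: rejected (revoked)"
    apache_conf > "$PKI/ssl-client-auth.conf"; echo "artifacts in $PKI"
}
demo
```

Run it with sh and everything lands in a fresh temporary directory (or whatever PKI is set to). Two points worth noticing in practice: mod_ssl reads SSLCARevocationFile at startup, so a freshly uploaded CRL needs an Apache reload before a revoked certificate is actually refused, and the CRL has a nextUpdate (30 days here) after which verification fails for everyone, so regenerating it must be a scheduled job even when nothing has been revoked.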