On Sun, 10 Oct 1999, Spidaman The Defenestrator wrote:
>
[...snip...]
>
> But I digress. Go ahead, use cookies and mangle them into auth headers
> but make sure they aren't persistent cookies. And don't use this level of
> security for banking or commerce; those get mangled URL paths. In a self
> contained intranet world, using client certificates and mod_ssl sounds
> like a good proposition.
[1] Client Certs
Under certain circumstances, SSL and client certs for authentication for
an Intranet is not necessarily that great.
[A] Users do roam (a pain to support cert loading)
[B] In a global organization, proxy infrastructure plays a part... SSL is
impossible to proxy, and when it is, you can't proxy client certs.
[C] SSL adds unnecessary overhead to the web server especially a heavily
used Intranet one potentially.
Client Certs are not necessarily more secure than username/passwords
and/or SecurID over a normal SSL connection. It depends on the environment
in which the client cert is kept under control.
[2] Mangled URL Paths
Isn't it possible to browse the history on the hard drive... so is this
really more secure than non-persistent cookies?
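An added example, not part of this thread or anyone's posted code, illustrating the two points argued above: what makes a cookie "non-persistent" (no Expires/Max-Age, so the browser keeps it in memory only) versus a session token carried in a "mangled" URL path or query, which gets written wherever URLs are recorded (browser history on disk, proxy and server access logs, Referer headers). The parameter names treated as session carriers, the `;sid=` path form, and the combined-format log lines are constructed assumptions for the example.

```python
"""Non-persistent session cookie vs. session token in the URL (added example)."""
import re
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as session carriers (assumption for this example).
SESSION_PARAM_NAMES = {"sessionid", "sid", "session", "token"}


def build_session_cookie(name="SESSIONID", token=None, persistent_days=None):
    """Return (token, Set-Cookie value).

    With persistent_days=None no Expires/Max-Age attribute is emitted, so the
    cookie lives only in browser memory and is gone when the browser closes.
    """
    token = token or secrets.token_urlsafe(32)
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True   # not readable by page scripts
    jar[name]["secure"] = True     # only sent over SSL/TLS
    if persistent_days is not None:
        # This attribute is what turns it into a persistent (on-disk) cookie.
        jar[name]["max-age"] = persistent_days * 86400
    return token, jar[name].OutputString()


def is_persistent(set_cookie_value):
    """A cookie is persistent if the server gave it a lifetime."""
    low = set_cookie_value.lower()
    return "max-age=" in low or "expires=" in low


def tokens_in_url(url):
    """Return {param: value} for session-like tokens carried in the query or path."""
    parts = urlsplit(url)
    found = {k: v[0] for k, v in parse_qs(parts.query).items()
             if k.lower() in SESSION_PARAM_NAMES}
    # "Mangled" path form, e.g. /app;sid=abc123/page (assumed layout).
    m = re.search(r"[;/](sessionid|sid)=([\w\-]+)", parts.path, re.IGNORECASE)
    if m:
        found[m.group(1)] = m.group(2)
    return found


# Combined log format: request line, status, size, then the Referer in quotes.
LOG_LINE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<url>\S+) HTTP/[\d.]+" \d{3} \d+ "(?P<referer>[^"]*)"'
)


def find_leaked_tokens(log_lines):
    """Scan access log lines; return (line_no, where, token) for every token
    that the web server or proxy has recorded on disk."""
    leaks = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        for where in ("url", "referer"):
            for tok in tokens_in_url(m.group(where)).values():
                leaks.append((n, where, tok))
    return leaks


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/1999:12:00:01 +0000] "GET /intranet/home HTTP/1.0" 200 512 "-"',
    '10.0.0.5 - - [10/Oct/1999:12:00:02 +0000] "GET /intranet/report?sessionid=abc123def HTTP/1.0" 200 2048 "-"',
    '10.0.0.5 - - [10/Oct/1999:12:00:03 +0000] "GET /intranet/help HTTP/1.0" 200 300 "http://intranet/report?sessionid=abc123def"',
    '10.0.0.9 - - [10/Oct/1999:12:00:04 +0000] "GET /app;sid=zz99/page HTTP/1.0" 200 100 "-"',
]

if __name__ == "__main__":
    _, hdr = build_session_cookie()
    print("Set-Cookie:", hdr, "| persistent:", is_persistent(hdr))
    _, hdr2 = build_session_cookie(persistent_days=30)
    print("Set-Cookie:", hdr2, "| persistent:", is_persistent(hdr2))
    for line_no, where, tok in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {line_no}: session token {tok!r} recorded in {where}")
```

Running it shows the in-memory cookie header carries no lifetime attribute, while the URL-based token appears three times in the sample log: once in the request line, once in a Referer sent to another page, and once in the path form. That is the same record a browser's history file keeps, which is the point raised under [2].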