
HTTPS Client authentication vs. HTTP basic/form-based

 
Hitry Mitry
Hello again,

The security requirement in the use case description states that all communication with the customer must be over SSL. When an HTTPS connection is established, an HTTPS authentication mechanism is launched. To be honest, I don't know much about HTTPS authentication, but if so, does that mean the Customer will always be forced to authenticate straight from the start? That is, if we choose to use HTTPS for all communications, can't we take advantage of the Web container's lazy authentication policy, because HTTPS authentication would kick in as soon as we try to set up an HTTPS connection?

Thank you.
 
Jeremy Hsu
I think you misunderstood authentication and SSL.

SSL is just for encrypting the TCP/IP data sent.

To give you an example: if you do not establish SSL and, say, the website asks you for an id and password, those are sent to the server with no encryption. Therefore, anyone who is packet sniffing can get hold of them. That is why, when you do online credit card submission, you need to make sure that 128-bit key strength SSL is there.
 
Vinay Singh
It essentially means that we need not put anything extra in the design; just state in the assumptions that the data would be transmitted over HTTPS.
[ August 26, 2005: Message edited by: Vinays Singh ]
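Added here as a worked illustration of the thread's conclusion; this is an editor's example, not code from any poster. It is a hypothetical Servlet 2.4 web.xml fragment (URL patterns, role name and login pages are invented) showing that the transport requirement and the authentication requirement are two independent constraints: the first forces every URL onto HTTPS without triggering a login, and the second makes the container challenge the user lazily, only when a protected URL is first requested. The comment on the login-config also records the one case where TLS itself authenticates the client, the CLIENT-CERT method, which is what the title's "HTTPS client authentication" refers to.

```xml
<!-- Hypothetical web.xml fragment (Servlet 2.4). Names and paths are invented. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- 1. Transport guarantee: every URL must be served over HTTPS.
       There is deliberately no <auth-constraint> here, so this constraint
       never prompts for credentials; the container simply redirects
       http:// requests to https:// before anything else happens. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>entire-site</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- 2. Authentication: only these URLs require a logged-in user with the
       "customer" role. The container authenticates lazily: browsing the
       catalogue over HTTPS costs nothing, the login challenge appears on
       the first request into /account/* or /checkout/*. Both constraints
       apply to such a request, so it must be over TLS AND authenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>customer-area</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <url-pattern>/checkout/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- 3. How the challenge is performed. With FORM (or BASIC) the password
       travels inside the already-encrypted TLS channel but is not part of
       the TLS handshake, so using HTTPS everywhere does not force a login.
       Only <auth-method>CLIENT-CERT</auth-method> makes the TLS handshake
       itself authenticate the client, with an X.509 certificate; that is
       the case the original question was worried about. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>customer-realm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>customer</role-name>
  </security-role>
</web-app>
```

Two practical notes on this layout: because the login page falls under the `/*` CONFIDENTIAL constraint, the form POST to `j_security_check` is always sent over TLS, which is the packet-sniffing concern raised above; and a request that arrives over plain http:// is redirected to HTTPS first and only then checked against the auth-constraint, so the redirect never leaks credentials that have not yet been entered.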
 