|
Posted by Gordon Burditt on 11/21/05 22:59
>Researching methodolgies where I open up an web site to different companies
Companies do not operate browsers, users do.
>without having to manage the user ID and password for every person in every
>company.
>
>Thoughts include:
>1--create a different certificate (like SSL or Apache generated cert) for
>each new company then log them in based on that. Refuse all users except
>those that have a cert.
This causes a massive effort to distribute the cert within each
company to each user. I hope you've got instructions for a large
number of browers on how to install and use a user cert. Most of
them have not done this before.
>2--somehow integrate with company network login system
This means that a dictionary attack against your site can get
them into the company network also. Also, you'd have access
to lots of working company passwords. This will likely not be
looked on favorably by the company. But perhaps they already
have a RADIUS server that they'd let you use.
>3--check users' referrer domain to verify company - easily spoofed?
A user typing in the address of your site manually will not *HAVE*
a referrer. There is a large difference between "a user who is an
employee of a specific company" and "a user who visits the web site
of a specific company and clicks on a link to your site". Referrer
is easily spoofed, and *WORSE* it locks out people who legitimately
should be able to access the site, because of (a) security filters
that delete referrer, which the user may not know how to turn off,
or (b) manually navigate to the site.
>Other ideas?
Is it feasable to determine company by IP netblock (which the company
would have to give you)? This may lock out work-from-home users.
Gordon L. Burditt
[Back to original message]
|