Security vs. Compatibility – Fight!

How do you secure a web page for private use? Easy, if you ask me: use client certificates and a secure connection over TLS, preferably with a signed certificate.

So far so great, the website is pretty secure now, as only someone with the right certificate can visit it. But what about compatibility with client programs? Well – fuck!

Turns out, most endpoint clients don’t really support additional authentication mechanisms. In a best case scenario, one login with a strong password should be sufficient to secure something. However, I like to add additional layers of security to prevent possible flaws in the web application from ruining my day.

Here are some additional layers we could use to increase security.

  • HTTP Proxy – Add additional authentication by running the webapp behind a web proxy.
  • Client Certificates – The secure connection to the server requires the client to provide a valid certificate before browsing the site.
  • Basic Auth – Webservers often offer a basic authentication mechanism, requiring a valid login to connect to the requested site.
  • VPN – Run the web application inside a private network, forcing users to be connected to the network either physically or virtually.

The first three share the same problem: not all client software supports these authentication mechanisms. If any is supported at all it would be the proxy, but even that’s not available everywhere. Plus, you’d need to set a rule in your browser to only use the proxy for that single domain, otherwise you’re browsing everywhere via proxy, which can have a pretty hefty impact on your browsing performance.

Client certificates and basic auth are easy to set up and also pretty secure, provided that the underlying connection is not flawed. However, they enjoy even less support in client software outside of common browsers, which can put you in the situation of having to choose between the client or the security layer.
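For reference, this is what stacking two of the layers above looks like in practice. It is an added example, not configuration from the original post: an nginx virtual host that requires a client certificate issued by a private CA and then additionally asks for HTTP Basic Auth before proxying to the web application. The hostname, certificate paths, htpasswd file and the upstream port are assumed placeholders.

```nginx
# Added example (not from the original post): nginx vhost combining
# TLS client-certificate verification and HTTP Basic Auth in front of
# a web app. All paths, the hostname and the upstream port are assumed.
server {
    listen 443 ssl;
    server_name private.example.com;

    # Server certificate and key (ideally CA-signed, as the post prefers)
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Layer 1: the client must present a certificate issued by this private CA.
    # Without one the TLS handshake is rejected before any HTTP request
    # reaches the application.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # Layer 2: HTTP Basic Auth on top of the client certificate.
    # Create the user file with: htpasswd -c /etc/nginx/htpasswd alice
    auth_basic           "Private";
    auth_basic_user_file /etc/nginx/htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        # Pass the verified certificate subject to the app so access logs
        # can record which certificate holder connected.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}

# Redirect plain HTTP so nothing is ever served unencrypted.
server {
    listen 80;
    server_name private.example.com;
    return 301 https://$host$request_uri;
}
```

This is exactly the combination the post describes as easy to set up: common browsers handle both prompts, while a client program that cannot present a certificate never gets past the handshake (nginx answers with a 400 "No required SSL certificate was sent"), which is the compatibility wall the next paragraphs are about.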

“You could always use SSH and open a tunnel between the web application and the client!” – that’s a dirty hack! We’re not going to talk about that! It works, yes. But I don’t see it as a good, permanent solution.

It seems to me that VPN is the clear winner here. It’s independent of client software and can be run in split-tunnel mode. This is pretty much all theory though, spun together in that head of mine. I would like to know if any of my potential readers have thoughts (or dare I even say opinions) on this, especially the use of VPN as an alternative to the other solutions.

Tweet to @HashtagsSecurity or use the comment system below.