Posts tagged ‘Authentication’

July 15, 2011

Try a VeriSign SSL Certificate gratis

Network and data security has really been on my mind lately!

I visited the Symantec and VeriSign websites the other day. I’m not sure if this is a true “limited time special offer” or an ongoing promotional deal that I never noticed until now. Two sorts of SSL (Secure Sockets Layer encryption) certificates are available from VeriSign.

Secure Socket Layer protection

30-day SSL test-drive

One is the standard type that is desirable for websites that are accepting payment data or collecting other sensitive personal information from users. VeriSign refers to this as a Production Certificate. It includes use of the distinctive VeriSign Trust Seal, for use on SSL websites.

The other type is an SSL Test Certificate. Applications developers who want to confirm that SSL encryption is functional in a test (pre-production ONLY) environment should select this. It doesn’t include display of the Trust Seal, because it isn’t intended for use with applications on the public web. Both are available for free, for a 30-day trial period.

Try a VeriSign Certificate* today!

There may be superior alternatives to VeriSign SSL authentication. Regardless of vendor choice or implementation, it won’t hurt to contemplate data security, given the almost daily news reports of DDoS, DoS and other attacks. Or disclosure of yet another 0-day vulnerability or data breach.

* No, I’m not a paid endorser. I hoped someone might find it helpful and informative. Me, for example!

UPDATE: July 30, 2011

I just noticed that VeriSign has another offer: a 60-day free trial for a VeriSign Seal. See the VeriSign website for more information.

VeriSign offers both SSL and non-SSL products

What is the difference between the Trust Seal and the Secured Seal?

Like the VeriSign Secured Seal, the VeriSign Trust Seal shows that a site is authenticated by the high standards of VeriSign… The VeriSign Trust Seal is free with the purchase of any VeriSign® SSL Certificate. It can also be purchased separately for web sites that do not require SSL for securing online transactions. The VeriSign Trust Seal provides a cost-effective way to establish trust on your site without installing an SSL Certificate.

Emphasis is mine. However, VeriSign prominently displays this advisory on the Trust Seal FAQ page:

If your Web site uses SSL, you must use VeriSign SSL in order to display the VeriSign Trust Seal.

I’m uncertain, but suspect that the 30-day Trust Seal deal includes SSL certification, which is actually the VeriSign Secured Seal. The 60-day special probably does not. In other words, it offers the Trust Seal but not the SSL certificate, and is suitable only for non-SSL websites.

March 7, 2011

Authentication and Authorization

Access control has two components, referred to collectively as auth.

Third-party applications often require limited access to a user’s Google Account… all requests for access must be approved by the account holder.

via Authentication and Authorization for Google APIs.

Authentication services

Authentication refers to the process of allowing users to sign in to websites. In the context of this blog, it also refers to signing in to applications using a Google Account, or an OpenID 2.0 based protocol. When Google authenticates a user’s account, it returns a user ID to the web application. This allows user information to be stored and collected. OpenID also allows access to certain user account information, with the user’s approval.

Authorization services


OAuth

Authorization is often confused (by me, maybe others) with authentication. Authorization lets a user authorize access by applications to specific data associated with the user’s Google account.

OAuth 2.0 Protocol

The OAuth 2.0 open-standard protocol allows users to authorize access to their data, after successful authentication. Google supports the OAuth 2.0 protocol with bearer tokens for web (and installed) applications. Regular Google account data and Google Apps account data are accessible with OAuth 2.0. OAuth 2.0 relies on SSL for security instead of direct cryptographic signing that would otherwise be necessary for such access.

Note that OAuth 2.0 has not been finalized, according to the IETF (draft version 13). Google cautions that its OAuth 2.0 support is in an early preview and may change at any time, or as the final specifications evolve. Google considers OAuth experimental. However, “experimental” does not have the same tentative connotation associated with Google Labs projects.

OAuth 1.0 Protocol

There is also OAuth 1.0 for web applications. OAuth 1.0 can be used for authorization to user data by all Google APIs. Google continues to support OAuth 1.0.*

* OAuth 1.0 is sometimes referred to in documentation without version number, only as OAuth.
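To make concrete what the “direct cryptographic signing” of OAuth 1.0 looks like (the thing OAuth 2.0 bearer tokens replace with SSL), here is an added example, not from the original post or from Google’s libraries, that builds the RFC 5849 signature base string and HMAC-SHA1 signature for the request given in RFC 5849 section 3.4.1.1. The two secrets are assumed demo values, and the verifier shows that a request whose parameters were altered in transit is rejected, a check a bare bearer token cannot provide.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars pass through."""
    return quote(s, safe="-._~")


def base_string(method, url, params):
    """Build the signature base string (RFC 5849 section 3.4.1).

    params holds every query, form-body and oauth_* parameter as decoded
    (key, value) pairs; oauth_signature itself is never part of the input.
    Default ports are not stripped here, so pass URLs without one.
    """
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, client_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with both secrets (section 3.4.2)."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(method, url, params, client_secret, token_secret, presented):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(method, url, params, client_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def rfc5849_example_params():
    """The request from RFC 5849 section 3.4.1.1: query + form body + oauth_* params."""
    query = parse_qsl("b5=%3D%253D&a3=a&c%40=&a2=r%20b", keep_blank_values=True)
    body = parse_qsl("c2&a3=2+q", keep_blank_values=True)
    oauth = [("oauth_consumer_key", "9djdj82h48djs9d2"),
             ("oauth_token", "kkk9d7dh3k39sjv7"),
             ("oauth_signature_method", "HMAC-SHA1"),
             ("oauth_timestamp", "137131201"),
             ("oauth_nonce", "7d8f3e4a")]
    return query + body + oauth


if __name__ == "__main__":
    params = rfc5849_example_params()
    # Secrets are constructed for this demo; the RFC example does not fix them.
    print(base_string("POST", "http://example.com/request", params))
    print("signature:", sign("POST", "http://example.com/request", params, "demo-cs", "demo-ts"))
    # An OAuth 2.0 bearer request carries only "Authorization: Bearer <token>";
    # nothing binds the token to the method, URL or parameters, hence the reliance on SSL.
```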

Other protocols

The OpenID-OAuth hybrid protocol provides authentication and authorization in a single-step process. OpenID provides authentication services, and OAuth provides authorization to Google APIs.

AuthSub API is Google’s proprietary protocol. It is mostly used for Google APIs. AuthSub is similar to OAuth. OAuth is more generally applicable and Google recommends that developers use OAuth instead of AuthSub API.

Registration

Registering a web application is optional. It is also free and straightforward. Web applications that are not registered with Google can still use OAuth 1.0 or AuthSub interfaces. However, registered web applications are recognized by Google and receive a correspondingly higher level of trust designation. This is communicated to users on the login screen.

Example of access request screen for OAuth or AuthSub web app

Sample Google access request screen for unregistered web application

Summary

These are the three levels of registration:

  1. Unregistered: these applications conduct transactions at a lower security level. Google flags the user login page with a precautionary message (see the image above with the yellow-shaded advisory).
  2. Registered and recognized, but not configured for secure requests.
  3. Registered with enhanced security: these applications have a security certificate and can use secure tokens.