How to Secure an SSL VPN with One-Time Passcodes and Mutual Authentication
Jul 03, 2007, 09:00
[ Thanks to Falko Timme for this link. ]
"SSL-based VPNs were designed to eliminate the need for complex
configurations on the user's PC. Unfortunately, that was before the
dangers of public WiFi networks and tougher regulatory requirements
came into being. Thanks to WiFi, many attacks that were difficult
are now quite simple. In particular, a man-in-the-middle attack can
intercept SSL-encrypted traffic, rendering SSL-based VPNs useless -
even if it's protected by a typical one-time password system. The
man-in-the-middle can easily feed the one-time password into the
SSL-based VPN within the allotted time.
"In order to thwart this attack, mutual authentication is
required. Mutual authentication means that the user is validated to
the site and the site is validated to the user..."