M.I.T. DEPARTMENT OF EECS

6.033 - Computer System Engineering
Handout 21 - April 3, 2002

Hands-on 7: Web Certificates

The goal of this hands-on is to give an introduction to web certificates and how they achieve their goal of authentication. MIT uses certificates to authenticate you to systems such as WebSIS. We are going to try to understand both the concepts and practice of how this works. Helpful URLs include http://web.mit.edu/is/help/cert/ and http://www.rsasecurity.com/rsalabs/faq/.

  1. Obtain an MIT Certificate

    If you have not already done so, please obtain an MIT Certificate from https://ca.mit.edu/. You will need to use Netscape (or IE 5.5 or higher) for this to work; the Netscape available on Athena will work.

  2. Secure access instructions

    Read the following page: Limited and secure access to web content over https.

  3. Web page setup

    For this part, you will need to round up two friends who have Athena accounts. Set up a web page in your Athena directory that is accessible to one of the friends and to the teaching assistant for your section. Verify the following two conditions:

    a) Your first friend and your TA can reach the page with a web browser, using their MIT-issued personal certificate. (When accessing the page from a web browser, make sure to use the page's network URL -- e.g., https://web.mit.edu/$USER/www/assignment7.html -- to ensure that the certificate mechanism is exercised.)

    b) Your second friend fails to reach the page from a web browser even though they present their MIT-issued personal certificate.

    So that your teaching assistant can also try it out, leave the restricted web page set up until you get your paper back.

    In the answer to this question, list the URL of the page you created and include the .htaccess.mit file you used to create the permissions.

  4. Trust considerations

    When you connect to a secure site, your browser will typically inform you of this. You can verify this by looking at the Document Info for the page in question (by pressing the Security button). How do you know that you have actually connected to the correct site and not to an imposter? Consider what a certificate actually certifies, what components comprise it, etc.

    Make a list of everything that you must trust in order to be confident that your web page really is accessible to no one else.

Please turn in the answers to these questions in Thursday's recitation. Also include how long it took for you to do this assignment.


Questions or Comments: 6.033-tas@mit.edu