SSL Certificate Authentication

Question

We have a HTTP endpoint where a form request is posted containing transaction data from a 3rd party https website.

We are investigating ways that our HTTP endpoint can contain code to check that the host that posted the request is the 3rd party website and no-one else (i.e. a hacker).

Is there any way our HTTP endpoint can authenticate with the website where the posted form request originated? Maybe by SSL Certificate Authentication?

Many thanks in advance.

Answer 1

It might be better to use message-level security instead of transport-level security (SSL/TLS).

The third party website would sign the message using its certificate (or to be precise, using the private key matching its certificate), and your website would verify this signature.

This could allow for that message to be relayed by the user's browser, without needing a direct connection between the two servers.

This sort of mechanism already exists in the Identity Management world, for example with SAML and Shibboleth. (You can still have direct connections between the servers to get additional information too.)

Answer 2

To guarantee that the server on the other side is who they say they are the safest way is to have them use an SSL Certificate. If the they also need to trust who you are then each side should have their own SSL Certificate.

The IP Range solution provided in the comment could be a possible hack but it's quite brittle and it couldn't be applied in a very serious environment.

The Shared Key solution will work and it's reliable but you have to change keys from time to time depending on the volume of traffic between the two servers.

Hope this helps.