Client Certificate UI for Chrome?
Ben Laurie
benl at google.com
Wed Aug 26 06:26:59 EDT 2009
On Mon, Aug 10, 2009 at 6:35 PM, Peter Gutmann<pgut001 at cs.auckland.ac.nz> wrote:
> More generally, I can't see that implementing client-side certs gives you much
> of anything in return for the massive amount of effort required because the
> problem is a lack of server auth, not of client auth. If I'm a phisher then I
> set up my bogus web site, get the user's certificate-based client auth
> message, throw it away, and report successful auth to the client. The browser
> then displays some sort of indicator that the high-security certificate auth
> was successful, and the user can feel more confident than usual in entering
> their credit card details. All you're doing is building even more substrate
> for phishing attacks.
>
> Without simultaneous mutual auth, which -SRP/-PSK provide but PKI doesn't,
> you're not getting any improvement, and potentially just making things worse
> by giving users a false sense of security.
I certainly agree that if the problem you are trying to solve is
server authentication, then client certs don't get you very far. I
find it hard to feel very surprised by this conclusion.
If the problem you are trying to solve is client authentication then
client certs have some obvious value.
That said, I do tend to agree that mutual auth is also a good avenue
to pursue, and the UI you describe fits right in with Chrome's UI in
other areas. Perhaps I'll give it a try.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list