Client Certificate UI for Chrome?
Steven Bellovin
smb at cs.columbia.edu
Wed Sep 2 15:13:59 EDT 2009
On Aug 26, 2009, at 6:26 AM, Ben Laurie wrote:
> On Mon, Aug 10, 2009 at 6:35 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
>> More generally, I can't see that implementing client-side certs gives you much of anything in return for the massive amount of effort required because the problem is a lack of server auth, not of client auth. If I'm a phisher then I set up my bogus web site, get the user's certificate-based client auth message, throw it away, and report successful auth to the client. The browser then displays some sort of indicator that the high-security certificate auth was successful, and the user can feel more confident than usual in entering their credit card details. All you're doing is building even more substrate for phishing attacks.
>>
>> Without simultaneous mutual auth, which -SRP/-PSK provide but PKI doesn't, you're not getting any improvement, and potentially just making things worse by giving users a false sense of security.
>
> I certainly agree that if the problem you are trying to solve is
> server authentication, then client certs don't get you very far. I
> find it hard to feel very surprised by this conclusion.
>
> If the problem you are trying to solve is client authentication then
> client certs have some obvious value.
>
> That said, I do tend to agree that mutual auth is also a good avenue
> to pursue, and the UI you describe fits right in with Chrome's UI in
> other areas. Perhaps I'll give it a try.
This returns us to the previously-unsolved UI problem: how -- with
today's users, and with something more or less like today's browsers
since that's what today's users know -- can a spoof-proof password
prompt be presented?
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List