[Cryptography] Toxic Combination

cryptography-ml at mkern.fastmail.fm cryptography-ml at mkern.fastmail.fm
Thu Dec 4 18:46:18 EST 2014

On Thu, Dec 4, 2014, at 18:28, Tony Arcieri wrote:
> On Wed, Dec 3, 2014 at 1:33 PM, Guido Witmond <guido at witmond.nl> wrote:
>>  - sign client certificates;
> This can be done today using the HTML <keygen> tag to generate a client certificate. A CSR is sent to the server, which can sign it under its own client CA, and send the signed certificate back to your browser for installation.
> Unfortunately, there's one problem: the user experience! All of the technical problems are solved, but it's still a terribly confusing process for users.
> Everything you've described can be built and deployed today without any changes to (most) browsers. But the user experience is so bad and confusing that nobody will use it:
> - Different browsers have different trust stores
> - Users have to pick which certificate to use to authenticate
> - Users have to copy certificates from browser-to-browser or computer-to-computer
> - Users need to back up certificates so they don't lose them
> - Users need some way to recover their account if they do lose the certificates

Aside from the user experience, client SSL certificates are also bad for
the user from a privacy point of view. They uniquely identify the user
to a passive network adversary which leaks a lot of information about
the user's location and habits. Authenticating the user at the
application layer once a secure connection has been established avoids
this problem.

An example of an application suffering from this issue is tresorit [1],
[2]. They offer a Dropbox like service with client side encryption. A
client SSL certificate is created for the user during sign up which
contains the user's full name and email address. This certificate is
used to connect to the server and keep files in sync whenever the user's
machine is turned on or they use the mobile app. A global passive
adversary can use this to trivially identify the user and link all their
other traffic to them.

[1] https://tresorit.com
[2] https://tresorit.com/files/tresoritwhitepaper.pdf

More information about the cryptography mailing list