[Cryptography] client certificates ... as opposed to password hashing

Bear bear at sonic.net
Tue May 27 13:17:26 EDT 2014

On Tue, 2014-05-27 at 10:53 +0200, Guido Witmond wrote:

> I have build a prototype that shows that it can be done. Instead of a
> browser plug-in, I use a client side proxy. The browser connects with
> http to the proxy, the proxy does all the certificate handling with the
> sites. It can be built into a browser plug-in quite easily.

This is worth a note:  

Good security design is compartmental.  We should be 
writing software that has strictly defined information
inputs and outputs, and does specific, narrow things 
with them.  Ideally, most of the "sensitive" pieces 
should start, run, and exit without ever putting up 
any UI. 

A client-side proxy is a much better idea in the first 
place than a plugin, because a client-side proxy has 
much more narrowly defined information input and output 
and a much more well-defined job to do.  Its design need
not be warped by conforming to conventions or standards 
driven by non-security considerations. 

More information about the cryptography mailing list