[Cryptography] client certificates ... as opposed to password hashing
Bear
bear at sonic.net
Tue May 27 13:17:26 EDT 2014
On Tue, 2014-05-27 at 10:53 +0200, Guido Witmond wrote:
> I have built a prototype that shows that it can be done. Instead of a
> browser plug-in, I use a client side proxy. The browser connects with
> http to the proxy, the proxy does all the certificate handling with the
> sites. It can be built into a browser plug-in quite easily.
This is worth a note:

Good security design is compartmental. We should be
writing software that has strictly defined information
inputs and outputs, and does specific, narrow things
with them. Ideally, most of the "sensitive" pieces
should start, run, and exit without ever putting up
any UI.

A client-side proxy is a much better idea in the first
place than a plugin, because a client-side proxy has
much more narrowly defined information input and output
and a much more well-defined job to do. Its design need
not be warped by conforming to conventions or standards
driven by non-security considerations.