WebApp Sec mailing list archives

Re: Are client side certificates good enough against phishing?


From: Andy Steingruebl <steingra () gmail com>
Date: Sun, 6 Feb 2011 22:04:57 -0800

On Fri, Feb 4, 2011 at 12:25 PM, Marcel Constantopulos
<marcelconstantopulos () gmail com> wrote:
> Hi,
>
> This is my first post on the list, and I'm very happy that I've found you.
> I was wondering if the client side certificates are good enough
> against phishing.

In general, yes.  Client certificates can authenticate to a MITM site,
or to a phishing site assuming it chooses to ask for them, but during
a normal authentication the client-side data isn't exposed to the
server, and the data transmitted during an authentication cannot be
replayed to the "real" site.

So, the primary authenticator cannot be stolen easily, but that
doesn't stop an attacker from setting up a site, and asking for other
user data anyway, perhaps enough to perform an account takeover
anyway.


- Andy
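The replay property Andy describes, modelled as an added Go example (not code from the thread): the client's CertificateVerify is a signature over the handshake transcript, which includes the server's certificate and its fresh random, so a phishing site that relays the signature to the real site cannot make it verify. The site names, the 32-byte randoms and the reduced transcript (certificate plus server random only) are constructed simplifications of TLS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// transcriptHash stands in for the TLS handshake transcript hash. It binds the
// server's certificate and the server's fresh random; the client's
// CertificateVerify signature covers this hash, not a bare challenge.
func transcriptHash(serverCert string, serverRandom []byte) []byte {
	d := sha256.New()
	d.Write([]byte(serverCert))
	d.Write(serverRandom)
	return d.Sum(nil)
}

// Client side: sign the transcript with the key behind the client certificate.
func clientCertificateVerify(priv *ecdsa.PrivateKey, serverCert string, serverRandom []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, transcriptHash(serverCert, serverRandom))
}

// Server side: verify against the transcript this server actually took part in.
func serverVerify(pub *ecdsa.PublicKey, serverCert string, serverRandom, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, transcriptHash(serverCert, serverRandom), sig)
}

// ReplayDemo reports whether the phishing site accepts the client's signature
// (phishOK) and whether the real site accepts the same signature when the
// phishing site forwards it (replayOK).
func ReplayDemo() (phishOK, replayOK bool, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the client's certificate key
	if err != nil {
		return false, false, err
	}
	phishRand, realRand := make([]byte, 32), make([]byte, 32)
	rand.Read(phishRand) // crypto/rand.Read does not fail on Go >= 1.20
	rand.Read(realRand)
	// Constructed names: the lookalike site and the real one the user meant to reach.
	sig, err := clientCertificateVerify(key, "CN=login-bank.example", phishRand)
	if err != nil {
		return false, false, err
	}
	phishOK = serverVerify(&key.PublicKey, "CN=login-bank.example", phishRand, sig)
	replayOK = serverVerify(&key.PublicKey, "CN=bank.example", realRand, sig)
	return phishOK, replayOK, nil
}
```

This is why Andy's caveat matters: the signature never helps the phisher log in, but nothing stops the lookalike site from asking the user for passwords, one-time codes or other data after the handshake.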


