WebApp Sec mailing list archives
Re: Are client side certificates good enough against phising?
From: Andy Steingruebl <steingra () gmail com>
Date: Sun, 6 Feb 2011 22:04:57 -0800
On Fri, Feb 4, 2011 at 12:25 PM, Marcel Constantopulos <marcelconstantopulos () gmail com> wrote:

> Hi, This is my first post on the list, and I'm very happy that I've found you. I was wondering if the client side certificates are good enough against phishing.

In general, yes. Client certificates can authenticate to a MITM site, or to a phishing site assuming it chooses to ask for them, but during a normal authentication the client-side data isn't exposed to the server, and the data transmitted during an authentication cannot be replayed to the "real" site. So, the primary authenticator cannot be stolen easily, but that doesn't stop an attacker from setting up a site and asking for other user data anyway, perhaps enough to perform an account takeover.

- Andy
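Added illustration of the replay point above (not part of the thread): the client-auth signature covers the handshake transcript, so a signature captured by a phishing site does not verify at the real site, whose handshake carries its own random. This is a model, not TLS: textbook RSA with small constructed primes stands in for the certificate's key, and the transcript is reduced to the two handshake randoms.

```python
import hashlib
import os

# Textbook RSA with deliberately small, constructed primes (illustration only;
# real client certificates use 2048-bit RSA or ECDSA keys).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays on the client, never sent


def transcript_hash(server_random: bytes, client_random: bytes) -> int:
    """Stand-in for the handshake transcript hash that CertificateVerify signs."""
    digest = hashlib.sha256(server_random + client_random).digest()
    return int.from_bytes(digest, "big") % N


def client_sign(server_random: bytes, client_random: bytes) -> int:
    """Client proves possession of D over this specific handshake."""
    return pow(transcript_hash(server_random, client_random), D, N)


def server_verify(server_random: bytes, client_random: bytes, signature: int) -> bool:
    """Server checks the signature with the public key (E, N) from the client cert."""
    return pow(signature, E, N) == transcript_hash(server_random, client_random)


def honest_handshake() -> bool:
    """Direct authentication to the real site verifies."""
    server_random, client_random = os.urandom(32), os.urandom(32)
    return server_verify(server_random, client_random, client_sign(server_random, client_random))


def phish_then_replay() -> bool:
    """A phishing site collects the client's signature, then replays it to the real site.
    Returns True only if the real site would accept the replay (it should not)."""
    client_random = os.urandom(32)
    # 1. Victim authenticates to the phishing site, which chose its own server random.
    phish_random = os.urandom(32)
    captured_sig = client_sign(phish_random, client_random)
    assert server_verify(phish_random, client_random, captured_sig)  # phisher saw a valid auth
    # 2. Phisher opens a session with the real site, which picks a fresh server random,
    #    and presents the captured signature. The transcript differs, so it fails.
    real_random = os.urandom(32)
    return server_verify(real_random, client_random, captured_sig)


if __name__ == "__main__":
    print("honest handshake verifies:", honest_handshake())
    print("replayed signature accepted by real site:", phish_then_replay())
```

The phishing site still learned nothing usable for authenticating as the victim, which is exactly why the remaining risk is the extra data the site asks the victim to type in.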