Client-side SSL
-
Are we getting the most from SSL/TLS ?
I was thinking about the use of certificates for authentication in reverse. It occurs to me that the SQRL system being developed by Steve Gibson reverses the traditional logon by getting the user to have their own unique personal token.
In essence this is what SSL does, so I thought "Why is it only used the way it is?" e.g. used to make sure the site you are using is safe, or to send authenticated or encrypted email.
I thought, "Why can't I alternatively use the Comodo SSL certificate I now own for my Vivaldi mail to log into Vivaldi?" So I went and had a look, and it seems I am not alone in thinking this.
Christian Weiske has created a guide to using client-side certificates in PHP: http://cweiske.de/tagebuch/ssl-client-certificates.htm
I see this as an alternative login like SQRL, that some users may prefer. All the client needs to do is send a signed email to register that certificate to the account.
They could then maybe choose to rely on completely automatic login, or enable 2-phase login with a simple 4 digit PIN.
The registered password on the site can then be treated as backup, and be a secure long random alphanumeric password. It would simplify users' experience, but I have to ask "would it make life hell for the Vivaldi devs?"
Most importantly "Do any users want something like this?" SSL certificates are available for free, so cost is no issue.
OK. Want to know the truth ? I'm getting annoyed at the fact Vivaldi does not remember me. Must be the cookie-monster in my PC. -
"SSL certificates are available for free"
That's news to me. For limited time trial use, as Comodo's (90 days).
I do not think it feasible to have to go and renew your cert every 90 days (if the CA will allow that; they are in business to make money after all). -
SSL certificates for email are free for personal use.
The 90 day trial must be for business or site certificates.
http://www.comodo.com/home/email-security/free-email-certificate.php
They are also available from StartSSL if you want another option.
http://www.startssl.com/?app=1 -
Thanx for updating me on this topic. I will indeed be looking further into this.
I can only remember back to the late 90s when I attempted to get my company to incorporate digital signatures in important electronic documents in our document management system. The higher-ups were not impressed with the costs involved, regardless of the protection it could give to verify the document's signature. -
Unfortunately the free certificates have not been crusaded enough by those that have found them.
I did some tests with some of the bods in the SGC news groups, so we know that Linux and Mac users also have no problems installing them.
A note for people that have never used certificates
The important thing to remember when requesting a certificate is that the request is tied to the browser that you used.
e.g. You cannot order it from work, then collect it at home.
Once you have actually installed it, it is installed in the OS, so you can export it for use elsewhere.
Well Greybeard, have you checked it out yet?
It would be good to comment on how easy you find the process, so other users may feel they can also easily secure their emails.
I was hoping for a bit of banter on the original topic, as I feel this fits with Jon's secure outlook for the Vivaldi community.
So please, anyone with any ideas on the feasibility of something like this, feel free to share. -
@Dr Flay, not as yet. It is on my list of items to look into.
Lots of melt here in past few days, some wiring and plumbing to fix as well as having three computers lined for rebuilds. Trying to fit time for personal interests…
-
Norwegian authorities are now warning against what could be the biggest security disaster in internet history.
Advice: Change all your passwords at once.
A website, Heartbleed.com, has been established with comprehensive information about the Heartbleed hole, how it affects and how both private and professional can protect themselves. -
@booBot:
Should we expect an update for Opera v12 regarding the HeartBleed OpenSSL issue?
Opera 12 doesn't support SSL heartbeat and is not affected.
-
Oh, there will be an update for the Opera 12 updater because there is a theoretical chance that that can be abused…
see:
http://blogs.opera.com/security/2014/04/heartbleed-heartaches/ -
Thanks for the link QuHno
-
A new, non-profit CA has recently been announced by EFF.
The CA, Let’s Encrypt, is a combined effort between the EFF, Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan and is scheduled to be operational by mid 2015. The project is aimed at reducing or eliminating "the complexity, bureaucracy, and cost of the certificates that HTTPS require".
Not sure as of now whether or not the CA will offer client side SSL.
For those with an interest, there is a developer preview:
https://github.com/letsencrypt/lets-encrypt-preview
and a video: https://www.youtube.com/watch?v=Gas_sSB-5SU
The original EFF article can be read here:
https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
-
This post is deleted! -
impressive necro-bump.
Seems like a handy service, but this thread was about "client-side" certificate use.
e.g. using certificates to authenticate yourself or to log into sites instead of passwords. -