You can't MITM an SSL session with validly CA-signed certs unless you've pwnd the CA, web server or end user's machine. And I don't know what you're going on about regarding "no real cert validation". If it's valid, it will be validated. There's nothing wrong with it when it's done right.
Most places where you can authenticate with SSL client certs allow you to add your own self-signed certificate and authenticate using that. All the validation you need is to check whether the cert is in the user's list. You can only forge that by stealing the private key.
There's really no reason to only allow CA signed client certs.
As for cert validation / forged certs, they're only problematic because we want to authenticate a server we have never talked to before. With client certs, the same doesn't apply: the server just needs to ensure the client is the same as the one who registered the account, so there's no need for the whole CA enchilada.
As far as MITM and PFS go, that's handled just the same as regular SSL. Using a client cert doesn't affect that at all.
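The "check whether the cert is in the user's list" model described above, as an added example that is not part of the original thread: a server enrolls the SHA-256 fingerprint of whatever cert (self-signed or not) the user uploads at registration, and later accepts a client cert only if it parses, is within its validity window, and its fingerprint matches one enrolled for that account. The `Registry` type, the `Enroll`/`Authenticate` helpers and the throwaway self-signed certs are all assumptions made for illustration; the test cert deliberately reuses the subject name with a different key to show that matching on subject alone would not be enough.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint returns the SHA-256 of the DER-encoded certificate as lower-case hex.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Registry (hypothetical) maps an account name to the fingerprints of the
// client certs the account holder enrolled; no CA is consulted at any point.
type Registry struct {
	pins map[string][]string
}

func NewRegistry() *Registry { return &Registry{pins: map[string][]string{}} }

// Enroll records the presented cert as acceptable for the account.
func (r *Registry) Enroll(account string, der []byte) {
	r.pins[account] = append(r.pins[account], Fingerprint(der))
}

// Authenticate accepts the cert only if it parses, is currently valid, and its
// fingerprint matches one enrolled for the account. Comparison is constant-time.
func (r *Registry) Authenticate(account string, der []byte, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("unparseable client cert: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("client cert outside its validity period")
	}
	got := Fingerprint(der)
	for _, want := range r.pins[account] {
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1 {
			return nil
		}
	}
	return errors.New("client cert not enrolled for this account")
}

// SelfSignedCert builds a throwaway self-signed client cert (constructed test
// data), the kind of thing a user would generate locally and upload.
func SelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	reg := NewRegistry()
	alice, _ := SelfSignedCert("alice")
	other, _ := SelfSignedCert("alice") // same subject, different key: must be rejected
	reg.Enroll("alice", alice)
	fmt.Println("enrolled cert:", reg.Authenticate("alice", alice, time.Now()))
	fmt.Println("same subject, different key:", reg.Authenticate("alice", other, time.Now()))
}
```

In a real server the DER bytes come from the finished TLS handshake (`tls.ConnectionState().PeerCertificates[0].Raw` with `ClientAuth: tls.RequireAnyClientCert`), which is what proves the client actually holds the matching private key; the fingerprint check then ties that key to the account, which is exactly the point the post makes about not needing a CA for client certs.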