 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Linux Links | Bling | About BLU |
> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss- > bounces+blu=nedharvey.com at blu.org] On Behalf Of Kent Borg > > On 07/28/2013 11:49 PM, Tom Metro wrote: > > Elsewhere today there was a thread mentioning StarSSL. They take an > > interesting approach to site security. They don't use passwords. As part > > of the process of getting your SSL certificate, they generate a > > client-side SSL certificate that you install in your browser. > > Now I have to trust that my browser will keep that file securely. Steal > that file and you are in. It doesn't solve the problem, but shifts it > to a little used feature browser that is likely little audited for > security and might be full of holes. "have to" is being stated too strongly. The process I follow is like this: Generate and install the user cert with the browser. Immediately export to a file and remove from browser. Install into the OS (by double clicking the file) and un-check the "private key exportable" checkbox. Now, whenever any app wants to use that cert, it must request permission from the OS, which prompts me to allow/disallow. So it can't happen without my knowledge and consent. Meanwhile, I'm able to authenticate to the website and everything is smooth and seamless. PS. I also challenge the assumption that the browser developers rarely audit their cert and identity management code. The folks working for firefox and chrome are not completely brain dead.
