In order to leak the private cert you need to compromise the host. Leaking the 
password is easier - you can compromise the web application, the target server, 
the target company or the client’s machine. You have a few more attack vectors 
with passwords.

Passwords get leaked on things like pastebin.

Passwords get emailed unencrypted and/or sent over insecure channels, like 
public network + IRC and/or HTTP.

A password needs to be remembered, so it will be easy and reused across multiple 
sites. Yes, there are password managers, but users who care enough to use them 
aren’t usually the ones to use easy passwords anyway. Enforcing strong 
passwords does _not_ work - MyStrongPass201205*, MyStrongPass201206*, 
MyStrongPass201207* etc. pass all security checks and this scheme can be used 
as long as you want, even when you are forced to change it every 30 days :-) 
And yes, people do that.

Passwords need to be changed when someone leaves the company, frequently a 
troublesome process which is hard or even impossible to automate. There are always 
systems that can’t use any form of centralised authentication. Certs are 
revoked easily.

Passwords tend to be shared and never changed after someone leaves. Kind of 
similar to the previous point.

And last but not least - a few years ago, I enforced using client certificates 
instead of passwords - for systems that contractors accessed. I visited the 
contractor office and there was a whiteboard with EVERY client’s 
IP+user+password on it.

Everyone, except the company I was working for :-)
On 25 Sep 2014, at 14:29, Gervase Markham <g...@mozilla.org> wrote:

> A question which occurred to me, and I thought I'd put before an
> audience of the wise:
> 
> * What advantages, if any, do client certs have over number-sequence
>  widgets such as e.g. the HSBC Secure Key, used with SSL?
> 
> http://www.hsbc.co.uk/1/2/customer-support/online-banking-security/secure-key
> 
> It seems like they have numerous disadvantages (some subjective):
> 
> * Client certs can be invisibly stolen if a machine is compromised
> * Client certs are harder to manage and reason about for an average
>  person
> * Client certs generally expire and need replacing, with no warning
> * Client certs are either single-machine, or need a probably-complex
>  copying process
> 
> What are the advantages?
> 
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

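The rotation scheme mentioned in the reply above (MyStrongPass201205*, MyStrongPass201206*, ...) is what a conventional complexity rule set accepts. The following is an added example, not code from either poster or from Mozilla, that puts such a rule set beside a change-time check which compares the new password to the one being replaced (stem comparison plus edit distance); the policy thresholds and the sample passwords are constructed for illustration.

```python
import re

# Constructed policy: a conventional "strong password" rule set.
MIN_LEN = 12


def passes_complexity(pw: str) -> bool:
    """Length plus four character classes: what most enforcement checks require."""
    return (len(pw) >= MIN_LEN
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def stem(pw: str) -> str:
    """Drop trailing digits/symbols and case: the part the user actually memorises."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance in dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_change(current: str, new: str, max_close: int = 3) -> str:
    """Accept the new password only if it passes complexity AND is not a
    trivial rotation of the password it replaces. Only the current password
    is available in plaintext (the user supplies it at change time); stored
    history hashes support exact-match checks only, not similarity checks."""
    if not passes_complexity(new):
        return "rejected: complexity"
    if stem(new) and stem(current) == stem(new):
        return "rejected: same stem as a previous password"
    if edit_distance(current.lower(), new.lower()) <= max_close:
        return "rejected: too close to a previous password"
    return "accepted"


if __name__ == "__main__":
    current = "MyStrongPass201205*"  # constructed sample, as in the reply above
    for candidate in ("MyStrongPass201206*", "correct-Horse-battery-9"):
        print(candidate, passes_complexity(candidate), check_change(current, candidate))
```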