> From: [email protected] [mailto:discuss-
> [email protected]] On Behalf Of Kent Borg
> 
> On 07/28/2013 11:49 PM, Tom Metro wrote:
> > Elsewhere today there was a thread mentioning StartSSL. They take an
> > interesting approach to site security. They don't use passwords. As part
> > of the process of getting your SSL certificate, they generate a
> > client-side SSL certificate that you install in your browser.
> 
> Now I have to trust that my browser will keep that file securely. Steal
> that file and you are in.  It doesn't solve the problem, but shifts it
> to a little-used browser feature that is likely little audited for
> security and might be full of holes.

"Have to" is being stated too strongly.

The process I follow is like this:  Generate and install the user cert with the 
browser.  Immediately export to a file and remove from browser.  Install into 
the OS (by double clicking the file) and un-check the "private key exportable" 
checkbox.

Now, whenever any app wants to use that cert, it must request permission from 
the OS, which prompts me to allow/disallow.  So it can't happen without my 
knowledge and consent.  Meanwhile, I'm able to authenticate to the website and 
everything is smooth and seamless.

PS.  I also challenge the assumption that the browser developers rarely audit 
their cert and identity management code.  The folks working for Firefox and 
Chrome are not completely brain dead.
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
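
The import step from the reply above, scripted as an added example that is not part of the original message. The thread does not name the OS, so Windows and its PKI module cmdlets are assumptions, and `$PfxPath` is a placeholder for the file exported from the browser. It imports with a non-exportable key and checks that the key cannot be exported again; it does not set up the per-use consent prompt.

```powershell
# Added example. Assumes Windows with the built-in PKI module.
# $PfxPath is a placeholder for the file exported from the browser.
param(
    [Parameter(Mandatory)] [string] $PfxPath
)

$password = Read-Host -AsSecureString -Prompt 'Password protecting the PFX file'

# Omitting -Exportable makes Windows mark the private key as non-exportable.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My -Password $password

if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key."
}

# Verify the setting: exporting the key back out of the store must now fail.
$probe = Join-Path $env:TEMP ("probe-{0}.pfx" -f [guid]::NewGuid())
try {
    Export-PfxCertificate -Cert $cert -FilePath $probe `
        -Password $password -ErrorAction Stop | Out-Null
    Write-Warning 'Private key is still exportable; remove the certificate and re-import.'
} catch {
    Write-Output "OK: private key for '$($cert.Subject)' is not exportable."
} finally {
    # Clean up the probe file in case the export unexpectedly succeeded.
    Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
}

# The PFX on disk still contains a copy of the key that anyone with the
# password can import, so it has to be handled separately.
Write-Output "Move '$PfxPath' to offline storage or delete it."
```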
