Re: [EXTERNAL] RE: enforcing mutual auth from the client
On Fri, 2022-09-02 at 00:22 +, Wall, Stephen wrote:
> > A compromised server could easily still request the client
> > certificate, no?
> >
> > But as noted, even a compromised server can ask for client
> > credentials and then
>
> Yes, that's true. If the intruder knew to do so. Also, a thief can
> break your window and get into your car, so you might as well leave
> them rolled down all the time.
>
> The question wasn't "Should I care that..." or "Is it a good idea
> to...". It was "Can OpenSSL 3 do this".

You really should be asking "Should I care that..." though. Security by policy is even weaker than security by obscurity. Don't let detection of this little "gotcha" lull you into a false sense of security, or even heightened security.
RE: [EXTERNAL] RE: enforcing mutual auth from the client
> > It is not clear what threat model warrants taking special action when
> > the client certificate is not requested. It could equally be
> > requested and then largely ignored.
>
> A client in a highly secured network knows that every server it connects to
> will require a client certificate. If the request fails to arrive, it's either
> a misconfiguration or a compromised server. In either case, the client prefers
> to fail and make the user aware of a problem rather than risk compromising
> sensitive data with the user unaware that there was unexpected behavior.

But as noted, even a compromised server can ask for client credentials and then ignore them. So in your threat model, the client might think it is talking to a legit server just because it asks for a certificate like it's "supposed to", but will happily be exchanging sensitive data with this compromised server.
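The behaviour Stephen describes (a client that fails closed when the server never sends CertificateRequest), as an added worked example that is not part of this thread. It is written against Go's crypto/tls rather than OpenSSL, because crypto/tls exposes the needed observation directly: the GetClientCertificate callback is invoked only when a CertificateRequest actually arrives. In OpenSSL the same observation is available from the client certificate callback (SSL_CTX_set_client_cert_cb), which likewise fires only on a server request, or from the handshake message callback (SSL_CTX_set_msg_callback). The loopback server, its self-signed certificate and the name server.example are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// errNoCertRequest is the fail-closed outcome: handshake done, but no CertificateRequest was ever seen.
var errNoCertRequest = errors.New("server did not request a client certificate; refusing to proceed")

// selfSigned builds a throwaway self-signed certificate for the made-up name server.example (example fixture only).
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"server.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this one certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshakeRequiringCertRequest connects a client that insists on seeing CertificateRequest to a
// loopback server whose ClientAuth is serverAuth: nil if the server asked, errNoCertRequest if not.
func handshakeRequiringCertRequest(serverAuth tls.ClientAuthType) error {
	cert, pool, err := selfSigned()
	if err != nil {
		return err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	// Server: whether CertificateRequest is sent is decided solely by ClientAuth.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: serverAuth}
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, srvCfg).Handshake()
		}
		srvErr <- err
	}()
	// Client: GetClientCertificate runs only when CertificateRequest arrives. This client owns
	// no certificate, so it answers with an empty one; the flag is the observable we care about.
	requested := false
	cliCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "server.example",
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true
			return &tls.Certificate{}, nil
		},
	}
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	cli := tls.Client(raw, cliCfg)
	defer cli.Close()
	if err := cli.Handshake(); err != nil {
		return err
	}
	if err := <-srvErr; err != nil {
		return err
	}
	// Fail closed before a single byte of application data is written.
	if !requested {
		return errNoCertRequest
	}
	return nil
}

func main() {
	for _, mode := range []tls.ClientAuthType{tls.RequestClientCert, tls.NoClientCert} {
		fmt.Printf("server ClientAuth=%d: %v\n", mode, handshakeRequiringCertRequest(mode))
	}
}
```

Running it shows the two outcomes: with the server configured to request a certificate the function returns nil, and with ClientAuth left at NoClientCert the handshake still completes but the client refuses to proceed. Note what the check does and does not prove, which is the point both replies above make: the flag only records that the server asked. A server that asks and then ignores the answer passes this check unchanged, and in TLS 1.3 the request is inside the encrypted handshake, so nothing on the wire distinguishes a server that verifies from one that does not. A client can tighten the test somewhat by inspecting the CertificateRequestInfo it receives (for instance, requiring that AcceptableCAs name its own issuer), but that still only shows how the server was configured to ask, not what it does with the certificate.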