
SSL Client certificates can be easily and completely stolen by worms and botnets. So they can't be used by serious applications like online banking.

For everything else, there are much simpler solutions.




That problem is not specific to SSL client certs. It potentially affects every authentication mechanism (on the same computer). Typing in your passwords? Keylogger. Using a password manager? Stolen passwords. The password database is encrypted and you have to type in a password to decrypt it? Keylogger.

If your system is rooted / infected with malware, you lost. The only solution is to format the drive and start over.

The alternative is to use a 2 factor authentication mechanism that uses a separate device, like your phone receiving a text message. That's a pain for the average user, and certainly not "simpler".


People are very familiar with text messages. It's very easy to explain.


Worms and botnets can steal passwords just as easily, and session cookies almost as easily. What do you consider appropriate for online banking?


The certificate is public anyway, you'd need the private key as well in order to authenticate.



