It's a hassle if you have several identities against different web applications, i.e., multiple certificates. Automatic certificate selection doesn't work then, as no realm concept as in baseauth exists. You can read about a bunch of problems at http://wiki.mozilla.org/PSM:CertPrompt

There is also the `logout' problem, just as in base auth; i.e., if you want to use different SSL certs against the same web app. This is especially needed during development, to simulate different users with different roles. Currently, one needs several browser instances with different profiles for that (each of them eating up 100s of MBs.)

In addition, manual cert selection is a drag, if you have a Web server that authenticates only part of its Web site. When you first access some other part of the Web server, the SSL connection is established. When you then link to the protected area, the SSL connection must be renegotiated, and that doesn't properly work in many older browsers.

Oh yes, and moving a whole site to https might not be advisable either, for performance reasons.

I don't even want to start about the problems to set up a revocation process properly. After all, you want to be able to re-issue a cert to a client when it got stolen or so. Since you will have the same X.509 fields, more or less, revocation lists are the only way to go. Have a lot of fun with them.

IMNSHO, client certs are also not a good solution to the client authentication problem. Been there, done that, lots of problems. :-)
Cryptographic splicing makes for a Wordpress vulnerability
Posted May 16, 2008 12:30 UTC (Fri) by robbe (subscriber, #16131)
> Automatic certificate selection doesn't work then, as no realm concept
> as in baseauth exists.

That's not true. If a server requests a client certificate, it has to send a list of "acceptable" CAs. The client is supposed to use a cert that is signed by one of those. If you plan your environment carefully automatic selection can work (except for IE which apparently is too dumb to heed the acceptable CA list and always shows all certificates to the user).
I agree with most of your other points. Setting up proper authentication via client certificates is a complicated mess.
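The acceptable-CA mechanism robbe describes can be exercised end to end in Go. What follows is an added example, not code from this thread or from either commenter: it builds a throwaway PKI with two unrelated CAs (the names Staging CA, Production CA, alice@staging, alice@prod and localhost are all made up), gives the server exactly one of them in `tls.Config.ClientCAs`, whose subjects Go's server sends as the acceptable-CA list in its CertificateRequest, and has the client choose between its two certificates in a `GetClientCertificate` callback by matching each certificate's issuer against `cri.AcceptableCAs`. The function names `issue`, `SelectClientCert`, `Handshake` and `Demo` are choices made here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// issue mints a P-256 certificate for cn (every name here is made up); CAs also get CertSign, a nil parent means self-signed.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, signer := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// SelectClientCert is the rule the reply describes: the CertificateRequest carries the DER-encoded
// names of the CAs the server accepts, and the client picks a certificate issued by one of them. No
// match is exactly where a browser is left with prompting the user. Candidates need Leaf populated.
func SelectClientCert(acceptableCAs [][]byte, candidates []tls.Certificate) (*tls.Certificate, error) {
	for i, c := range candidates {
		for _, ca := range acceptableCAs {
			if c.Leaf != nil && bytes.Equal(c.Leaf.RawIssuer, ca) {
				return &candidates[i], nil
			}
		}
	}
	return nil, errors.New("no candidate certificate is issued by an acceptable CA")
}

// Handshake runs an in-memory TLS handshake: the server trusts only trustedCA (so that one name is its
// whole acceptable-CA list), the client chooses from wallet via SelectClientCert; returns the verified CN.
func Handshake(serverCert tls.Certificate, trustedCA *x509.Certificate, wallet []tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pool, // the subjects in this pool go on the wire as the acceptable CAs
		SessionTicketsDisabled: true, // the synchronous net.Pipe below cannot absorb post-handshake tickets
	}
	cliCfg := &tls.Config{
		InsecureSkipVerify: true, // self-signed demo server cert; server identity is not the point here
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return SelectClientCert(cri.AcceptableCAs, wallet)
		},
	}
	cliEnd, srvEnd := net.Pipe()
	srvEnd.SetDeadline(time.Now().Add(5 * time.Second)) // a rejected handshake must not hang the pipe
	errc := make(chan error, 1)
	go func() {
		errc <- tls.Client(cliEnd, cliCfg).Handshake()
		cliEnd.Close() // unblocks the server if the client bailed out early
	}()
	srv := tls.Server(srvEnd, srvCfg)
	err := srv.Handshake()
	srvEnd.Close() // likewise for a client still writing when the server rejected it
	if err = errors.Join(err, <-errc); err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// Demo builds the constructed PKI (one CA per environment, both of alice's identities in one wallet) and reports the identity picked against each server.
func Demo() (stagingCN, prodCN string, err error) {
	stagingCA, prodCA := issue("Staging CA", true, nil), issue("Production CA", true, nil)
	server := issue("localhost", false, nil)
	wallet := []tls.Certificate{issue("alice@staging", false, &stagingCA), issue("alice@prod", false, &prodCA)}
	stagingCN, errStaging := Handshake(server, stagingCA.Leaf, wallet)
	prodCN, errProd := Handshake(server, prodCA.Leaf, wallet)
	return stagingCN, prodCN, errors.Join(errStaging, errProd)
}
```

Calling `Demo()` gives alice@staging for the server that trusts the staging CA and alice@prod for the one that trusts the production CA, with no prompt involved; a server whose acceptable-CA list names a CA the wallet holds nothing from makes `SelectClientCert` return an error, which is the situation in which a browser has to fall back to its chooser. The handshake runs over `net.Pipe`, which is why session tickets are disabled and the server end carries a deadline; over a real socket neither is needed.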