It was thus said that the Great nervuri once stated:
>
> As far as I know, with TLSv1.2 client certs are sent in the clear,
> revealing login information to the ISP (and whoever else is looking). In
> this respect, when used with TLS 1.2, client certs are worse than cookies.

  I currently log client certificates (gasp!). Yes, it's true, but I added
such logging last year when the protocol was still in the initial stages of
development and I wanted a way to debug client certificate issues. I have
an area that requires client certificates but it doesn't get a lot of
traffic. But, just because I'm feeling ornery about this, here are the
details of the few client certs that have crossed my server over the past
month (the subject):

	/CN=elpherAyKLzp
	/CN=default
	/CN=My Cert
	/C=CH/ST=Some-State/O=Internet Widgits Pty Ltd
	/CN=testuser
	/C=US/ST=FL/L=Boca Raton/CN=Sean Conner/emailAddress=sean at conman.org

and except for that last one (what a stupid git, giving out his name and
email address like that!), the issuer was also the same as the subject.
Yeah, way worse than cookies I'd say.

> Also, 1.2 isn't compatible with encrypted SNI. So I hope it will be phased
> out soon, if possible. Let me know your thoughts.

  Sigh. Given the current state of Gemini, *even if* the domain name were
encrypted, there's still a near 80% chance of knowing which domain is being
accessed, just because most servers only serve one domain. And there is
---
Previous in thread (7 of 37): 🗣️ Scot (gmi1 (a) scotdoyle.com)
Next in thread (9 of 37): 🗣️ nervuri (nervuri (a) disroot.org)
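The point nervuri raises and Sean's log illustrate is a record-layer property: in TLS 1.2 the client's Certificate message is carried in a plaintext handshake record, while in TLS 1.3 it is sent under the handshake traffic keys and therefore appears on the wire only as an encrypted application_data record. The following script is an added example, not code from this thread or from any Gemini server; it is a minimal TLS record and handshake parser that reports which certificate bodies a passive observer with no keys could read. The two "flight" builders, the SAMPLE_CERT placeholder (not real DER) and the function names are constructed for this example.

```python
import struct

# TLS record-layer content types (RFC 5246 s6.2.1, RFC 8446 s5.1)
CT_HANDSHAKE = 22
CT_APPLICATION_DATA = 23
# Handshake message type for Certificate (RFC 5246 s7.4, RFC 8446 s4)
HT_CERTIFICATE = 11


def iter_records(stream):
    """Split a raw TLS byte stream into (content_type, legacy_version, payload) records."""
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        yield ctype, version, payload
        off += 5 + length


def iter_handshake_messages(payload):
    """Split a plaintext handshake record into (msg_type, body) messages."""
    off = 0
    while off < len(payload):
        if off + 4 > len(payload):
            raise ValueError("truncated handshake header")
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        body = payload[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield msg_type, body
        off += 4 + length


def parse_certificate_list(body):
    """TLS 1.2 Certificate body: uint24 total length, then (uint24 length, DER) entries."""
    total = int.from_bytes(body[0:3], "big")
    off, certs = 3, []
    while off < 3 + total:
        n = int.from_bytes(body[off:off + 3], "big")
        certs.append(bytes(body[off + 3:off + 3 + n]))
        off += 3 + n
    return certs


def plaintext_certificates(stream):
    """Return every certificate an on-path observer can read from the stream with no keys.

    Only content-type 22 (handshake) records are inspected: in TLS 1.2 the client's
    Certificate message travels in one of these. In TLS 1.3 everything after ServerHello
    is wrapped in content-type 23 (application_data) records under the handshake traffic
    keys, so a Certificate message never shows up here.
    """
    found = []
    for ctype, _version, payload in iter_records(stream):
        if ctype != CT_HANDSHAKE:
            continue
        for msg_type, body in iter_handshake_messages(payload):
            if msg_type == HT_CERTIFICATE:
                found.extend(parse_certificate_list(body))
    return found


# --- constructed sample traffic (not a real capture) ---------------------------------

def _record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def _handshake(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Stand-in for a DER-encoded client certificate; a real one carries the subject as ASN.1.
SAMPLE_CERT = b"CONSTRUCTED-NOT-DER: subject /CN=testuser"


def tls12_client_certificate_flight():
    """Client's second flight in TLS 1.2: the Certificate message sits in a plaintext record."""
    entry = len(SAMPLE_CERT).to_bytes(3, "big") + SAMPLE_CERT
    body = len(entry).to_bytes(3, "big") + entry
    return _record(CT_HANDSHAKE, _handshake(HT_CERTIFICATE, body))


def tls13_client_certificate_flight():
    """Same message in TLS 1.3: only an application_data record with ciphertext is visible."""
    ciphertext = bytes(range(64))  # constructed placeholder for the encrypted payload
    return _record(CT_APPLICATION_DATA, ciphertext)


if __name__ == "__main__":
    print("TLS 1.2 visible certs:", plaintext_certificates(tls12_client_certificate_flight()))
    print("TLS 1.3 visible certs:", plaintext_certificates(tls13_client_certificate_flight()))
```

Run stand-alone, the TLS 1.2 flight yields the sample certificate body and the TLS 1.3 flight yields nothing. The same logic, fed real records from a capture, is the check a server operator would use to confirm that a client-certificate deployment no longer exposes subjects once TLS 1.2 is disabled.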