I always found it weird that client certs were sent in the clear in TLS 1.2, but according to what I've seen on Stack Overflow, the fact that TLS 1.2 does this isn't actually so bad because clients still have to prove they own the cert by signing some data unique to the session. Does anyone else know more about this and can verify if this information is accurate?
1 year ago
Now that I think about it, it is still a privacy issue, just not a security one, I suppose. · 1 year ago
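The proof-of-possession mechanism the post is asking about, as an added example that is not from this thread: a Go model of the TLS 1.2 CertificateVerify step using only the standard library. The client signs a hash over the handshake transcript (which contains both sides' fresh randoms), the server verifies it with the public key from the certificate it just received in the clear, and a signature captured from one session does not verify under another session's transcript or under a different key. The function names and the handshake message strings are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// transcriptHash stands in for the TLS 1.2 CertificateVerify input: a hash over
// every handshake message so far, which includes the ClientHello and
// ServerHello randoms that make each session unique.
func transcriptHash(messages ...[]byte) []byte {
	h := sha256.New()
	for _, m := range messages {
		h.Write(m)
	}
	return h.Sum(nil)
}

// clientSign is the client's CertificateVerify: sign the transcript hash with
// the private key that matches the certificate it sent unencrypted.
func clientSign(priv *rsa.PrivateKey, transcript []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, transcript)
}

// serverVerify checks the signature with the public key from the certificate.
func serverVerify(pub *rsa.PublicKey, transcript, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, transcript, sig) == nil
}

// replayRejected shows why a cleartext cert alone is not enough: a signature
// taken from one session fails against a transcript with a different random.
func replayRejected(priv *rsa.PrivateKey) (genuine, replay bool, err error) {
	hello := []byte("ClientHello:random=AAAA") // constructed handshake messages
	s1 := transcriptHash(hello, []byte("ServerHello:random=BBBB"))
	s2 := transcriptHash(hello, []byte("ServerHello:random=CCCC"))
	sig, err := clientSign(priv, s1)
	if err != nil {
		return false, false, err
	}
	return serverVerify(&priv.PublicKey, s1, sig), serverVerify(&priv.PublicKey, s2, sig), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	genuine, replay, _ := replayRejected(priv)
	fmt.Printf("genuine verifies: %v, replayed verifies: %v\n", genuine, replay)
}
```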