by bgidley 3698 days ago
This is unlikely to work - developers in general can't cope with managing SSL certificates. They won't know what to do with them or handle them securely.

You need full integrity verification, with a secure store and whitebox crypto keys to make such a scheme secure.

4 comments

I gathered the target group are developers. Devs should be capable of dealing with this if they want higher security.
Even devs can't cope. Most apps leak credentials severely. You need integrity verification, obfuscation and whitebox crypto to do this sort of thing securely.

All of that is available in the banking world and is often deployed by people like Irdeto (who I work for) and Arxan etc.

Is that why irdeto.com does not use SSL on their site? Because you're not willing to manage SSL certificates?
Wow it doesn't even redirect 443 it just hangs...
This illustrates a question I've been wondering about for a while - while each developer on a project should have a good idea of security best practice, is it worth it for each to be an expert in security? I've always felt that there should be a member (or team, depending on project scale) on each project who is a "security expert" and can guide decisions on security best practice. So the developers can be aware that they need to tie in an API key at some point, and the security expert can guide the best way to implement that.
> developers in general can't cope with managing SSL certificates

I'd say the same but they've done just fine publishing anything to the App Store, which uses certs everywhere. And it was even worse the first few years.

> I'd say the same but they've done just fine publishing anything to the App Store, which uses certs everywhere.

"Just fine" is a relative term here. It's still a shit show managing them—AFAIK XCode is the only realistic option, which makes me want to remove my eyes with forks.

If you can cope with OAuth you can definitely manage TAuth. The cert and private key are just opaque things you pass to any HTTP client.
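What "the cert and private key are just opaque things you pass to any HTTP client" looks like in practice, as an added example that is not code from this thread or from TAuth: a mutual-TLS exchange using only the Go standard library. The server trusts exactly one client certificate, the handler reads the caller's identity from the verified peer certificate, and two other callers (one with no certificate, one with a different key behind the same CN) are refused at the handshake. The self-signed in-memory certificates and the CN "svc-billing" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned builds an in-memory self-signed client certificate for cn.
// Constructed for the example; a real deployment issues client certs from a
// CA the server controls and distributes them out of band.
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it is its own trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// newServer starts a TLS server that only completes the handshake for clients
// whose certificate chains to one of the trusted certs.
func newServer(trusted ...tls.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	for _, t := range trusted {
		pool.AddCert(t.Leaf)
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The TLS layer has already verified the client cert, so the
		// caller's identity is read straight from it, not from a header.
		fmt.Fprint(w, r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// newClient is the "opaque cert + key handed to the HTTP client" step: the
// application never touches the key beyond placing it in the config.
func newClient(srv *httptest.Server, certs ...tls.Certificate) *http.Client {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust the test server's own cert
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:      roots,
		Certificates: certs,
	}}}
}

func call(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunDemo runs three clients against one server: it returns the CN the server
// saw for the trusted client and whether the other two were refused.
func RunDemo() (seenCN string, anonRefused, strangerRefused bool, err error) {
	trusted, err := selfSigned("svc-billing")
	if err != nil {
		return "", false, false, err
	}
	// Same CN, different key: the name is not the identity, the key is.
	stranger, err := selfSigned("svc-billing")
	if err != nil {
		return "", false, false, err
	}
	srv := newServer(trusted)
	defer srv.Close()

	seenCN, err = call(newClient(srv, trusted), srv.URL)
	if err != nil {
		return "", false, false, err
	}
	_, anonErr := call(newClient(srv), srv.URL)
	_, strangerErr := call(newClient(srv, stranger), srv.URL)
	return seenCN, anonErr != nil, strangerErr != nil, nil
}

func main() {
	cn, anon, stranger, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server saw CN=%q; no-cert refused=%v; wrong-key refused=%v\n", cn, anon, stranger)
}
```

The refusals happen before any application code runs, which is the property that distinguishes this from bearer-token schemes: there is no secret on the wire for a man in the middle to replay, only a signature made with a key that never leaves the client. It also shows the distribution problem raised below: every relying server needs the trust anchor, and every client needs its own key material provisioned securely.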
I agree - but as you say OAuth also suffers from MITM weaknesses. I'm just not convinced 'plain' client certs solve that as it's very hard to distribute those securely and manage them. I guess it depends where you see these being used; if used server to server it's not too bad, but if pushed out to mobile devices (as I suspect they will be) they are very likely to leak unless strong app protection is applied.

If you're banking on strong app protection working, you really need to be notified of its state on the server, which this won't do; you need to use a securely signed message from the verification/protection libraries on the client.

That can be done by storing this key in a cryptographic whitebox and then linking its use to integrity verification.

This is the first version of TAuth where only server apps are in scope. Work is already underway on the solution for Mobile… Teller will need it soon for upcoming products.
> developers in general can't cope with managing SSL certificates

https://news.ycombinator.com/item?id=11637700