[alexw91]

That's not how the TLS handshake works. The TLS server must be configured to request a certificate from the client in order for the client to know that it needs to send a client certificate to the server, and that server-side configuration is disabled for ~99%+ of endpoints.

TLS server implementations should be aborting the TLS connection for violating the TLS Handshake state machine if a client attempts to send a client certificate when it wasn't requested.

So while this bug affects both clients and servers, 100% of clients are parsing the server's TLS cert during the TLS handshake, but less than ~1% of servers are parsing a client's certificate during a handshake.

[lmilcin]

There is very little reason to DOS a client and a lot of reasons to attack servers.

There is a huge number of public facing services that implement mutual auth and all those are potentially vulnerable to DOS. While clients can just decide to not connect to a web service that causes their browser to malfunction (and why have you connected there in the first place?), services are usually not at liberty to ignore a client at this stage.

So yes, those servers that do request client certificate are targets and my point still stands that servers are much more affected than the clients.

What would be an affected client? You keep connecting to this infected website that causes your browser to die? Somebody embedded some tracking on their page that now points to an infected website? Everybody will just move on and it is hard to say you are very much affected by this problem.

Whereas if you are a service and you are affected you absolutely need to implement a fix.

[unixbane]

correction: literally 99.99999% of endpoints. they use password^W SMS authentication instead. no seriously, how is the only one good thing about X.509 (authentication via public key) the only unused part (to be fair, if anyone used it, wed have a whole new 10 episodes of vuln disclosures).

[lmilcin]

> correction: literally 99.99999% of endpoints.

You made up a number with no grounding in reality because of your bias due to being "general public".

For corporate services it is actually quite common to use client certificates and mutual auth. Also popular with VPNs.

You might not be aware of this because corporations do not want to deal with people who do not know or can be forced to know how to generate signing request.

This is different when you control both the service and the users of the service and you have something valuable to protect.

As an example, I worked with credit card terminals and these used mutual auth with properly managed client certificates.

You wouldn't call DOS on all terminals and ATMS "insignificant".

[unixbane]

No, I was purely focused on public web. As for your corporate services, those are all insecure as hell despite whaever tech they use. Anything that's remotely hidden from public in any way historically was uncovered to have non stop, gaping, and obvious security holes, even after being corrected 1-5 times. This is a result of the way businesses are run as miniature reactionary states ("just ban people in the firewall brother. call the police").