[unixbane]

correction: literally 99.99999% of endpoints. they use password^W SMS authentication instead. no seriously, how is the only one good thing about X.509 (authentication via public key) the only unused part (to be fair, if anyone used it, wed have a whole new 10 episodes of vuln disclosures).

[lmilcin]

> correction: literally 99.99999% of endpoints.

You made up a number with no grounding in reality because of your bias due to being "general public".

For corporate services it is actually quite common to use client certificates and mutual auth. Also popular with VPNs.

You might not be aware of this because corporations do not want to deal with people who do not know or can be forced to know how to generate signing request.

This is different when you control both the service and the users of the service and you have something valuable to protect.

As an example, I worked with credit card terminals and these used mutual auth with properly managed client certificates.

You wouldn't call DOS on all terminals and ATMS "insignificant".

[unixbane]

No, I was purely focused on public web. As for your corporate services, those are all insecure as hell despite whaever tech they use. Anything that's remotely hidden from public in any way historically was uncovered to have non stop, gaping, and obvious security holes, even after being corrected 1-5 times. This is a result of the way businesses are run as miniature reactionary states ("just ban people in the firewall brother. call the police").