by darkhorn
657 days ago
What do you mean? I think that you mean giving tokens/passwords to the browser. And by pressing the physical button you ensure that you don't give it to another web site. A client-side certificate works only for the given specific domain, and it automatically recognizes you. I forgot the specifics, but it only works for a specific domain. You cannot use it for another domain even if you want to.
If you have client certs installed and ready for use, especially with automatic selection, a rogue but otherwise "trusted" server can request your certificate by its issuer DN and, even though you may not directly provide any other information, any details about your identity present on the certificate can then be seen by that server.
Even so, thanks to the underlying security model of TLS, giving your cert to a rogue server still doesn't, as far as I know, directly open up any confused-deputy or MITM risks, which is more relevant to the comparison with YubiKeys. Certificates, even client certificates, are meant to be "public", and the mere possession of one proves nothing; no certificate should be trusted until the party presenting it can prove it has the associated private key.
Corroborating SO answer: https://serverfault.com/a/1086000
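The two mechanisms discussed in the replies above can be observed directly with Go's standard `crypto/tls`. The program below is an added example written for this thread, not code from either commenter or from the linked answer. It generates a throwaway CA and certificates in-process (the names "Demo Client CA", "localhost", "alice" and "mallory" are constructed for the demo), then runs two mutual-TLS handshakes over loopback. On the client side it records the issuer DNs the server advertises in its CertificateRequest, which is exactly what lets a server ask for certificates from a particular issuer and what a client hands over once it answers. On the server side it shows that the certificate alone is worthless: when alice's (public) certificate is presented but the CertificateVerify signature is made with mallory's key, the server rejects the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable for a self-contained demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate for cn signed by parent (a self-signed root when parent is nil).
func issue(cn string, serial int64, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if parent == nil { // self-signed root CA
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else if eku == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{cn} // the client verifies the server certificate against this name
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewDemo builds a demo CA, a server requiring client certs from it, a client-config factory that presents alice's certificate with whatever key it is given, alice's own key, and mallory's key (a different user of the same CA).
func NewDemo() (server *tls.Config, client func(*ecdsa.PrivateKey) *tls.Config, aliceKey, malloryKey *ecdsa.PrivateKey) {
	ca, caKey := issue("Demo Client CA", 1, x509.ExtKeyUsageAny, nil, nil)
	srv, srvKey := issue("localhost", 2, x509.ExtKeyUsageServerAuth, ca, caKey)
	alice, aliceKey := issue("alice", 3, x509.ExtKeyUsageClientAuth, ca, caKey)
	_, malloryKey = issue("mallory", 4, x509.ExtKeyUsageClientAuth, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	server = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the chain must verify AND CertificateVerify must carry a valid signature
		ClientCAs:    pool,                           // the subject DNs of these CAs are advertised in CertificateRequest
	}
	client = func(key *ecdsa.PrivateKey) *tls.Config {
		return &tls.Config{RootCAs: pool, ServerName: "localhost",
			Certificates: []tls.Certificate{{Certificate: [][]byte{alice.Raw}, PrivateKey: key}}}
	}
	return server, client, aliceKey, malloryKey
}

// TryHandshake runs one mutual-TLS handshake over loopback and returns the server's verdict (authenticated CN or error) plus the acceptable issuer DNs the client saw in the server's CertificateRequest.
func TryHandshake(server, client *tls.Config) (cn string, issuers []string, err error) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", server))
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			if err = c.(*tls.Conn).Handshake(); err == nil { // fails unless the client proves it holds the matching private key
				cn = c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	cfg := client.Clone()
	cfg.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for _, der := range cri.AcceptableCAs { // DER X.501 names: the client learns which issuers the server trusts
			var rdn pkix.RDNSequence
			if _, e := asn1.Unmarshal(der, &rdn); e == nil {
				issuers = append(issuers, rdn.String())
			}
		}
		return &cfg.Certificates[0], nil // present the configured certificate regardless of what was asked
	}
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), cfg)
	err = <-done // a TLS 1.3 client finishes before the server verifies, so wait for the server's verdict
	if dialErr == nil {
		conn.Close()
	}
	return cn, issuers, err
}

func main() {
	server, client, aliceKey, malloryKey := NewDemo()
	cn, issuers, err := TryHandshake(server, client(aliceKey))
	fmt.Printf("server asked for issuers %v; alice with her own key -> cn=%q err=%v\n", issuers, cn, err)
	_, _, err = TryHandshake(server, client(malloryKey))
	fmt.Printf("alice's certificate presented with mallory's key -> err=%v\n", err)
}
```

Running it prints the issuer list the server advertised (`CN=Demo Client CA`), a successful authentication of `alice` with her own key, and a server-side error for the second handshake. Note that the verdict is read from the server: in TLS 1.3 the client's handshake completes as soon as it has sent its own Finished, before the server has checked the CertificateVerify signature, so judging success from the client side alone would be misleading.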