by naturalmovement 2 days ago
That's literally how client certificates work.

It's not attempting to "read" anything, nor is it the least bit suspicious or malicious.

Your browser was asked if it would like to present a certificate to authenticate, and you were prompted to choose one if you please. You can also hit cancel, as client auth can be optional, and the server will either serve you the page or a 401/403.

It's like being asked to show ID to enter a pub, you can either show one or decline, and they may or may not let you enter based on that transaction.

1 comments

It's a little suspicious. Why are they doing something that no other website in the world does? I was curious about zero-whatever but not enough to do whatever this is.

> Why are they doing something that no other website in the world does?

Clearly other sites do since the user who shared the anecdote has certificates already configured in their browser? It's uncommon but pretty easy to understand how this happened.

Bear in mind, this is public/private key crypto so it's not like the site is asking for your Facebook password or something. The site owner has no way to reuse a certificate to imitate the user.

Plenty of sites do this, you just don't interact with them. Corp and govt intranets love this stuff.

Right, I've interacted with them when I had to for work. I wouldn't post any of them on HN though.

Bruh it's one line in nginx config.

> that no other website in the world does

That you know of. Anywhere with stringent security it's everywhere.
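
Added illustration, not part of the thread and not any commenter's configuration: a minimal nginx server block for the optional client-certificate flow discussed above, where cancelling the browser prompt still loads public pages but a protected path answers 403. The hostname, file paths, upstream address and header names are placeholder assumptions.

```nginx
server {
    listen 443 ssl;
    server_name intranet.example;                 # placeholder hostname

    # The server's own TLS identity (placeholder paths).
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # CA that issues the client certificates this site accepts.
    # Its presence is what makes the browser show the certificate picker.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_depth 2;

    # "optional": the handshake completes even if the user hits cancel.
    # With "on" instead, a request without a certificate is rejected
    # by nginx with a 400-class error before any location is evaluated.
    ssl_verify_client optional;

    # Public content: served whether or not a certificate was presented.
    location / {
        root /var/www/public;
    }

    # Protected content: require a certificate that chained to the CA above.
    # $ssl_client_verify is SUCCESS, NONE (no certificate sent),
    # or FAILED:<reason>.
    location /private/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Forward the verified identity to the application. proxy_set_header
        # replaces any same-named header the client sent, so the backend only
        # ever sees values set here. The backend must accept these headers
        # from this proxy alone.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;          # placeholder upstream
    }
}
```

The server only ever receives the certificate and a signature over the handshake, never the private key, which is why a site operator cannot replay the exchange elsewhere to impersonate the user.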