top | item 13022333


fullofstack | 9 years ago

https://web.whatsapp.com/ only allows login through a cert (via a QR-code). Some banks also use this. A smartphone is used as a cert vault. Not a client cert in the traditional sense, though it's basically the same thing.



45h34jh53k4j | 9 years ago

Nah, it's not the same thing. Client Authenticated TLS provides a mutually authenticated channel. Mutually authenticated channels cannot be man-in-the-middled. The auth is happening at the transport layer.

A login through a QR code (basically a token) is just normal TLS with the same MiTM risk. It's just an application-layer login.

geofft | 9 years ago

I don't understand the security argument you're making. Are you claiming that, if I use client certs, I am protected against a rogue CA issuing a fake certificate for web.whatsapp.com? How?

If you're thinking of a protocol like Kerberos, then yes, you can derive a shared secret because there's a single-point-of-trust authentication entity (the KDC) which has knowledge of both your password and the server's password/key, and yes, your password certifies that you're talking to the right server (as long as the KDC is trustworthy). But that's not how TLS mutual auth works.
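Both of the points above in running code, as an added example that is not part of the thread and is not WhatsApp's or any bank's code: a Go program that builds a throwaway CA, a server certificate for the made-up host api.example.test, a "phone" client certificate and a second "rogue" CA, then runs three TLS 1.3 handshakes over loopback. With tls.RequireAndVerifyClientCert the server refuses a client that presents no certificate inside the handshake itself, which is the transport-layer login 45h34jh53k4j describes. But when the client's trust store also contains a second CA, a server holding a certificate from that CA for the same hostname is accepted whether or not the client owns a client cert, which is geofft's rogue-CA case. All names, hosts and CAs are assumptions made for the demo; the `must` helper uses generics, so it needs Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed demo material (not WhatsApp's or any bank's): a throwaway CA, a server cert for the made-up host api.example.test, a "phone" client cert, and a second "rogue" CA the client also trusts.
var serial int64

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key and a cert for cn, self-signed (a CA) when parent is nil.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// pair bundles a cert and key the way crypto/tls wants them.
func pair(cert *x509.Certificate, key *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key, Leaf: cert}
}

// handshake runs one TLS 1.3 handshake over loopback and returns the first error either side reports.
// clientRoots is the client's trust store; requireFrom, if non-nil, makes the server demand a client
// cert issued by that CA; clientCerts is what the client can offer when asked.
func handshake(clientRoots []*x509.Certificate, serverCert tls.Certificate, requireFrom *x509.Certificate, clientCerts []tls.Certificate) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true}
	if requireFrom != nil { // the login happens inside the handshake
		srvCfg.ClientAuth, srvCfg.ClientCAs = tls.RequireAndVerifyClientCert, x509.NewCertPool()
		srvCfg.ClientCAs.AddCert(requireFrom)
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", srvCfg))
	defer ln.Close() // also unblocks Accept if the dial below fails
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			// The client cert is verified here; a TLS 1.3 client's own handshake returns before that.
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				_, err = conn.Write([]byte("hello\n"))
			}
		}
		srvErr <- err
	}()
	roots := x509.NewCertPool()
	for _, r := range clientRoots {
		roots.AddCert(r)
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "api.example.test", MinVersion: tls.VersionTLS13, Certificates: clientCerts})
	if err != nil {
		return err
	}
	defer conn.Close()
	_, _ = conn.Read(make([]byte, 16)) // the greeting, or the server's bad_certificate alert
	return <-srvErr
}

// RunDemo returns the results of three handshakes (nil = completed on both sides):
// phoneCert: the client offers the cert the server's CA issued, so mutual auth succeeds;
// noCert: the client offers nothing and the server refuses inside the handshake;
// rogueServer: a server cert from a second CA the client trusts is accepted, phone cert or not.
func RunDemo() (phoneCert, noCert, rogueServer error) {
	ca, caKey := issue("demo-ca", nil, nil)
	srv, phone := pair(issue("api.example.test", ca, caKey)), pair(issue("phone-1234", ca, caKey))
	rogueCA, rogueKey := issue("rogue-ca", nil, nil)
	rogueSrv := pair(issue("api.example.test", rogueCA, rogueKey))
	phoneCert = handshake([]*x509.Certificate{ca}, srv, ca, []tls.Certificate{phone})
	noCert = handshake([]*x509.Certificate{ca}, srv, ca, nil)
	rogueServer = handshake([]*x509.Certificate{ca, rogueCA}, rogueSrv, nil, []tls.Certificate{phone})
	return
}
func main() { fmt.Println(RunDemo()) }
```

The result reported is the server side's, because that is where RequireAndVerifyClientCert does its work: a TLS 1.3 client's Handshake() returns as soon as it has sent its Finished, before the server has looked at the client certificate, so the program reads one record after dialing to collect either the greeting or the bad_certificate alert. The third case is the one to dwell on: the phone cert never enters the picture because the rogue server simply does not ask for it, and the client's only defence was its CA store.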

piqufoh | 9 years ago

I've just set that up, thanks - the UX is brilliant, exactly what's needed to increase adoption. Of course, it requires that you've gone through the WhatsApp phone app setup, but I'm sure this model could be applied on an equivalent system - especially as smartphones are almost ubiquitous now.

jimktrains2 | 9 years ago

> though it's basically the same thing.

How is it the same thing? If it's the system I'm familiar with (the QR code is basically an OTP for your phone), then they're nowhere near "basically" or even at all the same.