Re: [TLS] HTTPS client-certificate-authentication in browsers

Martin Rex <mrex@sap.com> Wed, 07 September 2011 15:40 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBA3721F8C6A for <tls@ietfa.amsl.com>; Wed, 7 Sep 2011 08:40:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.72
X-Spam-Level:
X-Spam-Status: No, score=-9.72 tagged_above=-999 required=5 tests=[AWL=-0.071, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hMCbA6CYl-A6 for <tls@ietfa.amsl.com>; Wed, 7 Sep 2011 08:40:20 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBCC21F8C3A for <tls@ietf.org>; Wed, 7 Sep 2011 08:40:20 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id p87Fg6im017085 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 7 Sep 2011 17:42:06 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201109071542.p87Fg51m028141@fs4113.wdf.sap.corp>
To: mrex@sap.com
Date: Wed, 07 Sep 2011 17:42:05 +0200
In-Reply-To: <201107290006.p6T06BD0012180@fs4113.wdf.sap.corp> from "Martin Rex" at Jul 29, 11 02:06:11 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: stefan.winter@restena.lu, tls@ietf.org
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2011 15:40:22 -0000

Sorry for the hardly-usable URL back then ($$-download of the
computer magazine article).  I didn't have the magazine with
me when I wrote that EMail.

The magazine article "iOpener" is a exploration of how easy it is
to access data on an Apple iPhone or iPad1, once you get your hands
on it, with publicly available information and tools.

It is based on this research and tools:

  Jean-Baptiste Bédrune, Jean Sigwald: iPhone data protection in depth

  http://conference.hackinthebox.org/hitbsecconf2011ams/materials/D2T2%20-%20Jean-Baptiste%20Be%cc%81drune%20&%20Jean%20Sigwald%20-%20iPhone%20Data%20Protection%20in%20Depth.pdf

that was presented on the hack-in-the-box 2011 conference

  Tools:
  http://code.google.com/p/iphone-dataprotection/
  http://code.google.com/p/networkpx/downloads/list


-Martin


Martin Rex wrote:
> 
> > 
> > This attitude was OK before we entered the "Google- and Apple-age".
> > It's an entirely different ball-game now!
> 
> Smart phones are already attractive targets for theft even with no
> additional digital gems added by the end user.  Significantly
> further increasing the attractiveness of that target for both,
> digital theft through malware and physical theft of the smartphone,
> does not seem overly sensible to me.
> 
> From what I read in the german computer magazine,
>   http://www.heise.de/artikel-archiv/ct/2011/15/154_kiosk
> 
> all existing iPhones and iPad1s seem to have the vulnerability
> in the Boot-Rom (i.e. Hardware, no possibility to fix by software update)
> that might enable thieves to bypass many if not all of the assumed
> "protections" and retrieve your private data.
> 
> 
> -Martin
>