Re: [TLS] HTTPS client-certificate-authentication in browsers

Peter Gutmann <> Thu, 28 July 2011 14:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7483B21F8C77 for <>; Thu, 28 Jul 2011 07:45:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.62
X-Spam-Status: No, score=-3.62 tagged_above=-999 required=5 tests=[AWL=-0.021, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oXl5E6eY2ZxN for <>; Thu, 28 Jul 2011 07:45:15 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 1275F21F8C71 for <>; Thu, 28 Jul 2011 07:45:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=uoa; t=1311864315; x=1343400315; h=from:to:subject:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<> |,|Subject: =20Re:=20[TLS]=20HTTPS=20client-certificate-authenticatio n=20in=20browsers|In-Reply-To:=20<4E31299F.6060400@resten>|Message-Id:=20<E1QmRpn-0006TH-5l@login01.fos.auckla>|Date:=20Fri,=2029=20Jul=202011=2002:45:11=20+12 00; bh=m1c3An9jDVjwu30p55R65HaTMoz2FybN+ubxr4XVtVU=; b=rIVpVqPHP2WErY+tDW7XpMdrywTx0Xr7863YfNCG+U8maq2SA6W7g0zm zkOd1e1nU81oK+p5Wyzd1ZoORjYNln1UdEahb+iLOrgl8LHvzbWgTgt1U j/p8RqZWNwOVr7eYwwFS23nyXP9s/VbO5XQSrNxWLBsNnQ2bXB4QxteQG I=;
X-IronPort-AV: E=Sophos;i="4.67,282,1309694400"; d="scan'208";a="74606615"
X-Ironport-Source: - Outgoing - Outgoing
Received: from ([]) by with ESMTP/TLS/AES256-SHA; 29 Jul 2011 02:45:11 +1200
Received: from ([]) by with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <>) id 1QmRpn-0005Za-Gq; Fri, 29 Jul 2011 02:45:11 +1200
Received: from pgut001 by with local (Exim 4.69) (envelope-from <>) id 1QmRpn-0006TH-5l; Fri, 29 Jul 2011 02:45:11 +1200
From: Peter Gutmann <>
In-Reply-To: <>
Message-Id: <>
Date: Fri, 29 Jul 2011 02:45:11 +1200
Subject: Re: [TLS] HTTPS client-certificate-authentication in browsers
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Jul 2011 14:45:16 -0000

Stefan Winter <> writes:

>Banking: These days, TAN lists are going away.

Is there any information on what's being done in countries like France, Italy,
the Netherlands, Spain, ...?  The only place where it's really documented (in
quite some detail) is Germany (with surrounding/similar countries like Austria
and Switzerland using equivalent approaches), but what are other countries in
Europe doing?  There's rather little information *from third parties, not the
vendors* publicly available on how e-banking is done in France, Spain, ...,
the pros and cons, how it deals with new attack types, and so on.

>a) cell phone transaction numbers:

The problem is that mTANs are vulnerable to smartphone malware, as Zeus has
already shown.  It's currently a minor threat, but who knows how far the bad
guys will take it.  On the whole though mTANs are a nice tradeoff, you get to
verify the transaction over an independent channel, and the mTAN is a
cryptographic hash over the transaction data so if a MITB tries to modify what
the browser sends it gets detected.