If I want to use client certificates for authentication to a certain part of my website, is it possible to make the client certificate only work on a certain domain name?

I know when requesting the client certificate you can request the CA. But I want it so if my site is domain.com and the client visits a fake website domainn.com then when the client certificate is requested on that fake website it will be impossible for the real client certificate to be used as it won't match to the correct domain.

2
  • 2
    What's your concern with cert reuse? Commented May 22, 2018 at 3:20
  • Would fake website domainn.com be any less convincing if it does not retrieve the client certificate?
    – curiousguy
    Commented May 24, 2018 at 9:16

1 Answer

2

You can't regulate where the cert goes as it's handled by the client (browser in your case). There's nothing in a client cert to restrict it to specific domains. The browser is free to send it wherever it wishes. There are settings in the browser that let users control where the certs go, but that too is out of your control.

That said, I'm not sure why you care who gets the cert. If you're using client certs, there's no chance of phishing or MiTMing.

11
  • do you know of any documents that go into detail of how phishing is not possible?
    – PixelPaul
    Commented May 22, 2018 at 23:49
  • Phishing attacks credentials - passwords and sometimes OTPs (e.g. Google Authenticator). When you're using client certs, you generally don't have passwords. If you're using passwords with client certs as a 2FA, then phishing would be possible, though the user would likely get a browser popup asking them to select the cert for the website. And they still wouldn't get the cert's private key as that is never transmitted. So it is safe against all but browser vulnerabilities and malware installed on the computer. Commented May 23, 2018 at 15:00
  • 1
    What are you concerned that will be phished? Commented May 23, 2018 at 15:01
  • Phishing is always "possible", it's a user issue: as long as a user is willing to enter data in a form in a random website, and able to connect to that website (not possible if you're on an intranet with only access to a few whitelisted legit domains), and able to remember that secret code (not possible if you don't remember the code and have a browser autofill feature that only works on a given domain), phishing is possible.
    – curiousguy
    Commented May 24, 2018 at 9:14
  • @curiousguy I'm not sure how phishing is possible if mutual auth SSL is the only authentication in use. What would be phished? The private key? Seems unlikely to me. Commented May 25, 2018 at 2:50
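
The point the answer makes, as an added Go example that is not part of the question or the answer: a client certificate carries no server name, so a TLS client hands the same certificate to whichever server it has been pointed at, and the only control is on the server side, which decides which certificates it trusts. Every certificate and name below (real.test, lookalike.test, alice, mallory) is constructed for the demonstration; the handshake runs over an in-memory pipe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned mints a throwaway self-signed certificate (constructed test material, not a real PKI).
func selfSigned(cn string, dns []string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

func poolOf(c tls.Certificate) *x509.CertPool { // trust store holding only c's own certificate
	leaf, _ := x509.ParseCertificate(c.Certificate[0])
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return pool
}

// mtlsHandshake runs one client-authenticated handshake: the client believes it is talking to serverName
// and presents `presented`; the server trusts only `trusted`. Returns the CN the server authenticated.
func mtlsHandshake(serverCert, trusted, presented tls.Certificate, serverName string) (string, error) {
	srv := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: poolOf(trusted)}
	cli := &tls.Config{Certificates: []tls.Certificate{presented}, RootCAs: poolOf(serverCert), ServerName: serverName}
	a, b := net.Pipe()
	go func() { // server side; on a rejected certificate the TLS alert reaches the client's Read below
		s := tls.Server(a, srv)
		if s.Handshake() == nil {
			io.WriteString(s, s.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
		s.Close()
	}()
	c := tls.Client(b, cli)
	defer c.Close()
	cn, err := io.ReadAll(c) // drives the client handshake, then reads the server's answer until close_notify
	return string(cn), err
}
```

Nothing in the client's configuration changes between the real site and the look-alike except the server name it was told to expect; what the server gets to enforce is its own trust store.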
