Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
1a527dd5 8 hours ago

Anyone else got a really weird Chorme pop-up asking which cert to use for su3.io:443?

Very bizarre, never seen that before.

Thumbprints:

  - 60949a09aab8677f87a0b9eda7099a03ca510fb3
  - 1b146798f0dc93773247e86312f1b730c4eeebb3
KronisLV 7 hours ago | parent | next [-]

> Very bizarre, never seen that before.

For my own stuff that's not meant for a wider audience, I sometimes use mTLS in front of my apps, alongside self-signed certs (my own CA) that shouldn't show up in certificate transparency logs.

This site also seems to be requesting a certificate from the user. Normally you probably don't want that for public facing resources.

sunaookami 7 hours ago | parent | prev | next [-]

Same on Firefox

embedding-shape 7 hours ago | parent | prev | next [-]

Here it attempts to read my personal certificate that sits in the browser that I use for filling my taxes and do government stuff, suspicious indeed.

cmgbhm 6 hours ago | parent | next [-]

That’s likely just the side effect of supporting mtls. Mutual TLS came around at the same time as Microsoft did implicit network auth. Seemed magical at the time and so hare brained for eons of problems. The user side tls never caught on in most circles and still has the ancient sharp edges

iknowstuff 4 hours ago | parent [-]

Could probably buff it with passkeys these days

https://www.passkeyprf.com/

naturalmovement 4 hours ago | parent | prev | next [-]

That's literally how client certificates work.

It's not attempting to "read" anything, nor is it the least bit suspicious or malicious.

Your browser was asked if it would like to present a certificate to authenticate, and you were prompted to choose one if you please. You can also hit cancel as client auth can be optional and the server will either serve you the page or a 401/403.

It's like being asked to show ID to enter a pub, you can either show one or decline, and they may or may not let you enter based on that transaction.

TurdF3rguson an hour ago | parent [-]

It's a little suspicious. Why are they doing something that no other website in the world does? I was curious about zero-whatever but not enough to do whatever this is.

naturalmovement 43 minutes ago | parent [-]

Bruh it's one line in nginx config.

> that no other website in the world does

That you know of. Anywhere with stringent security it's everywhere.

mook 6 hours ago | parent | prev [-]

That's because the client certificate interface in browsers is supremely dumb. It always just lists all certificates you have, with very little context in the UI, and hopes that's good enough. I believe that's part of the reason client certificates are not poplar; having actual users deal with that is terrible, and the browsers (in practice, Chrome because of its overwhelming market share) isn't incentivized to fix it.

Avamander 3 hours ago | parent | next [-]

Servers can communicate their preference in terms of CAs they want. But the UX in browsers is unbelievably horrible for no good reason.

Not only is it difficult for an user to make a proper selection, it's also hard to fix a wrong one. The error pages are also terrible. There's no way for the site owner to request that when the navigation to the (auth) page fails, redirect back. Nope, no way to do error handling without some really clever iframe stuff and even then it's way too opaque.

God forbid you have to deal with CORS + mTLS.

elevation 2 hours ago | parent [-]

> God forbid you have to deal with CORS + mTLS

As someone who is about to deal with exactly this, what kind of trouble am I in for?

4 hours ago | parent | prev [-]
[deleted]
linsomniac 7 hours ago | parent | prev | next [-]

Same on Arc

jorl17 7 hours ago | parent | prev [-]

Same on Zen