
I should add that of course I back up private keys, but in 20 years of using the web, I've not encountered a single other site that uses client certificates for authentication. I know it's more common in enterprise situations. I'm supposed to have a workflow to backup my browser client certificates just for one site? It's not their fault that browsers mostly have poor UI for handling client certs, but it is their fault for requiring them. Let's not even get started on what happens when you get chain problems, or if the client cert expires, or any of the myriad other ways it can go wrong. Just use 2FA like every other secure site, and I'll store a secure password in LastPass.


> I should add that of course I back up private keys, but in 20 years of using the web, I've not encountered a single other site that uses client certificates for authentication.

I don't know what you have been doing the last 20 years on the web (and I'll assume it's more than just surfing facebook), but it's not entirely uncommon, and I've encountered it several places.

Symantec's CA uses it. My online bank used to do so too. I've seen VPNs using it. Iirc some IPv6 tunnel-providers also require you to authenticate using certificates before letting you set up new IPv6 subnets.

It may not be mainstream, but it's part of the standard. And it's much more secure than a regular username/password, for the same reason SSH keys are more secure than allowing username/password logins.


The fact I'm on Hacker News should probably give you an idea. I know it's relatively common on corporate intranets, but I don't use those. I can assure you that I've used lots of CAs, banking sites, VPN providers, registrars, hosting providers (and plenty of others) and made no specific effort to avoid them, and StartSSL is (almost) the only one I've found. I've remembered that the UK Government Gateway used to use them about 10 years ago, but they were optional. My point was that you referred to all other security as "half-assed" (and implied I was too), which would make almost all other sites half-assed. Now there are a lot of sites with half-assed security, but I'm not sure you could call all of these half-assed: https://twofactorauth.org/ http://www.dongleauth.info/


> My point was that you referred to all other security as "half-assed" (and implied I was too), which would make almost all other sites half-assed.

To be clear about that: My point about half-assed was your seeming unwillingness to back up client certificates, which give full access to your real certificates and (in some cases) private certificate keys.

Unless on Windows (where StartSSL has its private keys marked non-exportable in the certificate store, sic), doing such a backup takes almost no effort. There's no excuse for going all the way through to get a cert and then not bothering to back up these client certs too.


Even if it's easy (and it may be now - I haven't done it for a while), it's still a whole extra backup workflow, which I have to work out how to do for all different browsers, and if I'm on another machine work out how to import, and work out if it's possible on mobile, and oh look, my personal certificate has expired so I can't login to renew it so I need to create a new account to get a new certificate and email them to get the accounts merged...all for one site. Or

  ./letsencrypt-auto renew
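The two practical points in the exchange above are that backing up a browser client cert is a small job, and that letting it expire locks you out of the account you would use to renew it. The script below is an added example, not code from the thread or from StartSSL: it generates a throwaway client key and certificate (constructed stand-in for the one a browser holds), bundles them into a password-protected PKCS#12 file, verifies that the backup restores to the same certificate by comparing SHA-256 fingerprints, and checks how many days of validity remain so you can renew before the lock-out. The names, paths and password are all assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): client-cert backup and expiry check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway client key + cert standing in for a browser's client cert.
# A real one comes out of the browser's certificate store as a .p12/.pfx instead.
make_client_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=example-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# Bundle cert and private key into one encrypted PKCS#12 file: this is the backup artifact.
# The password "backup-pw" is a placeholder assumption.
backup_client_cert() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -name "example-client" -passout pass:backup-pw -out "$WORK/client-backup.p12"
}

# Restore test: extract the cert from the .p12 and compare its SHA-256 fingerprint
# with the original. Returns 0 only if the backup yields the same certificate.
verify_backup() {
  orig_fp=$(openssl x509 -in "$WORK/client.crt" -noout -fingerprint -sha256)
  restored_fp=$(openssl pkcs12 -in "$WORK/client-backup.p12" -passin pass:backup-pw \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
  [ "$orig_fp" = "$restored_fp" ]
}

# Expiry check: returns 0 if the cert will still be valid $1 days from now, 1 if it
# will have expired by then (the "can't log in to renew" failure mode from the thread).
still_valid_in_days() {
  openssl x509 -in "$WORK/client.crt" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Stand-alone run: build, back up, verify, then report on a 10-day and a 60-day horizon.
if [ "${1:-}" = "run" ]; then
  make_client_cert
  backup_client_cert
  verify_backup && echo "backup verified"
  still_valid_in_days 10 && echo "still valid in 10 days"
  still_valid_in_days 60 || echo "expired within 60 days: renew now"
fi
```

Run it with `sh backup-check.sh run`. For a real Firefox profile the NSS tool `pk12util -o backup.p12 -n <nickname> -d sql:<profile directory>` produces the same kind of .p12 file, and Chrome on Linux keeps its client certs in the NSS database under `~/.pki/nssdb`, so the same tool applies there; the verify step then works unchanged against whichever file you export.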


Good for you, I guess. I've yet to have letsencrypt work on a single one of my websites, and I'll stick to StartSSL until there's something better around.



