We @wonderproxy use client side certificates to protect resources that only employees should access.
I love it. There's a bit of initial work when someone new starts, but that's about it.
It doesn't matter how much I screw up in a bunch of code because the webserver will not connect to a browser on those domains/directories.
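As an added example (not code from the thread, and not WonderProxy's setup), here is the mechanism in Go: a test TLS server is configured to require a client certificate that chains to an internal CA, and three clients try it. A client with no certificate and a client with a certificate from some other issuer never reach the request handler; the employee with a CA-issued certificate gets the page, and the handler can see who they are from the certificate. Everything named here is constructed for the example: the "Example Corp Internal CA", the employee identity alice@example.test and the /admin path.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue creates a short-lived ECDSA certificate for this example: self-signed when parent
// is nil (the internal CA), otherwise signed by parent/parentKey (an employee certificate).
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only a broken random source gets here
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// request performs one GET against srv, presenting cert/key when cert is non-nil.
func request(srv *httptest.Server, cert *x509.Certificate, key *ecdsa.PrivateKey) (int, string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust the test server's own TLS certificate
	cfg := &tls.Config{RootCAs: roots}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL + "/admin")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

type Result struct {
	RejectedWithoutCert bool   // no certificate at all: refused at the TLS layer
	RejectedForeignCert bool   // certificate not issued by the internal CA: also refused
	Status              int    // HTTP status seen by the employee holding a CA-issued certificate
	Body                string // response body seen by that employee
}

// Demo stands up the protected server and exercises it with the three clients.
func Demo() (res Result, err error) {
	ca, caKey := issue(1, "Example Corp Internal CA", true, nil, nil)
	emp, empKey := issue(2, "alice@example.test", false, ca, caKey)
	rogue, rogueKey := issue(3, "stranger", false, nil, nil) // self-signed, outside the CA
	// The server aborts the handshake unless the client presents a certificate chaining
	// to the internal CA, so the handler (and any bug in it) is unreachable for others.
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	_, _, err = request(srv, nil, nil)
	res.RejectedWithoutCert = err != nil
	_, _, err = request(srv, rogue, rogueKey)
	res.RejectedForeignCert = err != nil
	res.Status, res.Body, err = request(srv, emp, empKey)
	return res, err
}
```

The piece that makes "it doesn't matter how much I screw up in a bunch of code" true is `tls.RequireAndVerifyClientCert` together with `ClientCAs`: the check happens in the TLS handshake, before any HTTP request is parsed, so no route, middleware or session bug can skip it. With TLS 1.3 the client without a certificate only sees the rejection when it tries to read the response, because the server's alert arrives after the client's half of the handshake has finished; with TLS 1.2 the handshake itself fails. In production the same setting is usually a web-server directive (`ssl_verify_client on` in nginx, `SSLVerifyClient require` in Apache) rather than application code.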
-
@preinheimer @wonderproxy I've considered this many times. Ultimately we use Cloudflare Access to protect these things but they also offer that as an additional layer. At scale it always just felt like it was a lot of IT work when it's [hundreds] of people.
-
@josh It's extra work for sure. I will say my last employer installed client side certs on all machines before handing them to end users, and it worked well there.
-
@preinheimer I used this exact method at my previous place where most of the team (20 people) worked on site, so the likelihood of a computer theft was limited to very few people.
It was working great, people loved not having to type in passwords and the direction LOVED not having this as a possible leak.
Trying to access our backends required a client certificate that you could only issue from within the office.
And I know that knowledgeable folks would have thrown me under the bus for many technically valid reasons — I think it was Ryan Sleevi perhaps? On a different social media that is no longer searchable.
Nowadays I’d add a login screen with a password manager deployed to everyone, so that the friction wouldn’t be too high, but the client cert would stay, if not for authentication of the individual, at least as a nice layer.