Hi folks,
From my understanding, if a TLS/SSL client is using a client certificate, the compromise of its private key alone won't allow a man-in-the-middle attack if ciphers are selected properly (of course anonymous ciphers are vulnerable), as the man-in-the-middle cannot forge the signatures made by the server side. This being said, having other credentials, the hacker could impersonate the client whose private key was stolen. Now our security folks apparently hold the opposite view; can someone here help?

Thanks in advance.

Regards,
Joe Guan