Home page logo
/

basics logo Security Basics mailing list archives

RE: Stealing certificates
From: "Walter Williams" <wbjw () mindspring com>
Date: Mon, 25 Nov 2002 07:27:57 -0500

Netscape has a problem with their method of requesting a certificate wherein
the private key can be stolen during the certificate request process.  Don't
trust Netscape browser clients.

Walt Williams, SSCP

-----Original Message-----
From: Rygg Christian [mailto:christian.rygg () edb com]
Sent: Wednesday, November 20, 2002 5:05 AM
To: 'SECURITY-BASICS () SECURITYFOCUS COM'
Subject: Stealing certificates


Hi,

I'm currently working on a security evaluation on a solution using https
based on server and client certificates (stored in the browser). I have
found the information I need on most areas, but I'm having a bit
of trouble
finding info on how easy/hard it would be for a hacker to steal a client
certificate. Does anyone know of a good resource for this kind of
information? Questions are along the lines of:

What weaknesses exist in the various browsers when it comes to
certificates?
How easy would it be for a trojan to extract a certificate (with private
key) from the various browsers?

PS: I have found quite a lot of information on other exploits like the bug
in IE that validates fake certificate as OK. Right now I'm just interested
in the possibility of stealing a certificate with private key from various
browsers.

Thanks in advance!

Christian Rygg


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]