Security Basics mailing list archives

Stealing certificates

From: Rygg Christian <christian.rygg () edb com>
Date: Wed, 20 Nov 2002 11:05:22 +0100

Hi,

I'm currently working on a security evaluation on a solution using https
based on server and client certificates (stored in the browser). I have
found the information I need on most areas, but I'm having a bit of trouble
finding info on how easy/hard it would be for a hacker to steal a client
certificate. Does anyone know of a good resource for this kind of
information? Questions are along the lines of:

What weaknesses exist in the various browsers when it comes to certificates?
How easy would it be for a trojan to extract a certificate (with private
key) from the various browsers?

PS: I have found quite a lot of information on other exploits like the bug
in IE that validates fake certificate as OK. Right now I'm just interested
in the possibility of stealing a certificate with private key from various
browsers.

Thanks in advance!

Christian Rygg

Current thread:

Stealing certificates Rygg Christian (Nov 21)
- RE: Stealing certificates Walter Williams (Nov 25)
- <Possible follow-ups>
- Re: Stealing certificates Adrian McCullagh (Nov 22)
- RE: Stealing certificates Rygg Christian (Nov 25)