Security Basics mailing list archives
RE: Stealing certificates
From: "Walter Williams" <wbjw () mindspring com>
Date: Mon, 25 Nov 2002 07:27:57 -0500
Netscape has a problem with their method of requesting a certificate wherein the private key can be stolen during the certificate request process. Don't trust Netscape browser clients. Walt Williams, SSCP
-----Original Message----- From: Rygg Christian [mailto:christian.rygg () edb com] Sent: Wednesday, November 20, 2002 5:05 AM To: 'SECURITY-BASICS () SECURITYFOCUS COM' Subject: Stealing certificates Hi, I'm currently working on a security evaluation on a solution using https based on server and client certificates (stored in the browser). I have found the information I need on most areas, but I'm having a bit of trouble finding info on how easy/hard it would be for a hacker to steal a client certificate. Does anyone know of a good resource for this kind of information? Questions are along the lines of: What weaknesses exist in the various browsers when it comes to certificates? How easy would it be for a trojan to extract a certificate (with private key) from the various browsers? PS: I have found quite a lot of information on other exploits like the bug in IE that validates fake certificate as OK. Right now I'm just interested in the possibility of stealing a certificate with private key from various browsers. Thanks in advance! Christian Rygg
Current thread:
- Stealing certificates Rygg Christian (Nov 21)
- RE: Stealing certificates Walter Williams (Nov 25)
- <Possible follow-ups>
- Re: Stealing certificates Adrian McCullagh (Nov 22)
- RE: Stealing certificates Rygg Christian (Nov 25)