RE: Stealing certificates

["Walter Williams" <wbjw () mindspring com>]

Netscape has a problem with their method of requesting a certificate wherein
the private key can be stolen during the certificate request process.  Don't
trust Netscape browser clients.

Walt Williams, SSCP

> -----Original Message-----
> From: Rygg Christian [mailto:christian.rygg () edb com]
> Sent: Wednesday, November 20, 2002 5:05 AM
> To: 'SECURITY-BASICS () SECURITYFOCUS COM'
> Subject: Stealing certificates
>
>
> Hi,
>
> I'm currently working on a security evaluation on a solution using https
> based on server and client certificates (stored in the browser). I have
> found the information I need on most areas, but I'm having a bit
> of trouble
> finding info on how easy/hard it would be for a hacker to steal a client
> certificate. Does anyone know of a good resource for this kind of
> information? Questions are along the lines of:
>
> What weaknesses exist in the various browsers when it comes to
> certificates?
> How easy would it be for a trojan to extract a certificate (with private
> key) from the various browsers?
>
> PS: I have found quite a lot of information on other exploits like the bug
> in IE that validates fake certificate as OK. Right now I'm just interested
> in the possibility of stealing a certificate with private key from various
> browsers.
>
> Thanks in advance!
>
> Christian Rygg