Netscape has a problem with their method of requesting a certificate wherein the private key can be stolen during the certificate request process. Don't trust Netscape browser clients.
Walt Williams, SSCP

> -----Original Message-----
> From: Rygg Christian [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 20, 2002 5:05 AM
> To: '[EMAIL PROTECTED]'
> Subject: Stealing certificates
>
> Hi,
>
> I'm currently working on a security evaluation on a solution using https
> based on server and client certificates (stored in the browser). I have
> found the information I need on most areas, but I'm having a bit of trouble
> finding info on how easy/hard it would be for a hacker to steal a client
> certificate. Does anyone know of a good resource for this kind of
> information? Questions are along the lines of:
>
> What weaknesses exist in the various browsers when it comes to certificates?
> How easy would it be for a trojan to extract a certificate (with private
> key) from the various browsers?
>
> PS: I have found quite a lot of information on other exploits like the bug
> in IE that validates fake certificate as OK. Right now I'm just interested
> in the possibility of stealing a certificate with private key from various
> browsers.
>
> Thanks in advance!
>
> Christian Rygg
