I have a certificate that must be manually installed on my browser in order to have a secure connection with a specific website.

Are there known cases of malicious JavaScript or Chrome/Firefox extensions copying a certificate from a browser? And if yes, then how were/are such attacks even possible?

  • Any extension can do anything you could do by hand, if you gave the relevant permissions. I never heard of any attack like that, but it's possible. Very, very unlikely but possible. – ThoriumBR Jul 02 '18 at 16:33
  • A quick Google search shows: https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/december/an-attack-on-ssl-client-certificates/ and https://security.stackexchange.com/questions/142011/stealing-client-certificate-using-cross-frame-scripting – schroeder Jul 02 '18 at 16:35
  • @thoriumbr Why unlikely? And what permissions do I need to grant to a Chrome extension in order to give it any chance to copy my certificate? – KarmaPeasant Jul 02 '18 at 18:15
  • @user161005 - Is the certificate meant to identify you (has a private key), or is it meant to identify the website (no private key)? In either case, any malicious extension could presumably just communicate directly with the website without informing you/displaying a tab (I don't know enough of Chrome, but it might be able to do that _without_ needing export access to the cert). Which would mean, in the former case, the only thing export access gets them is the ability to impersonate you while your computer is offline. – Clockwork-Muse Jul 02 '18 at 20:15
  • Actually, this sounds strange anyway; if the certificate is meant to identify you, and has a private key, only you should have the private key, and you should be generating the certificate yourself (although you may need to perform a signing request). Slightly user-unfriendly, but a simple wizard could be created. If the certificate is meant to identify the website... it seems strange that the website wouldn't have it signed by a CA? – Clockwork-Muse Jul 02 '18 at 20:18
  • @clockwork-muse the certificate was issued to me, I think it means that it was meant to identify me. "only you should have the private key", and it seems to be the case. "and you should be generating the certificate yourself": the website generated a certificate for me and I downloaded it. I don't understand what and why you find strange. – KarmaPeasant Jul 03 '18 at 02:19
  • The problem there is twofold: 1) The website can trivially know your private key (meaning they can impersonate you), and 2) The security channel for generating your identity is using some other lower-security process (hopefully regular HTTPS), and begs the question of why regular HTTPS+login wouldn't work normally. Also, if you're worried about a malicious browser plugin, you've already lost: anything you download is almost certainly under a lower security than the certificate store, to say nothing of an extension being able to manipulate the page in the first place. – Clockwork-Muse Jul 03 '18 at 15:46
  • @clockwork-muse "if you're worried about a malicious browser plugin, you've already lost" Firstly, not a plugin, but an extension. Secondly, I could generate the certificate before installing any extensions. – KarmaPeasant Jul 03 '18 at 16:21
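
The CSR-based issuance that the comments above recommend (the user generates the key pair, the website only ever sees a signed certificate request), as an added example that is not part of the original thread. It uses only the Go standard library; the throwaway CA, the names "Example Site CA" and "client-example", and the function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error: fine for a demo, not for production
	if err != nil {
		panic(err)
	}
	return v
}

// IssueViaCSR is the website/CA side: it receives only the CSR (subject, public key, self-signature),
// checks proof of possession and issues a client-auth cert. The requester's private key never crosses.
func IssueViaCSR(caKey *ecdsa.PrivateKey, ca *x509.Certificate, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // rejects a CSR not signed by the key it names
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo runs the exchange with a throwaway CA (constructed here) and returns client key, CA cert, issued cert.
func Demo() (*ecdsa.PrivateKey, *x509.Certificate, *x509.Certificate, error) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Site CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	// Client side: the key pair is generated locally; only the signed CSR is sent to the site.
	clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "client-example"}}, clientKey))
	cert, err := IssueViaCSR(caKey, ca, csrDER)
	return clientKey, ca, cert, err
}
```

Contrast this with the flow in the question, where the site generates both key and certificate and the user downloads them: there the site necessarily holds a copy of the private key, which is the first of the two problems raised in the comments.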

0 Answers