Today I encountered a government-related web site that showed me all of my certificates in a combo box for authentication on that web site.
What were those certificates?
How can I show them in an ASP.NET web site?
Can the browser access those certificates?
If yes, why is there such access?
Can somebody steal them and use them for a Man-in-the-Middle attack?
I found this about stealing digital certificates:
Why Steal Digital Certificates?
Please give me some advice on this.
1 Answer
The website didn't show you anything. The server invoked a rarely-used option in the SSL/TLS protocol -- nowadays TLS 1.2 (RFC 5246 section 7.4.4) or TLS 1.3 (RFC 8446 section 4.3.2) -- asking the client, which is the browser, to authenticate using a certificate. The browser displayed a list of suitable certificates -- those installed in your system or browser for which you have a private key, and which are from a CA specified by the server (if it does so) -- for you to select from. Often browsers can be configured to skip this dialog if there is only one suitable choice (and just use it), and if there is no suitable choice they always skip the dialog and tell the server 'no cert for you', after which the server decides whether to let you connect with no cert (possibly allowing only restricted functionality in this case) or to reject the connection entirely.
How can I show them in an ASP.NET web site?
You can cause the browser to show them by requesting client authentication, aka a client certificate. I don't use ASP.NET, and questions about programming specific software are off-topic here anyway, but a quick search finds Microsoft docs and the following 'down the hall':
https://stackoverflow.com/questions/35582396/how-to-use-a-client-certificate-to-authenticate-and-authorize-in-a-web-api
https://stackoverflow.com/questions/53761660/net-core-web-api-with-client-certificate-authentication
https://stackoverflow.com/questions/60477579/certificate-authentication-implementation-in-asp-net-core-3-1
Can the browser access those certificates? If yes, why is there such access?
Absolutely. The browser must access the cert (including the private key, which is associated with but not strictly speaking part of the cert) in order to carry out the authentication procedure as defined in the SSL/TLS protocol and requested by the server. That's the way the server determines you are who you claim to be.
Can somebody steal them and use them for a Man-in-the-Middle attack?
Not by themselves. Someone who steals your cert and private key can impersonate you. For example, if this government website allows citizens to sign up for military service, someone could use your cert-and-key to enlist you without you knowing anything about it, and when the bus shows up at your house at 5am one morning to take you to basic training you'll be unpleasantly surprised.
But having your cert doesn't enable someone to impersonate any website, including the government one, to you, which is the goal of a MitM. For that they must either insert, or get you (or some other authorized person) to insert, a Certificate Authority (CA) certificate in your system or browser. Now, any malefactor who has enough access to steal your cert probably has enough access to also insert a CA cert, so you are at risk from that attacker, just not from the attack you asked about.
- I doubt that they are rarely used - they're quite common in internal networks. – May 01 '22 at 00:47
- @MechMK1: The source for that is also 11 years old. Back then, Internet Explorer was more common than Google Chrome. – Esa Jokinen May 01 '22 at 05:22
- Even if the question is about websites, TLS is also used by a ton of other things, and lots of other protocols do need mutual authentication, in which case client certificates may/can be used. – Patrick Mevzek May 03 '22 at 03:56
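The exchange the answer describes, as an added example that is not part of the original question, answer or comments and is not any project's code: a Go program, standard library only, that stands in for both the browser and the government server on a loopback socket. It builds a constructed toy PKI (the names Toy Root CA, gov.example and alice, the greeting text and the scenario labels are all made up here) and then plays out four situations from the answer: the browser presenting a suitable client certificate after the server's CertificateRequest; a client with nothing suitable hitting a server that rejects it; the same client hitting a server that admits it anonymously (the "restricted functionality" case); and a thief who holds alice's certificate trying to use it as a server certificate, which a client that trusts the CA rejects because the name and extended key usage do not fit. Because a thief who also has alice's private key is indistinguishable from alice to the server, the first scenario is simultaneously the impersonation case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue mints a cert for cn: a self-signed root when parent is nil, otherwise a leaf signed by parent/parentKey.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, eku x509.ExtKeyUsage) (tls.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // the name and extended key usage a verifier will check the leaf against
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{eku}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// handshake runs one TLS connection over loopback. srv.ClientAuth decides whether the server sends a
// CertificateRequest and what it does when the client has no cert. Result: the server's greeting, or "rejected: <error>".
func handshake(srv, cli *tls.Config) string {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	go func() {
		raw, _ := ln.Accept() // the Dial below guarantees a peer
		c := tls.Server(raw, srv)
		defer c.Close()
		if c.Handshake() != nil {
			return // crypto/tls has already sent the client an alert
		}
		who := "anonymous"
		if pc := c.ConnectionState().PeerCertificates; len(pc) > 0 {
			who = pc[0].Subject.CommonName
		}
		fmt.Fprintf(c, "hello %s", who)
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "rejected: " + err.Error()
	}
	defer c.Close()
	// Under TLS 1.3 the client finishes its handshake before the server has judged the client cert, so a rejection may only surface here.
	msg, err := io.ReadAll(c)
	if err != nil {
		return "rejected: " + err.Error()
	}
	return string(msg)
}

// scenarios builds a constructed toy PKI (assumed names, not from the page: a root CA, a server cert for
// gov.example, a client cert for citizen alice) and plays out the situations the answer describes.
func scenarios() map[string]string {
	ca, caKey := issue("Toy Root CA", nil, nil, 0)
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	server, _ := issue("gov.example", ca.Leaf, caKey, x509.ExtKeyUsageServerAuth)
	alice, _ := issue("alice", ca.Leaf, caKey, x509.ExtKeyUsageClientAuth)
	strict := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: roots, ClientAuth: tls.RequireAndVerifyClientCert}
	lenient := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: roots, ClientAuth: tls.VerifyClientCertIfGiven}
	anon := &tls.Config{RootCAs: roots, ServerName: "gov.example"}
	asAlice := &tls.Config{RootCAs: roots, ServerName: "gov.example", Certificates: []tls.Certificate{alice}}
	return map[string]string{
		// The browser dialog's pick; a thief holding the same cert+key is greeted identically.
		"alice presents her cert": handshake(strict, asAlice),
		// Empty Certificate from the client: one server rejects it, the other admits it anonymously.
		"no cert, server requires one":        handshake(strict, anon),
		"no cert, server merely requests one": handshake(lenient, anon),
		// A stolen client cert cannot pose as gov.example: wrong name, and EKU clientAuth rather than serverAuth.
		"thief's server presenting alice's cert": handshake(&tls.Config{Certificates: []tls.Certificate{alice}}, anon),
	}
}

func main() {
	fmt.Println(scenarios())
}
```

Run it with `go run` on a single file; it needs no network beyond 127.0.0.1. The three `tls.ClientAuthType` values used are the knob the answer refers to when it says the server "decides whether to let you connect with no cert ... or to reject the connection entirely": `RequireAndVerifyClientCert` rejects the empty Certificate message, `VerifyClientCertIfGiven` lets the anonymous client through and leaves it to the application to restrict what that client may do. The comment on the final read matters in practice: with TLS 1.3 a client can see its own handshake succeed and still learn it was rejected only on the first read, so code that checks only the handshake result will misreport the strict case.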