
Is it possible to embed a TLS certificate into an application or hide it somehow so that it’s not so easy for a user to just export it from the cert manager on Windows? Or do all certificates have to be stored in the manager?

Spyros
Q-bertsuit
  • Why would exporting a certificate be a problem? Certificates are meant to be public info. Unless you are referring to the corresponding private key, are you? – Spyros Nov 22 '22 at 07:41
  • Certificates and keys can be embedded into the application, stored as extra files, etc. Private keys can be stored externally on a smartcard, HSM, etc. Details depend on the specific application, software library, framework etc. – Steffen Ullrich Nov 22 '22 at 08:12
  • Yes, I mean the corresponding private key as well. I would like to make it a little more difficult for someone with admin rights to just export the certificate and run Wireshark to decrypt my HTTPS traffic from my app running on the same machine – Q-bertsuit Nov 22 '22 at 08:32
  • @Q-bertsuit Give up. DRM doesn't work. – vidarlo Nov 22 '22 at 08:42
  • @vidarlo What's DRM? – Q-bertsuit Nov 22 '22 at 08:49
  • Why do you need to protect the machine from itself? DRM = Digital Rights Management. It's a mostly failed practice that only frustrates non-technical users from easily breaking it. If you need to protect the machine from itself, you have a design or a logic flaw somewhere. – schroeder Nov 22 '22 at 08:59
  • We have many, many questions on this site about how to embed secrets in applications. There are many ways to do it depending on your application. https://www.google.com/search?q=embed+private+key+in+application+site:security.stackexchange.com But it's never fool-proof. – schroeder Nov 22 '22 at 09:00
  • Instead of using a client certificate you can simply use certificate or public-key pinning (e.g. on the root CA certificate key). A hash of a certificate or a key is smaller and easier to hide. And once it has been found the protection is still intact unless you modify the binary whereas an extracted private key can be published and simplifies TLS interception for everybody. – Robert Nov 22 '22 at 19:13

1 Answer


A program can get its input from anywhere it has access to. This includes the internet, the standard input (e.g. keyboard), the filesystem, shared memory and its own code.

This means that yes, you can store in the program code certificates, private keys and anything else you may find useful for the program to work the way you want.

But it's not secure.

Storing critical information (e.g. access keys) where a user has read access and expecting that the user won't find it has been tried many times in the past (a notable case being DRM) but has failed in every case.

Spyros