Document Type
Technical Report
Publication Date
2-10-2003
Technical Report Number
TR2003-443
Abstract
In theory, PKI can provide a flexible and strong way to authenticate users in distributed information systems. In practice, much is being invested in realizing this vision via client-side SSL and browser-based keystores. Exploring this vision, we demonstrate that browsers will use personal certificates to authenticate requests that the person neither knew of nor approved (and which password-based systems would have defeated), and we demonstrate the easy permeability of these keystores (including new attacks on medium and high-security IE/XP keys). We suggest some countermeasures, but also suggest that a fundamental rethinking of the trust, usage, and storage model might result in a more effective PKI.
Dartmouth Digital Commons Citation
Marchesini, John; Smith, S W.; and Zhao, Meiyuan, "Keyjacking: Risks of the Current Client-side Infrastructure" (2003). Computer Science Technical Report TR2003-443. https://digitalcommons.dartmouth.edu/cs_tr/209