lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4437E17C.7030902@nisu.org>
Date: Sat Apr  8 17:15:12 2006
From: mm.disclosure at nisu.org (Manuel Mollar Villanueva)
Subject: Removing certificates on MS Windows.

Hi,
This applies for all MS Windows versions.

If you have a certificate installed on HD (i.e. using the MS Enhaced 
CSP), then, following Microsoft, you can remove it using IExplorer, on 
the *Tools* menu, you click *Internet Options*, then you click the* 
Content* tab, and then click Remove. This is a well known action 
described in 
http://www.microsoft.com/technet/prodtechnol/ie/reskit/6/part2/c06ie6rk.mspx?mfr=true

Doing this, you effectively remove the certificate, but THE PRIVATE KEY 
REMAINS IN THE HD.
You can find a lot of scenarios where this can be a problem. Suppose you 
go to a friend's home, you install a pkcs12 file containing your 
certificate and private key with "Medium" security level (the default), 
then you use it, and when you finishes your work, you remove the 
certificate (but NO the private key). Then your friend takes your 
certificate (is a public document) and installs it, having your private 
key working for him.

The program cleancapi deletes the private keys that are not used by any 
certificate.
Source code: http://dwnl.nisu.org/dwnl?fic=cleancapi_0_2_src.zip
Precompiled version: http://dwnl.nisu.org/dwnl?fic=cleancapi_0_2_bin.zip

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ