2011-02-11

Security "features" that hurt good guys more than bad

So, you're using Windows, and you want to enroll for a public key certificate.

You open up Internet Explorer (because the enrollment pages run an ActiveX control that only IE supports, so other browsers don't work), apply for the certificate, pay for it, receive it, and you think all is dandy.

Then, you want to export the certificate so that you can use it on another machine.

No go.

In their infinite wisdom, the developers of Windows Vista made it so that private keys for certificates requested through the browser are marked non-exportable by default: the new enrollment control only produces an exportable key if the CA's page explicitly asks for one.

This is to "protect" the private key. You can't back it up or move it to another machine, but the bad guys also can't export it from your computer behind your back. Right?

Except the bad guys can. The private key is, obviously, stored on the machine, and the operating system has to read it every time it signs or decrypts anything, so the key is right there. The "unexportable" flag is just a policy bit that the software crypto provider consults when something asks for the key through the official API. A third-party utility such as Jailbreak patches that code in memory so the check is skipped, and out comes the key. The only thing that actually keeps a private key from leaving a machine is hardware built not to release it, such as a smart card or a TPM; a flag on a software key is nothing of the sort.

The only people actually hurt by this stupid design decision are those who want to be careful and responsible, and who do not want to risk running an untrusted third-party hack with administrative permissions.

Those people have to revoke their certificate, install Windows XP in a virtual machine, and request a new certificate from there, because Windows XP did actually allow the key to be exported.

Gah!
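As an added example, not part of the original post: a PowerShell script that first surveys the personal certificate store and reports whether each private key is flagged exportable (the check worth running before you discover the problem the hard way), refuses an export that is going to fail anyway, and then shows the alternative to the XP virtual machine for cases where the CA will accept a PKCS#10 request you generated yourself: certreq.exe creating the key pair from an INF that sets Exportable = TRUE. Function names, the sample subject, file paths and the secure-email EKU are illustrative; Export-PfxCertificate requires the PKI module that shipped with Windows 8 and Server 2012, which Vista did not have.

```powershell
# Added example, not part of the original post. Function names, paths and the
# sample subject are illustrative. Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-PrivateKeyExportability {
    # Report whether one certificate's private key is flagged exportable. A
    # browser-enrolled key may sit in a legacy CAPI CSP (RSACryptoServiceProvider)
    # or in a CNG key storage provider (RSACng); each records the flag differently.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $info = [ordered]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            KeyStore   = 'no private key'
            Exportable = $false
        }
        if ($Certificate.HasPrivateKey) {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
            try {
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG stores the policy as flags. PFX export wraps the key under a
                    # password, so AllowExport suffices; plaintext export is a separate flag.
                    $policy = $rsa.Key.ExportPolicy
                    $info.KeyStore   = "CNG ($($rsa.Key.Provider.Provider)), policy=$policy"
                    $info.Exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP: the key container carries the CRYPT_EXPORTABLE flag.
                    $info.KeyStore   = "CAPI ($($rsa.CspKeyContainerInfo.ProviderName))"
                    $info.Exportable = $rsa.CspKeyContainerInfo.Exportable
                }
                else { $info.KeyStore = 'non-RSA key, not inspected' }
            }
            finally { if ($rsa) { $rsa.Dispose() } }
        }
        [pscustomobject]$info
    }
}

function Export-PrivateKeyIfExportable {
    # Check first, so the failure is a readable message rather than the generic
    # "Key not valid for use in specified state" that PFX export otherwise produces.
    # Export-PfxCertificate is from the PKI module (Windows 8 / Server 2012 and later).
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $state = Get-PrivateKeyExportability -Certificate $Certificate
    if (-not $state.Exportable) {
        throw "Private key for '$($state.Subject)' is flagged non-exportable ($($state.KeyStore)); no supported API will export it."
    }
    Export-PfxCertificate -Cert $Certificate -FilePath $PfxPath -Password $Password
}

function New-ExportableKeyRequest {
    # Where the CA accepts a PKCS#10 request you generated yourself, this avoids the
    # browser control: certreq.exe creates the key pair from an INF with Exportable = TRUE.
    # Submit the .req to the CA, then bind the issued certificate to the waiting key
    # with:  certreq.exe -accept issued.cer
    param(
        [Parameter(Mandatory)][string]$Subject,      # e.g. 'CN=Jane Doe, E=jane@example.com'
        [Parameter(Mandatory)][string]$RequestPath   # output path for the PKCS#10 request
    )
    $inf = @"
[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = FALSE
ProviderName = "Microsoft Software Key Storage Provider"
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.4
"@
    # The secure-email EKU above is a placeholder; set it to what the certificate is for.
    $infPath = [System.IO.Path]::ChangeExtension($RequestPath, '.inf')
    Set-Content -LiteralPath $infPath -Value $inf -Encoding Ascii
    & certreq.exe -new -user $infPath $RequestPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq.exe exited with code $LASTEXITCODE" }
    Get-Item -LiteralPath $RequestPath
}

# Usage: survey the personal store, then attempt one export or a fresh request.
Get-ChildItem Cert:\CurrentUser\My | Get-PrivateKeyExportability | Format-Table -AutoSize
# $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -like '*Jane Doe*' | Select-Object -First 1
# Export-PrivateKeyIfExportable -Certificate $cert -PfxPath "$env:USERPROFILE\jane.pfx" -Password (Read-Host -AsSecureString 'PFX password')
# New-ExportableKeyRequest -Subject 'CN=Jane Doe, E=jane@example.com' -RequestPath "$env:USERPROFILE\jane.req"
```

The survey distinguishes CAPI from CNG keys because the two providers record the flag in different places, and a store that has been through several Windows versions usually holds both kinds. Note that a negative result from the check is a statement about what the supported API will do, not about whether the key material is recoverable, which is exactly the post's complaint.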

2 comments:

Anonymous said...

If you "download" (create) a personal digital certificate for a first time, then its private key is "marked as exportable". If you import the certificate from (for example) a .pfx file and you don't check "Mark the private key as exportable", you cannot export the private key (without a hack). And yes, this is stupid. And yes, I know it's an old post. :-)

denis bider said...

My experience was that, on Vista:

(1) there is no user interface allowing you to mark the private key as exportable when applying for the certificate, and

(2) the private key does end up being marked as unexportable.

Are you saying this is not the case?