Dartmouth TR2004-489

	Dartmouth College Computer Science Technical Report series	CS home TR home TR search TR listserv
By author:	A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
By number:	2009, 2008, 2007, 2006, 2005, 2004, 2003, 2002, 2001, 2000, 1999, 1998, 1997, 1996, 1995, 1994, 1993, 1992, 1991, 1990, 1989, 1988, 1987, 1986

Keyjacking: The Surprising Insecurity of Client-side SSL
John Marchesini, Sean W. Smith, Meiyuan Zhao
Dartmouth TR2004-489

Abstract: In theory, PKI can provide a flexible and strong way to authenticate users in distributed information systems. In practice, much is being invested in realizing this vision via client-side SSL and various client keystores. However, whether this works depends on whether what the machines do with the private keys matches what the humans think they do: whether a server operator can conclude from an SSL request authenticated with a user's private key that the user was aware of and approved that request. Exploring this vision, we demonstrate via a series of experiments that this assumption does not hold with standard desktop tools, even if the browser user does all the right things. A fundamental rethinking of the trust, usage, and storage model might result in more effective tools for achieving the PKI vision.

Note: This TR supercedes TR2003-443. A preliminary version appeared in the proceedings of the 2nd Annual PKI Research Workshop in April of 2003.

PDF (148KB)

Bibliographic citation for this report: [plain text] [BIB] [BibTeX] [Refer]

Or copy and paste:
John Marchesini, Sean W. Smith, and Meiyuan Zhao, "Keyjacking: The Surprising Insecurity of Client-side SSL." Dartmouth Computer Science Technical Report TR2004-489, February 13,.

Notify me about new tech reports.

Search the technical reports.

To receive paper copy of a report, by mail, send your address and the TR number to reports AT cs.dartmouth.edu

Copyright notice: The documents contained in this server are included by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

Technical reports collection maintained by David Kotz.