1

I use Windows 8.1 Pro 64 bit and IE11. I have two personal certificates (with private key) of mine in the system certificate store. They are both set to require a password before they can be used.

This worked until a few days ago. Then I noticed that one of them is accessible without a password. How could that happen?

What I normally do is:

  • I open a HTTPS website that requires certificate auth
  • the dialog pops up to select a certificate (only one is offered, based on the CA, each of my certs are from different CAs)
  • after I select it, another system dialog appears, asking to grant or deny access to the certificate and for granting, I must enter the password
  • after entering the correct password, the website loads

This worked like this for both of the certificates (each used on a different website). But recently, one certificate does not require the password any more. I can just select it and use it to access the website. The other still requires the password.

To check my memory is not playing tricks with me, I restored a system image backup a few month old. It has Windows 8 Pro and IE10. There both certificates ask for a password. (I upgraded that system to Windows 8.1 via the Windows Store).

I don't see a way to change the security level of certificates after they are imported, so I did not do it myself and the forget about it.

I can re-import the certificate and set a password for it, but the question is, how did this happen? I checked the PC for malware (booting from a USB key: HBCD and Ubuntu) and found nothing.

David Balažic
  • 179
  • 1
  • 10
  • I installed Google Chrome and it behaves the same: one certificate requires the password, the other is usable without any password. – David Balažic Nov 27 '13 at 15:17

2 Answers2

1

Security levels on private keys in Windows are a rather complex subject; in particular, there are options for activating or deactivating the password, and for caching the password in memory. See this blog post for an introduction. Notably, the protection level for a given key is not intrinsically immutable; it may be changed. Possibly, Windows 8.1 changed some default behaviour; or maybe some action on your part, that you do not remember (that's not a blame; there are way too many popups in Windows to realistically expect to remember them all and miss none), changed the protection level at a time which fortuitously happened to be after your last pre-8.1 backup. In any case, you could go inspect the current status of your private keys and change it according to your wishes.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
0

What I saw in Windows 8 is that you only have to enter your password once per session. Windows remembers it. If you restart the computer however you will be asked again for the password...

Anyway I always thought Microsoft treats the security of our private keys very lightly. Using metaphore, it is as if they said: "We put a lock on your door, that is secure, so we can store the key on a nail in the wall. And if you really want top security hide it under the doormat"

kamouille
  • 1