Full Disclosure mailing list archives

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

From: Alexander Klink <a.klink () cynops de>
Date: Fri, 7 Sep 2007 18:34:00 +0200

On Fri, Sep 07, 2007 at 05:00:51PM +0300, Eddy Nigg (StartCom Ltd.) wrote:

However information stated in certificates signed by CAs isn't usually 
"private" and depending on the CA policy even published via directories 
and other different channels, so I'm not sure if this could be an 
invasion of privacy. Also tracking visitors can be done in different

Granted, if this is a "real" CA. But if you use it like in my PoC not
for the typical CA scenario, but for user tracking, you could put all
kinds of data in the certificate.

ways and doesn't have to be with cookies - again I'm not sure what's the 
difference.

Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.

Changing the default selection for certificate 
authentication could solve the problem you stated in any case.

Correct.

What other browsers do:
- Firefox 1.5: Does not allow you to install a client certificate that
  is from a CA which you don't trust. I still believe this was a decent
  default setting.

Are you sure there was a change? I don't remember this to be the case of 
pre-2.0 Firefox either.

I've actually tested that again and it also works in Firefox 1.5 - and
even "better" there, because the certificate installation does not show
any dialog at all. This reduces the visibility to a short key generation
pop up! No idea why I thought it did not work in 1.5, though.

Best regards,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink () cynops de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
  - Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
    - Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
    - Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Brendan Dolan-Gavitt (Sep 07)
    - Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Peter Besenbruch (Sep 07)
    - Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Arshad Noor (Sep 07)
    - Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Erik Tews (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Peter Besenbruch (Sep 07)
  - Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
    - Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates niclas (Sep 09)