Full Disclosure mailing list archives
Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
From: Alexander Klink <a.klink () cynops de>
Date: Fri, 7 Sep 2007 18:34:00 +0200
On Fri, Sep 07, 2007 at 05:00:51PM +0300, Eddy Nigg (StartCom Ltd.) wrote:

> However information stated in certificates signed by CAs isn't usually "private" and depending on the CA policy even published via directories and other different channels, so I'm not sure if this could be an invasion of privacy.

Granted, if this is a "real" CA. But if you use it like in my PoC not for the typical CA scenario, but for user tracking, you could put all kinds of data in the certificate.

> Also tracking visitors can be done in different ways and doesn't have to be with cookies - again I'm not sure what's the difference.

Tracking visitors in an unnoticed way over several domains is typically not as easy as this, I believe.

> Changing the default selection for certificate authentication could solve the problem you stated in any case.

Correct.

>> What other browsers do:
>> - Firefox 1.5: Does not allow you to install a client certificate that is from a CA which you don't trust. I still believe this was a decent default setting.
>
> Are you sure there was a change? I don't remember this to be the case of pre-2.0 Firefox either.

I've actually tested that again and it also works in Firefox 1.5 - and even "better" there, because the certificate installation does not show any dialog at all. This reduces the visibility to a short key generation pop-up! No idea why I thought it did not work in 1.5, though.

Best regards,

Alex

-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink () cynops de
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
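The point Alex makes above, that a CA used purely for tracking can put arbitrary data into the certificates it issues, as an added example that is not part of the thread and not the original PoC: a POSIX shell script using the openssl command-line tool that mints a throwaway "tracking CA", issues one client certificate per visitor with the visitor identifier in the subject CN and reused as the serial number, and reads the identifier back from the certificate the way the tracking site would after the TLS handshake. The CA name, the organisation string, the visitor identifiers and the working directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a "tracking CA" that encodes a visitor
# identifier into a client certificate, plus the server-side extraction.
# Requires the openssl command-line tool. All names and IDs are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Mint a throwaway CA. Nobody but the tracking site ever needs to trust it:
# the site issues the certificate and is the only party that checks it.
make_tracking_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Tracking CA (example)" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate for one visitor. The hex visitor ID goes into
# the subject CN and is reused as the serial number; any other attribute or
# extension would do as well, because the browser sends the certificate
# verbatim in the TLS handshake.
issue_visitor_cert() {
    id="$1"
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=visitor-$id/O=Tracking example" \
        -keyout "$WORK/$id.key" -out "$WORK/$id.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$id.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial "0x$id" -days 30 -out "$WORK/$id.crt" >/dev/null 2>&1
}

# Server side: recover the visitor ID from a presented certificate. A real
# server reads the certificate from the TLS layer; here it is read from disk.
# The grep tolerates both "CN=..." and "CN = ..." subject formatting.
visitor_id_from_cert() {
    openssl x509 -in "$1" -noout -subject \
        | grep -o 'CN *= *visitor-[0-9a-f]*' | head -n 1 \
        | sed 's/^.*visitor-//'
}

# Sanity check that the certificate chains to the tracking CA (and, with any
# other -CAfile, to nothing else): prints "ok" or "untrusted".
chains_to_tracking_ca() {
    if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

main() {
    make_tracking_ca
    for id in 7a3f9c01 1b2c3d4e; do
        issue_visitor_cert "$id"
        printf '%s -> visitor %s (%s)\n' "$WORK/$id.crt" \
            "$(visitor_id_from_cert "$WORK/$id.crt")" \
            "$(chains_to_tracking_ca "$WORK/$id.crt")"
    done
}

main
```

The script makes the "real CA" distinction concrete: nothing here chains to a publicly trusted root, and it does not need to, since the issuing site is also the only verifier. On the browser side, the "default selection for certificate authentication" Eddy refers to is the Firefox preference security.default_personal_cert; set to "Ask Every Time" instead of "Select Automatically", the user is prompted before any installed client certificate is sent, which removes the silent part of the tracking.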
Current thread:
- Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Brendan Dolan-Gavitt (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Peter Besenbruch (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Arshad Noor (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Erik Tews (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)