Full Disclosure mailing list archives
Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg () startcom org>
Date: Fri, 07 Sep 2007 17:00:51 +0300
Alexander Klink wrote:
Personally I'd prefer to have the default settings for "When a website requires a certificate" to be "Ask me every time". Specially if one has various certificates from the same CA, the clueless user logs in always with the first certificate on the list. Not really something one might expect.Here is how it works: - Because Firefox's standard configuration is to automatically choose a TLS client certificate to be sent out, the certificate including the personal data will now be sent out to any website that requests it. Contrary to a typical cookie, this includes websites that are on a completely different domain. The user will not notice this at all.
However information stated in certificates signed by CAs isn't usually "private" and depending on the CA policy even published via directories and other different channels, so I'm not sure if this could be an invasion of privacy. Also tracking visitors can be done in different ways and doesn't have to be with cookies - again I'm not sure what's the difference. IChanging the default selection for certificate authentication could solve the problem you stated in any case. Perhaps file a bug for this?
Are you sure there was a change? I don't remember this to be the case of pre-2.0 Firefox either.What other browsers do: - Firefox 1.5: Does not allow you to install a client certificate that is from a CA which you don't trust. I still believe this was a decent default setting.
--Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org> Jabber: startcom () startcom org <xmpp:startcom () startcom org> Blog: Join the Revolution! <http://blog.startcom.org> Phone: +1.213.341.0390
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Brendan Dolan-Gavitt (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Peter Besenbruch (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Arshad Noor (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Erik Tews (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)