Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

From: Arshad Noor <arshad.noor () strongauth com>
Date: Fri, 7 Sep 2007 10:04:53 -0400 (EDT)
Alex,

Do you presume that the websites in the domains that you intend
to track users will install the self-signed CA certificate that
issued the client-certificate to the unsuspecting user?  If not,
how will the browser know which client certificate to send to 
the website during client-auth?  And what happens to the users
who do not have have client-certs issued by this CA when they
attempt to connect to the site?

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Alexander Klink" <a.klink () cynops de>

Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: