Full Disclosure mailing list archives
Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg () startcom org>
Date: Fri, 07 Sep 2007 19:57:49 +0300
Hi Alexander,

Alexander Klink wrote:

That's right. Still I believe that the generation of a private key and issuance of the certificate is pretty "noisy". However I agree, some explanation would be better. Obviously on a CA, this process is explained at the web site, but as in your scenario, the user isn't supposed to know a lot about it....

There is something to your claim....

> Granted, if this is a "real" CA. But if you use it like in my PoC not for the typical CA scenario, but for user tracking, you could put all kinds of data in the certificate.
> Tracking visitors in an unnoticed way over several domains is typically not as easy as this, I believe.

Well, well... ;-)
Right! In 1.5 no "Installation Message" appears, which in 2.0 has been corrected. I suggest to file a bug with the request to change the default settings for handling certificate authentication. Please send the bug number, so we can vote for it...

> I've actually tested that again and it also works in Firefox 1.5 - and even "better" there, because the certificate installation does not show any dialog at all.
-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom () startcom org <xmpp:startcom () startcom org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Brendan Dolan-Gavitt (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Peter Besenbruch (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Arshad Noor (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Erik Tews (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Eddy Nigg (StartCom Ltd.) (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)
- Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates Alexander Klink (Sep 07)