Full Disclosure mailing list archives

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates


From: "Brendan Dolan-Gavitt" <mooyix () gmail com>
Date: Fri, 7 Sep 2007 13:22:34 -0400

It occurs to me that this could be used to good effect to track someone
using Tor across various domains you control. Most Tor users know to kill
JS, Flash, and are more than normally paranoid about cookies, but may not
think twice about accepting a client certificate. I'm CC'ing the Tor mailing
list to see what they think...

Can anyone see if this works through Privoxy and the other things in the
standard Tor bundle?

-Brendan

On 9/7/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg () startcom org> wrote:

 Hi Alexander,

Alexander Klink wrote:

Granted, if this is a "real" CA. But if you use it like in my PoC not
for the typical CA scenario, but for user tracking, you could put all
kinds of data in the certificate.

 That's right. Still I believe that the generation of a private key and
issuance of the certificate is pretty "noisy". However I agree, some
explanation would be better. Obviously on a CA, this process is explained at
the web site, but as in your scenario, the user isn't supposed to know a lot
about it.... There is something to your claim....

Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.

 Well, well... ;-)

I've actually tested that again and it also works in Firefox 1.5 - and
even "better" there, because the certificate installation does not show
any dialog at all.

 Right! In 1.5 no "Installation Message" appears, which in 2.0 has been
corrected. I suggest to file a bug with the request to change the default
settings for handling certificate authentication. Please send the bug
number, so we can vote for it...

--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom () startcom org
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
