Full Disclosure mailing list archives
Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
From: Alexander Klink <a.klink () cynops de>
Date: Fri, 7 Sep 2007 20:10:23 +0200
Hi Peter,

On Fri, Sep 07, 2007 at 07:31:59AM -1000, Peter Besenbruch wrote:
> Alexander Klink wrote:
> > ... I realised that you can do something with Firefox 2.0.x that
> > you could not do with Firefox 1.5.x: track an unsuspecting user
> > using TLS client certificates.
Actually, this summary is no longer true, works even better in 1.5 ;-)
> While I can see the same use here, it seems you are saying anyone could
> have a look at certificates on your system, while cookies generally are
> limited to viewing by the issuing domain. What I don't understand is if
> there is a simple way of knowing what certificate to ask for? For this to be
No, you can't really 'ask' for a certificate - the user chooses it (or, in this case, the browser does so automatically).
> to issue a "give me all your stored certificates" command? The follow-on
> link to Apache's cert-export page can't seem to do that. I made two certs
> and the cert-export page grabbed that last one.
Correct, this is Firefox's way of automatically choosing one. I'd suspect most users don't have any TLS client certificates though.
> Oh well, time to change Firefox's default certificate handling.
I agree: https://bugzilla.mozilla.org/show_bug.cgi?id=395399

Best regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink () cynops de
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
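An added example (mine, not from the thread or from Mozilla): a small Python audit that reads a Firefox profile's prefs.js and reports whether client certificates are still handed to a requesting server without a prompt, plus the user.js line that turns the prompt on. It assumes the controlling preference is security.default_personal_cert with the values "Select Automatically" (the 2.0 default the thread describes) and "Ask Every Time"; the prefs.js contents are constructed inline.

```python
import re

# Firefox keeps the client-certificate selection policy in the profile's
# prefs.js (overridable via user.js). Assumption: the pref name and the two
# string values below are mine; the thread itself does not name the pref.
PREF_NAME = "security.default_personal_cert"
DEFAULT_VALUE = "Select Automatically"  # Firefox 2.0 behaviour from the thread
SAFE_VALUE = "Ask Every Time"           # user is prompted before a cert is sent

# Matches string-valued lines such as:
#   user_pref("security.default_personal_cert", "Ask Every Time");
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"([^"]*)"\);')


def parse_prefs(text):
    """Return a dict of the string-valued prefs found in prefs.js/user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def cert_selection_policy(text):
    """Effective policy: an absent pref means the built-in default applies."""
    return parse_prefs(text).get(PREF_NAME, DEFAULT_VALUE)


def auto_selects_client_cert(text):
    """True when a server asking for a client cert gets one without a prompt."""
    return cert_selection_policy(text) != SAFE_VALUE


def hardened_user_js():
    """The user.js line that makes Firefox ask before sending a client cert."""
    return 'user_pref("%s", "%s");' % (PREF_NAME, SAFE_VALUE)


# Constructed sample prefs.js contents for the demo (not from a real profile).
SAMPLE_DEFAULT_PROFILE = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1189173000);
user_pref("browser.startup.homepage", "about:blank");
"""
SAMPLE_HARDENED_PROFILE = SAMPLE_DEFAULT_PROFILE + hardened_user_js() + "\n"

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT_PROFILE),
                       ("hardened", SAMPLE_HARDENED_PROFILE)):
        print("%s profile: policy=%r, sends cert silently=%s"
              % (name, cert_selection_policy(text), auto_selects_client_cert(text)))
```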