7 Sep 18:57
Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
2007-09-07 16:57:49 GMT
Hi Alexander,

Alexander Klink wrote:
> Granted, if this is a "real" CA. But if you use it like in my PoC not
> for the typical CA scenario, but for user tracking, you could put all
> kinds of data in the certificate.
>
That's right. Still I believe that the generation of a private key and
issuance of the certificate is pretty "noisy". However I agree, some
explanation would be better. Obviously on a CA, this process is
explained at the web site, but as in your scenario, the user isn't
supposed to know a lot about it.... There is something to your claim....

> Tracking visitors in an unnoticed way over several domains is typically
> not as easy as this, I believe.
>
Well, well...

> I've actually tested that again and it also works in Firefox 1.5 - and
> even "better" there, because the certificate installation does not show
> any dialog at all.
Right! In 1.5 no "Installation Message" appears, which in 2.0 has been
corrected. I suggest to file a bug with the request to change the
default settings for handling certificate authentication. Please send
the bug number, so we can vote for it...

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom <at> startcom.org <xmpp:startcom <at> startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390