7 Sep 22:00
Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
2007-09-07 20:00:52 GMT
Arshad Noor wrote:
>
> My understanding of the TLS protocol is that the browser only sends
> the certificates signed by CAs that the server trusts; are you saying
> that the protocol allows for asking ANY certificate from the browser
> cert-store, regardless of who signed it?
>
Yes, one can configure a web server to accept ANY certificate for client auth.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom <at> startcom.org <xmpp:startcom <at> startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
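
The exchange above turns on the certificate_authorities list in the server's CertificateRequest handshake message: when that list is empty, the request names no issuer for the client to filter on. The parser below is an added example, not code from the thread or from any project mentioned in it, showing how a client-side check can tell the two cases apart. It assumes the TLS 1.0/1.1 message layout (no signature-algorithms field), and the sample messages and the "Example CA" name are constructed.

```python
CERTIFICATE_REQUEST = 13  # HandshakeType value for certificate_request

def _u(data, pos, size, end):
    """Read a big-endian unsigned integer, refusing to read past `end`."""
    if pos + size > end:
        raise ValueError("truncated CertificateRequest")
    return int.from_bytes(data[pos:pos + size], "big"), pos + size

def parse_certificate_request(msg: bytes) -> dict:
    """Parse one handshake message: type(1) | length(3) | body (pre-TLS 1.2 layout)."""
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body_len, pos = _u(msg, 1, 3, len(msg))
    end = pos + body_len
    if end != len(msg):
        raise ValueError("handshake length does not match message size")
    # certificate_types: 1-byte count, then one byte per ClientCertificateType
    n_types, pos = _u(msg, pos, 1, end)
    if n_types == 0 or pos + n_types > end:
        raise ValueError("bad certificate_types vector")
    types, pos = list(msg[pos:pos + n_types]), pos + n_types
    # certificate_authorities: 2-byte total length, then 2-byte-prefixed DER names
    ca_len, pos = _u(msg, pos, 2, end)
    if pos + ca_len != end:
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while pos < end:
        n, pos = _u(msg, pos, 2, end)
        if n == 0 or pos + n > end:
            raise ValueError("bad DistinguishedName length")
        names.append(msg[pos:pos + n])
        pos += n
    return {"certificate_types": types, "certificate_authorities": names}

def accepts_any_issuer(msg: bytes) -> bool:
    """True when the server named no CA, so the client gets no issuer filter."""
    return not parse_certificate_request(msg)["certificate_authorities"]

def build_sample(names):
    """Constructed test input: rsa_sign (1) plus the given DER names."""
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in names)
    body = b"\x01\x01" + len(cas).to_bytes(2, "big") + cas
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

# Constructed DER Name for "CN=Example CA" (not taken from any real server)
EXAMPLE_DN = bytes.fromhex("3015311330110603550403130a") + b"Example CA"
OPEN_REQUEST = build_sample([])              # empty CA list
SCOPED_REQUEST = build_sample([EXAMPLE_DN])  # one acceptable issuer

if __name__ == "__main__":
    for label, m in (("open", OPEN_REQUEST), ("scoped", SCOPED_REQUEST)):
        print(label, "accepts any issuer:", accepts_any_issuer(m))
```

A client that prompts the user, or declines to answer, whenever `accepts_any_issuer` is true avoids presenting a certificate to a server that has not said which issuers it expects.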