8 Sep 03:03
Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org>
2007-09-08 01:03:55 GMT
Arshad Noor wrote:
> They would know the CA that issued the particular client certificate and
> include it in its Request/Not require client auth message.
>

Actually funny that I never thought myself about such an option. But a competing CA could harvest the email addresses, which are usually present in client certs, of the competition and spam them for their services...good thought--

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom <at> startcom.org <xmpp:startcom <at> startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390