[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

To: Alexander Klink <a.klink@xxxxxxxxx>
Subject: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
From: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@xxxxxxxxxxxx>
Date: Fri, 07 Sep 2007 17:00:51 +0300

Alexander Klink wrote:

Here is how it works:
- Because Firefox's standard configuration is to automatically choose a
  TLS client certificate to be sent out, the certificate including
  the personal data will now be sent out to any website that requests it.
  Contrary to a typical cookie, this includes websites that are on a
  completely different domain. The user will not notice this at all.

Personally I'd prefer to have the default settings for "When a websiterequires a certificate" to be "Ask me every time". Specially if one hasvarious certificates from the same CA, the clueless user logs in alwayswith the first certificate on the list. Not really something one mightexpect.

However information stated in certificates signed by CAs isn't usually"private" and depending on the CA policy even published via directoriesand other different channels, so I'm not sure if this could be aninvasion of privacy. Also tracking visitors can be done in differentways and doesn't have to be with cookies - again I'm not sure what's thedifference. IChanging the default selection for certificateauthentication could solve the problem you stated in any case. Perhapsfile a bug for this?


What other browsers do:
- Firefox 1.5: Does not allow you to install a client certificate that
  is from a CA which you don't trust. I still believe this was a decent
  default setting.

Are you sure there was a change? I don't remember this to be the case ofpre-2.0 Firefox either.

--

Regards

Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         startcom@xxxxxxxxxxxx <xmpp:startcom@xxxxxxxxxxxx>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
  - From: Alexander Klink

References:
- [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
  - From: Alexander Klink

Prev by Date: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Next by Date: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Previous by thread: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Next by thread: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Index(es):
- Date
- Thread