[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

To: full-disclosure@xxxxxxxxxxxxxxxxx, dev-security@xxxxxxxxxxxxxxxxx, dev-tech-crypto@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
From: Arshad Noor <arshad.noor@xxxxxxxxxxxxxx>
Date: Fri, 7 Sep 2007 10:04:53 -0400 (EDT)

Alex,

Do you presume that the websites in the domains that you intend
to track users will install the self-signed CA certificate that
issued the client-certificate to the unsuspecting user?  If not,
how will the browser know which client certificate to send to 
the website during client-auth?  And what happens to the users
who do not have have client-certs issued by this CA when they
attempt to connect to the site?

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Alexander Klink" <a.klink@xxxxxxxxx>

Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
  - From: Erik Tews

References:
- Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
  - From: Alexander Klink

Prev by Date: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Next by Date: Re: [Full-disclosure] Fake claim by Vaibhav Pandey regarding Googleacknowledging a vulnerability
Previous by thread: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Next by thread: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Index(es):
- Date
- Thread