Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-10 Thread niclas
> ... I realised that you can do something with Firefox 2.0.x that
> you could not do with Firefox 1.5.x: track an unsuspecting user
> using TLS client certificates.

this is not new. in a way it has been in the apache documentation for years. it's simple, and it's very bad: a) firefox does not ask

Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-09 Thread Peter Besenbruch
Brendan Dolan-Gavitt wrote:
> Can anyone see if this works through Privoxy and the other things in the
> standard Tor bundle?

It works with Tor with, and without Privoxy.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-09 Thread Erik Tews
On Friday, 07.09.2007, at 10:04 -0400, Arshad Noor wrote:
> Alex,
>
> Do you presume that the websites in the domains that you intend
> to track users will install the self-signed CA certificate that
> issued the client-certificate to the unsuspecting user? If not,
> how will the browser know

Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-09 Thread Brendan Dolan-Gavitt
It occurs to me that this could be used to good effect to track someone using Tor across various domains you control. Most Tor users know to kill JS, Flash, and are more than normally paranoid about cookies, but may not think twice about accepting a client certificate. I'm CC'ing the Tor mailing li

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Eddy Nigg (StartCom Ltd.)
Arshad Noor wrote:
> They would know the CA that issued the particular client certificate and
> include it in its Request/Not require client auth message.
>
Actually funny that I never thought myself about such an option. But a competing CA could harvest the email addresses, which are usually

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Arshad Noor
Cc: [EMAIL PROTECTED], dev-tech-crypto@lists.mozilla.org
Sent: Friday, September 7, 2007 4:24:15 PM (GMT-0800) America/Los_Angeles
Subject: Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Arshad Noor wrote:
> See below, Alex.
>
> Arshad Noor
>

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Robert Relyea
Arshad Noor wrote: See below, Alex. Arshad Noor StrongAuth, Inc. - Original Message - From: "Alexander Klink" <[EMAIL PROTECTED]> The typical user does not have a client authentication certificate, so after installing one for him, the browser will send that out to anyone who is asking.

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Eddy Nigg (StartCom Ltd.)
Arshad Noor wrote:
>
> My understanding of the TLS protocol is that the browser only sends
> the certificates signed by CAs that the server trusts; are you saying
> that the protocol allows for asking ANY certificate from the browser
> cert-store, regardless of who signed it?
>
Yes, one

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Arshad Noor
See below, Alex.

Arshad Noor
StrongAuth, Inc.

- Original Message -
From: "Alexander Klink" <[EMAIL PROTECTED]>

The typical user does not have a client authentication certificate, so after installing one for him, the browser will send that out to anyone who is asking.

My understanding

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Alexander Klink
[Cc's restricted to the mozilla lists]

Hi Eddy,

On Fri, Sep 07, 2007 at 07:57:49PM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> >Granted, if this is a "real" CA. But if you use it like in my PoC not
> >for the typical CA scenario, but for user tracking, you could put all
> >kinds of data in the cert

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Alexander Klink
[restricted the Cc's to the mozilla lists]

Arshad,

On Fri, Sep 07, 2007 at 10:04:53AM -0400, Arshad Noor wrote:
> Do you presume that the websites in the domains that you intend
> to track users will install the self-signed CA certificate that
> issued the client-certificate to the unsuspecting u

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Arshad Noor
Alex, Do you presume that the websites in the domains that you intend to track users will install the self-signed CA certificate that issued the client-certificate to the unsuspecting user? If not, how will the browser know which client certificate to send to the website during client-auth? And

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Eddy Nigg (StartCom Ltd.)
Hi Alexander,

Alexander Klink wrote:
> Granted, if this is a "real" CA. But if you use it like in my PoC not
> for the typical CA scenario, but for user tracking, you could put all
> kinds of data in the certificate.
>
That's right. Still I believe that the generation of a private key and issu

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Alexander Klink
On Fri, Sep 07, 2007 at 05:00:51PM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> However information stated in certificates signed by CAs isn't usually
> "private" and depending on the CA policy even published via directories
> and other different channels, so I'm not sure if this could be an
> inva

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Eddy Nigg (StartCom Ltd.)
Alexander Klink wrote:
> Here is how it works:
> - Because Firefox's standard configuration is to automatically choose a
> TLS client certificate to be sent out, the certificate including
> the personal data will now be sent out to any website that requests it.
> Contrary to a typical cookie,

Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Alexander Klink
While building the new OpenXPKI Live CD ... if you are looking for an (open source) enterprise-grade PKI system, consider OpenXPKI. You can now test development snapshots using our new Morphix-based live CD. ... I realised that you can do something with Firefox 2.0.x that you could not do with Fi