Alexander Klink wrote: > Here is how it works: > - Because Firefox's standard configuration is to automatically choose a > TLS client certificate to be sent out, the certificate including > the personal data will now be sent out to any website that requests it. > Contrary to a typical cookie, this includes websites that are on a > completely different domain. The user will not notice this at all. > Personally I'd prefer to have the default settings for "When a website requires a certificate" to be "Ask me every time". Specially if one has various certificates from the same CA, the clueless user logs in always with the first certificate on the list. Not really something one might expect.
However information stated in certificates signed by CAs isn't usually "private" and depending on the CA policy even published via directories and other different channels, so I'm not sure if this could be an invasion of privacy. Also tracking visitors can be done in different ways and doesn't have to be with cookies - again I'm not sure what's the difference. IChanging the default selection for certificate authentication could solve the problem you stated in any case. Perhaps file a bug for this? > > What other browsers do: > - Firefox 1.5: Does not allow you to install a client certificate that > is from a CA which you don't trust. I still believe this was a decent > default setting. > Are you sure there was a change? I don't remember this to be the case of pre-2.0 Firefox either. -- Regards Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org> Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]> Blog: Join the Revolution! <http://blog.startcom.org> Phone: +1.213.341.0390 _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
