Thanks for the deeper explanation, Bob. I continue to get a little more educated each day - I am grateful to all for that. :-)
Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Robert Relyea" <[EMAIL PROTECTED]>
To: "Arshad Noor" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], dev-tech-crypto@lists.mozilla.org
Sent: Friday, September 7, 2007 4:24:15 PM (GMT-0800) America/Los_Angeles
Subject: Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Arshad Noor wrote:
> See below, Alex.
>
> Arshad Noor
> StrongAuth, Inc.
>
> ----- Original Message -----
> From: "Alexander Klink" <[EMAIL PROTECTED]>
>
> The typical user does not have a client authentication certificate,
> so after installing one for him, the browser will send that out
> to anyone who is asking.
>
> My understanding of the TLS protocol is that the browser only sends
> the certificates signed by CAs that the server trusts; are you saying
> that the protocol allows for asking ANY certificate from the browser
> cert-store, regardless of who signed it?
>

That's true of Firefox, not true of other browsers. Older versions only sent out certificates if those certificates matched a cert on the server's CA list. Newer versions can include other certs (IIRC), but only if you have "ask always" on, in which case you will get a certificate prompt.

Of course this doesn't change what Alexander describes. Servers participating in this data collection scheme are cooperating servers. They would know the CA that issued the particular client certificate and include it in its Request/Not require client auth message.

> >> And what happens to the users
> >> who do not have client-certs issued by this CA when they
> >> attempt to connect to the site?
> >>
> >
> > Nothing, you can keep it configured as optional on the webserver.
> >
> If so, how does the website track the client? Wouldn't client-auth
> need to be on for the tracking to work?
>

The server sends 'request/not require' certs. Most modern client auth servers use this anyway.

It allows you to tell the user why he didn't really get connected instead of just having a dropped connection. The SSL connection completes, and the server sees that no client cert was used, so it can restrict access to what it shows (in the normal case). It's also essential for web sites that use smart card tokens. You can tell the user 'please insert your token'. With FF 1.5 and later you can use smart card insertion/removal events to cause the page to refresh and have automatic login/logout based on your token using this feature.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
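The two mechanisms the thread turns on are the server's CertificateRequest, which names the CAs it will accept, and the client's rule of offering only certificates issued by one of those CAs. The following is an added example and not code from the thread or from Mozilla: it builds and parses a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4), applies the "matches a CA on the server's list" selection rule to a constructed certificate store, and shows the server-side "request / not require" setting as Python's ssl module expresses it (CERT_OPTIONAL). Distinguished names are encoded as CN-only DER Names for brevity; the CA names and the client store are made up for the illustration.

```python
# Added example: TLS 1.2 CertificateRequest wire format, client-side CA
# matching, and the "request / not require" server setting.  Constructed data.
import ssl
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13         # HandshakeType certificate_request
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_cn_name(cn):
    """X.501 Name with one CN RDN: SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }."""
    atv = _der_tlv(0x30, _der_tlv(0x06, OID_COMMON_NAME) + _der_tlv(0x0C, cn.encode("utf-8")))
    return _der_tlv(0x30, _der_tlv(0x31, atv))


def decode_name(der):
    """Render a DER Name as 'CN=...' (other attribute types are shown by OID hex)."""
    _, name, _ = _read_tlv(der, 0)
    parts, pos = [], 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)          # RelativeDistinguishedName (SET)
        ipos = 0
        while ipos < len(rdn):
            _, atv, ipos = _read_tlv(rdn, ipos)     # AttributeTypeAndValue (SEQUENCE)
            _, oid, vpos = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, vpos)
            label = "CN" if oid == OID_COMMON_NAME else "OID:" + oid.hex()
            parts.append(label + "=" + value.decode("utf-8", "replace"))
    return ",".join(parts)


def build_certificate_request(ca_cns):
    """TLS 1.2 CertificateRequest handshake message naming the given CAs."""
    cert_types = bytes([0x01, 0x40])                # rsa_sign, ecdsa_sign
    sig_algs = bytes([0x04, 0x01, 0x04, 0x03])      # sha256/rsa, sha256/ecdsa
    cas = b"".join(struct.pack("!H", len(d)) + d for d in map(encode_cn_name, ca_cns))
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Inverse of build_certificate_request; raises ValueError on a malformed message."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    if int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    pos = 4
    n = msg[pos]; pos += 1
    cert_types = list(msg[pos:pos + n]); pos += n
    n = struct.unpack("!H", msg[pos:pos + 2])[0]; pos += 2
    sig_algs = [(msg[i], msg[i + 1]) for i in range(pos, pos + n, 2)]; pos += n
    n = struct.unpack("!H", msg[pos:pos + 2])[0]; pos += 2
    end, ca_names = pos + n, []
    while pos < end:
        dlen = struct.unpack("!H", msg[pos:pos + 2])[0]; pos += 2
        ca_names.append(decode_name(msg[pos:pos + dlen])); pos += dlen
    if pos != end or pos != len(msg):
        raise ValueError("trailing or truncated certificate_authorities")
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_names": ca_names}


def select_client_certs(store, ca_names):
    """Certificates a client may offer without a prompt: issuer must be a named CA."""
    return [c for c in store if c["issuer"] in ca_names]


def optional_client_auth_context():
    """Server side of 'request / not require': handshake completes with or without a cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx


# Constructed client store: one cert from the (hypothetical) tracking CA, one unrelated.
CLIENT_STORE = [
    {"subject": "CN=visitor-7f3a", "issuer": "CN=Tracking CA"},
    {"subject": "CN=alice", "issuer": "CN=Corp Issuing CA"},
]

if __name__ == "__main__":
    req = parse_certificate_request(build_certificate_request(["Tracking CA"]))
    print(req["ca_names"], [c["subject"] for c in select_client_certs(CLIENT_STORE, req["ca_names"])])
```

The point the example makes concrete: a cooperating server lists only the CA it planted, the matching rule then selects exactly the planted certificate, and because verify_mode is optional rather than required, visitors without such a certificate still complete the handshake and never see an error.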