> ... I realised that you can do something with Firefox 2.0.x that > you could not do with Firefox 1.5.x: track an unsuspecting user > using TLS client certificates.
this is not new. in a way it has been in the apache documentation for years. it simple, and it's very bad: a) firefox does not ask the user which certificate to deliver if not set up to do so. b) firefox does not offer a checkbox to remember the choice the user made. the irritating dialogue will appear up to two times for each webpage and not stay activated for long. (konqueror in comparison does remember the user's choice for each domain/site. k. doesn't send out certficates without being told to.) c) in the apache documentation you can read about a simple setupwhich asks for and accepts ANY certificate that the browser delivers - which leaves the choice to the browser and makes it deliver one _silently_ if present. (IIRC the choice is usually made by comparing certain fields in the certificate, e.g. company, common name etc. the certficate that matches best will be sent. though the server certificate's CN must be * or match the domain to be accepted, FF does not require any information from the client certificate to match the domain it is sent to.) you want to make use of that? very simple: 1) all information from the client certificate can of course be read by the server, e.g. in a CGI. 2) though you could achieve this easily (contrary to statements on the list my FF never required client certificates to be signed by a known CA - why should it?), you do not have to make users actually install a certificate. would be too obvoius anyway, and... ...users who are part of a company network or any other organization which uses certificate authentication will already have one. they are very concerned about security, so they are probably more interesting targets anyway. 3) for tracking purposes just remember the fingerprint of ANY delivered client certificate. combine it with any other information information you get from the now perfectly identified client, like IP-address, information filled into forms, etc. 4a) simple tracking of a certficate holder might be nice for secret services and adserver owners, but as companies like to have their own CA or at least write the company name into the certificates, competitors can see easily who's clicking. 4b) if you are a spammer the valid e-mail-address stored in the certificate might be of some value. 4c) the "common name" field is great information for phishers and all kinds of evildoers who are now empowered to create individualized mails with this information. n. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
