Arshad Noor wrote:
> They would know the CA that issued the particular client certificate and
> include it in its Request/Not require client auth message.
>
Actually funny that I never thought myself about such an option. But a
competing CA could harvest the email addresses, which are usually
Cc: [EMAIL PROTECTED], dev-tech-crypto@lists.mozilla.org
Sent: Friday, September 7, 2007 4:24:15 PM (GMT-0800) America/Los_Angeles
Subject: Re: Firefox 2.0.x: tracking unsuspecting users using TLS client
certificates
Arshad Noor wrote:
> See below, Alex.
>
> Arshad Noor
>
Arshad Noor wrote:
See below, Alex.
Arshad Noor
StrongAuth, Inc.
- Original Message -
From: "Alexander Klink" <[EMAIL PROTECTED]>
The typical user does not have a client authentication certificate,
so after installing one for him, the browser will send that out
to anyone who is asking.
Arshad Noor wrote:
>
> My understanding of the TLS protocol is that the browser only sends
> the certificates signed by CAs that the server trusts; are you saying
> that the protocol allows for asking ANY certificate from the browser
> cert-store, regardless of who signed it?
>
Yes, one
See below, Alex.
Arshad Noor
StrongAuth, Inc.
- Original Message -
From: "Alexander Klink" <[EMAIL PROTECTED]>
The typical user does not have a client authentication certificate,
so after installing one for him, the browser will send that out
to anyone who is asking.
My understanding
[Cc's restricted to the mozilla lists]
Hi Eddy,
On Fri, Sep 07, 2007 at 07:57:49PM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> >Granted, if this is a "real" CA. But if you use it like in my PoC not
> >for the typical CA scenario, but for user tracking, you could put all
> >kinds of data in the cert
[restricted the Cc's to the mozilla lists]
Arshad,
On Fri, Sep 07, 2007 at 10:04:53AM -0400, Arshad Noor wrote:
> Do you presume that the websites in the domains that you intend
> to track users will install the self-signed CA certificate that
> issued the client-certificate to the unsuspecting u
Alex,
Do you presume that the websites in the domains that you intend
to track users will install the self-signed CA certificate that
issued the client-certificate to the unsuspecting user? If not,
how will the browser know which client certificate to send to
the website during client-auth? And
Hi Alexander,
Alexander Klink wrote:
> Granted, if this is a "real" CA. But if you use it like in my PoC not
> for the typical CA scenario, but for user tracking, you could put all
> kinds of data in the certificate.
>
That's right. Still I believe that the generation of a private key and
issu
On Fri, Sep 07, 2007 at 05:00:51PM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> However information stated in certificates signed by CAs isn't usually
> "private" and depending on the CA policy even published via directories
> and other different channels, so I'm not sure if this could be an
> inva
Alexander Klink wrote:
> Here is how it works:
> - Because Firefox's standard configuration is to automatically choose a
> TLS client certificate to be sent out, the certificate including
> the personal data will now be sent out to any website that requests it.
> Contrary to a typical cookie,
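Added example, not part of the thread and not Alexander Klink's PoC code: the CertificateRequest exchange that the discussion above turns on, written in Python. The server side (here, the tracking site) builds the TLS handshake message from RFC 2246 / RFC 4346 section 7.4.4; RFC 4346 states that when its certificate_authorities list is empty the client MAY send any certificate of an acceptable type, so the site does not need to know or install the CA that issued the certificate. The client side models Firefox 2's default "Select Automatically" choice (preference security.default_personal_cert) and shows that a certificate issued by the PoC's own CA is handed to a site that never heard of that CA, while a site naming only its own CA gets nothing. The CA names, the certificate store and the subject string are constructed for the example.

```python
"""TLS CertificateRequest (RFC 2246 / RFC 4346, section 7.4.4) and a model of a
browser that answers it automatically.  Wire format:

    struct {
        ClientCertificateType certificate_types<1..2^8-1>;
        DistinguishedName      certificate_authorities<0..2^16-1>;
    } CertificateRequest;

Everything below is an added illustration; the store and names are made up.
"""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13   # HandshakeType certificate_request
RSA_SIGN = 1                         # ClientCertificateType rsa_sign
DSS_SIGN = 2                         # ClientCertificateType dss_sign


def der_name_cn(common_name):
    """DER-encode an X.501 Name holding one CN attribute (short names only):
    SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }"""
    cn = common_name.encode("utf-8")
    if len(cn) > 100:
        raise ValueError("helper supports single-byte DER lengths only")
    oid_cn = b"\x06\x03\x55\x04\x03"                       # id-at-commonName
    value = b"\x0c" + bytes([len(cn)]) + cn                 # UTF8String
    atv = b"\x30" + bytes([len(oid_cn) + len(value)]) + oid_cn + value
    rdn = b"\x31" + bytes([len(atv)]) + atv                 # SET
    return b"\x30" + bytes([len(rdn)]) + rdn                # SEQUENCE


def build_certificate_request(cert_types, ca_names):
    """Encode the handshake message.  ca_names is a list of DER DistinguishedNames;
    an empty list tells the client that any issuer is acceptable."""
    if not 1 <= len(cert_types) <= 255:
        raise ValueError("certificate_types must hold 1..255 entries")
    dn_list = b"".join(struct.pack(">H", len(dn)) + dn for dn in ca_names)
    if len(dn_list) > 0xFFFF:
        raise ValueError("certificate_authorities too long")
    body = bytes([len(cert_types)]) + bytes(cert_types)
    body += struct.pack(">H", len(dn_list)) + dn_list
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Decode a CertificateRequest; return (cert_types, ca_names).
    Raises ValueError on anything truncated or inconsistent."""
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 3:
        raise ValueError("truncated handshake message")
    pos = 0
    n_types = body[pos]
    pos += 1
    cert_types = list(body[pos:pos + n_types])
    pos += n_types
    if len(cert_types) != n_types or pos + 2 > len(body):
        raise ValueError("bad certificate_types")
    (dn_total,) = struct.unpack_from(">H", body, pos)
    pos += 2
    end = pos + dn_total
    if end != len(body):
        raise ValueError("bad certificate_authorities length")
    ca_names = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack_from(">H", body, pos)
        pos += 2
        dn = body[pos:pos + dn_len]
        pos += dn_len
        if len(dn) != dn_len or pos > end:
            raise ValueError("truncated DistinguishedName")
        ca_names.append(dn)
    return cert_types, ca_names


def select_client_certs(cert_store, cert_types, ca_names):
    """Model of 'Select Automatically': every stored certificate of an acceptable
    type whose issuer is on the server's list is a candidate; with an empty list
    every issuer matches, so a cert from a CA the site never installed is offered."""
    chosen = []
    for cert in cert_store:
        if cert["type"] not in cert_types:
            continue
        if ca_names and cert["issuer"] not in ca_names:
            continue
        chosen.append(cert)
    return chosen


def what_a_site_learns(cert_store, ca_names):
    """Full round trip: the site builds the request, the browser parses it and
    picks a certificate; return the subject the site now sees, or None."""
    msg = build_certificate_request([RSA_SIGN, DSS_SIGN], ca_names)
    types, cas = parse_certificate_request(msg)
    candidates = select_client_certs(cert_store, types, cas)
    return candidates[0]["subject"] if candidates else None


# Constructed sample data: the PoC's self-signed CA, an unrelated CA, and a
# browser store holding one certificate that carries personal data.
TRACKING_CA = der_name_cn("Tracking CA")
OTHER_CA = der_name_cn("Some Other CA")
CERT_STORE = [
    {"subject": "CN=alice,E=alice@example.net", "issuer": TRACKING_CA, "type": RSA_SIGN},
]

if __name__ == "__main__":
    print("site with empty CA list learns:", what_a_site_learns(CERT_STORE, []))
    print("site naming only its own CA learns:", what_a_site_learns(CERT_STORE, [OTHER_CA]))
```

The empty-list case is the one that makes the PoC work without the tracked websites installing anything: the request is nine bytes long (`0d 00 00 05 02 01 02 00 00`) and names no CA, so the browser's automatic selection picks the only personal certificate it has. The same request with the tracking site's own CA name in the list is also answered, which is the "real CA" case Eddy Nigg describes; only a list that omits the issuing CA stops the certificate from leaving the browser.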