Message-ID: <20070907.ba13aeb8cf418c65d7d415cfd7783a78@cynops.de>
Date: Fri, 7 Sep 2007 18:34:00 +0200
From: Alexander Klink <a.klink@...ops.de>
To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org>
Cc: full-disclosure@...ts.grok.org.uk, dev-security@...ts.mozilla.org,
	dev-tech-crypto@...ts.mozilla.org
Subject: Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

On Fri, Sep 07, 2007 at 05:00:51PM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> However information stated in certificates signed by CAs isn't usually 
> "private" and depending on the CA policy even published via directories 
> and other different channels, so I'm not sure if this could be an 
> invasion of privacy. Also tracking visitors can be done in different 
Granted, if this is a "real" CA. But if you use it like in my PoC not
for the typical CA scenario, but for user tracking, you could put all
kinds of data in the certificate.

> ways and doesn't have to be with cookies - again I'm not sure what's the 
> difference. 
Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.

> Changing the default selection for certificate 
> authentication could solve the problem you stated in any case.
Correct.

> > What other browsers do:
> > - Firefox 1.5: Does not allow you to install a client certificate that
> >   is from a CA which you don't trust. I still believe this was a decent
> >   default setting.
> >   
> Are you sure there was a change? I don't remember this to be the case of 
> pre-2.0 Firefox either.
I've actually tested that again and it also works in Firefox 1.5 - and
even "better" there, because the certificate installation does not show
any dialog at all. This reduces the visibility to a short key generation
pop up! No idea why I thought it did not work in 1.5, though.

Best regards,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink@...ops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
