Message-ID: <589e556c0709071022n69cf6d3j963a6ba120553a81@mail.gmail.com>
Date: Fri, 7 Sep 2007 13:22:34 -0400
From: "Brendan Dolan-Gavitt" <mooyix@...il.com>
To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@...rtcom.org>
Cc: full-disclosure@...ts.grok.org.uk, dev-security@...ts.mozilla.org,
	dev-tech-crypto@...ts.mozilla.org, or-talk@...ehaven.net
Subject: Re: Firefox 2.0.x: tracking unsuspecting users
	using TLS client certificates

It occurs to me that this could be used to good effect to track someone
using Tor across various domains you control. Most Tor users know to kill
JS, Flash, and are more than normally paranoid about cookies, but may not
think twice about accepting a client certificate. I'm CC'ing the Tor mailing
list to see what they think...

Can anyone see if this works through Privoxy and the other things in the
standard Tor bundle?

-Brendan

On 9/7/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg@...rtcom.org> wrote:
>
>  Hi Alexander,
>
> Alexander Klink wrote:
>
> Granted, if this is a "real" CA. But if you use it like in my PoC not
> for the typical CA scenario, but for user tracking, you could put all
> kinds of data in the certificate.
>
>  That's right. Still I believe that the generation of a private key and
> issuance of the certificate is pretty "noisy". However I agree, some
> explanation would be better. Obviously on a CA, this process is explained at
> the web site, but as in your scenario, the user isn't supposed to know a lot
> about it.... There is something to your claim....
>
> Tracking visitors in an unnoticed way over several domains is typically
> not as easy as this, I believe.
>
>  Well, well... ;-)
>
> I've actually tested that again and it also works in Firefox 1.5 - and
> even "better" there, because the certificate installation does not show
> any dialog at all.
>
>  Right! In 1.5 no "Installation Message" appears, which in 2.0 has been
> corrected. I suggest to file a bug with the request to change the default
> settings for handling certificate authentication. Please send the bug
> number, so we can vote for it...
>
> --
>   Regards      Signer:  Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber:  startcom@...rtcom.org  Blog:  Join the Revolution!<http://blog.startcom.org>
> Phone:  +1.213.341.0390
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
