Date: Fri, 7 Sep 2007 20:10:23 +0200
From: Alexander Klink <a.klink@...ops.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Hi Peter,

On Fri, Sep 07, 2007 at 07:31:59AM -1000, Peter Besenbruch wrote:
> Alexander Klink wrote:
>  > ... I realised that you can do something with Firefox 2.0.x that
>  > you could not do with Firefox 1.5.x: track an unsuspecting user
>  > using TLS client certificates.
Actually, this summary is no longer true; it works even better in 1.5 ;-)

> While I can see the same use here, it seems you are saying anyone could
> have a look at certificates on your system, while cookies generally are
> limited to viewing by the issuing domain. What I don't understand is if
> there is a simple way of knowing what certificate to ask for? For this to be
No, you can't really 'ask' for a certificate - the user chooses it 
(or, in this case, the browser does so automatically).

> to issue a "give me all your stored certificates" command? The follow-on
> link to Apache's cert-export page can't seem to do that. I made two
> certs and the cert-export page grabbed that last one.
Correct, this is Firefox's way of automatically choosing one. I'd
suspect most users don't have any TLS client certificates though.

> Oh well, time to change Firefox's default certificate handling.
I agree: https://bugzilla.mozilla.org/show_bug.cgi?id=395399

Best regards,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink@...ops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch
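One way to audit the default the thread closes on, as an added example that is not from the original post or from Mozilla: a small Python check over a Firefox profile's prefs.js that reports whether the browser will hand over a client certificate without prompting. It assumes the preference involved is security.default_personal_cert with the values "Select Automatically" and "Ask Every Time", and that an unset preference falls back to automatic selection as described above for Firefox 2.0.x; the prefs.js content is constructed.

```python
import re

# Assumption: this Firefox preference governs whether the browser picks a
# client certificate on its own ("Select Automatically") or prompts the user
# ("Ask Every Time"). Its name and values are not taken from the post above.
PREF_NAME = "security.default_personal_cert"
SELECT_AUTOMATICALLY = "Select Automatically"
ASK_EVERY_TIME = "Ask Every Time"

# One prefs.js entry looks like:  user_pref("some.pref", "value");
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js text into {name: raw value}; string values keep their quotes."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def client_cert_mode(prefs):
    """Effective selection mode. An absent pref means the browser default
    applies; this audit assumes that default is "Select Automatically",
    the behaviour the thread describes for Firefox 2.0.x."""
    raw = prefs.get(PREF_NAME)
    if raw is None:
        return SELECT_AUTOMATICALLY
    return raw.strip('"')


def audit_prefs(text):
    """Return (mode, sends_without_prompt) for a prefs.js file's content."""
    mode = client_cert_mode(parse_prefs(text))
    return mode, mode == SELECT_AUTOMATICALLY


# Constructed sample: a profile where the preference was never changed.
SAMPLE_DEFAULT = 'user_pref("browser.startup.homepage", "about:blank");\n'
# Constructed sample: a profile set to prompt before sending a certificate.
SAMPLE_HARDENED = SAMPLE_DEFAULT + (
    'user_pref("security.default_personal_cert", "Ask Every Time");\n'
)

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        mode, silent = audit_prefs(text)
        print(f"{label}: mode={mode!r} sends_without_prompt={silent}")
```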
