| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070908.c0d392a707e5879438d144651cc98018@cynops.de>
Date: Sat, 8 Sep 2007 00:04:11 +0200
From: Alexander Klink <a.klink@...ops.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox 2.0.x: tracking unsuspecting users
using TLS client certificates
Hi Peter,
On Fri, Sep 07, 2007 at 08:10:23PM +0200, Alexander Klink wrote:
> > While I can see the same use here, it seems you are saying anyone could
> > have a look at certificates on your system, while cookies generally are
> > limited to viewing by the issuing domain. What I don't understand is if
> > there is a simple of knowing what certificate to ask for? For this to be
> No, you can't really 'ask' for a certificate - the user chooses it
> (or, in this case, the browser does so automatically).
Hmmm, I stand corrected (from Erik, who else? ;-). TLS actually allows
the server to ask for a specific type and/or CA.
Best regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@...ops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists