[Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Fri Sep 7 15:00:51 BST 2007
Alexander Klink wrote:
> Here is how it works:
> - Because Firefox's standard configuration is to automatically choose a
> TLS client certificate to be sent out, the certificate including
> the personal data will now be sent out to any website that requests it.
> Contrary to a typical cookie, this includes websites that are on a
> completely different domain. The user will not notice this at all.
Personally I'd prefer to have the default settings for "When a website
requires a certificate" to be "Ask me every time". Specially if one has
various certificates from the same CA, the clueless user logs in always
with the first certificate on the list. Not really something one might
However information stated in certificates signed by CAs isn't usually
"private" and depending on the CA policy even published via directories
and other different channels, so I'm not sure if this could be an
invasion of privacy. Also tracking visitors can be done in different
ways and doesn't have to be with cookies - again I'm not sure what's the
difference. IChanging the default selection for certificate
authentication could solve the problem you stated in any case. Perhaps
file a bug for this?
> What other browsers do:
> - Firefox 1.5: Does not allow you to install a client certificate that
> is from a CA which you don't trust. I still believe this was a decent
> default setting.
Are you sure there was a change? I don't remember this to be the case of
pre-2.0 Firefox either.
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
-------------- next part --------------
An HTML attachment was scrubbed...
Full-Disclosure is hosted and sponsored by Secunia.