[Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates
Alexander Klink
a.klink at cynops.de
Fri Sep 7 19:10:23 BST 2007
Hi Peter,
On Fri, Sep 07, 2007 at 07:31:59AM -1000, Peter Besenbruch wrote:
> Alexander Klink wrote:
> > ... I realised that you can do something with Firefox 2.0.x that
> > you could not do with Firefox 1.5.x: track an unsuspecting user
> > using TLS client certificates.
Actually, this summary is no longer true, works even better in 1.5 ;-)
> While I can see the same use here, it seems you are saying anyone could
> have a look at certificates on your system, while cookies generally are
> limited to viewing by the issuing domain. What I don't understand is if
> there is a simple of knowing what certificate to ask for? For this to be
No, you can't really 'ask' for a certificate - the user chooses it
(or, in this case, the browser does so automatically).
> to issue a "give me all your stored certificates" command? The follow-on
> link to Apache's cert-export page can't seem to do that. I made two
> certs and the cert-export page grabbed that last one.
Correct, this is Firefox's way of automatically choosing one. I'd
suspect most users don't have any TLS client certificates though.
> Oh well, time to change Firefox's default certificate handling.
I agree: https://bugzilla.mozilla.org/show_bug.cgi?id=395399
Best regards,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink at cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
Full-Disclosure is hosted and sponsored by Secunia.