[Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

[Arshad Noor]

Alex,

Do you presume that the websites in the domains that you intend
to track users will install the self-signed CA certificate that
issued the client-certificate to the unsuspecting user?  If not,
how will the browser know which client certificate to send to 
the website during client-auth?  And what happens to the users
who do not have have client-certs issued by this CA when they
attempt to connect to the site?

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Alexander Klink" <a.klink at cynops.de>

Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.