Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

To: "Eddy Nigg (StartCom Ltd.)" <eddy_nigg@xxxxxxxxxxxx>

Subject: Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

From: "Brendan Dolan-Gavitt" <mooyix@xxxxxxxxx>

Date: Fri, 7 Sep 2007 13:22:34 -0400

Cc: "Alexander Klink" <a.klink@xxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, dev-security@xxxxxxxxxxxxxxxxx, dev-tech-crypto@xxxxxxxxxxxxxxxxx, or-talk@xxxxxxxxxxxxx

Delivered-to: archiver@xxxxxxxx

Delivered-to: or-talk-outgoing@xxxxxxxx

Delivered-to: or-talk@xxxxxxxx

Delivery-date: Fri, 07 Sep 2007 13:22:43 -0400

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; bh=6Dj088DBQUmTdkHMid8VXuH02l7jeVKlbYupDuva8Cc=; b=bu3pU82PTu9JpUV/h71p0JSoFBOANRWSy8WmmbbtfVTk1AtfZ0qet8JDXhqnpqCyPB0fCaEAB9wn3vwXj5ASeFcWO/WSIX/e9t6S5BHF20GOGe6GiPXXi6YZoJCGuzg7Jh45Viw3hdt92kg90F0W1sO8e3f/Z4+sIC9Jul7aW7Q=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=RUdUEJix5+HOvpvjQC8UHYNW6A+mDUJNbWd9sn9fHSdroeoaWivOhAzSmAM+2umsiJ2reOTjdswGzSwMQbC1ruaXVK2kMNom6+wnCqgVL3qLEUwB2cfIrm/Fp4EZOsNKv69CrS+FJvER1FZPfd5KIm0lfNpAw52K83Ryz4CQ8lE=

In-reply-to: <46E1830D.4090602@xxxxxxxxxxxx>

References: <20070907.ce9a944b0ad262ed5b5f8b8bee21485f@xxxxxxxxx> <46E15993.7040406@xxxxxxxxxxxx> <20070907.ba13aeb8cf418c65d7d415cfd7783a78@xxxxxxxxx> <46E1830D.4090602@xxxxxxxxxxxx>

Reply-to: or-talk@xxxxxxxxxxxxx

Sender: owner-or-talk@xxxxxxxxxxxxx

On 9/7/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg@xxxxxxxxxxxx> wrote:

Hi Alexander,

Alexander Klink wrote:
Granted, if this is a "real" CA. But if you use it like in my PoC not
for the typical CA scenario, but for user tracking, you could put all
kinds of data in the certificate.
That's right. Still I believe that the generation of a private key and issuance of the certificate is pretty "noisy". However I agree, some explanation would be better. Obviously on a CA, this process is explained at the web site, but as in your scenario, the user isn't supposed to know a lot about it....There is something to your claim....
Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.
Well ,well... ;-)
I've actually tested that again and it also works in Firefox 1.5 - and
even "better" there, because the certificate installation does not show
any dialog at all.
Right! In 1.5 no "Installation Message" appears, which in 2.0 has been corrected. I suggest to file a bug with the request to change the default settings for handling certificate authentication. Please send the bug number, so we can vote for it...

--

Regards

Signer: Eddy Nigg, StartCom Ltd.

Jabber: startcom@xxxxxxxxxxxx

Blog: Join the Revolution!

Phone: +1.213.341.0390
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Regards

Signer:	Eddy Nigg, StartCom Ltd.
Jabber:	startcom@xxxxxxxxxxxx
Blog:	Join the Revolution!
Phone:	+1.213.341.0390