Alexander Klink | 7 Sep 14:11

Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

While building the new OpenXPKI Live CD ...

<shameless_plug>if you are looking for an (open source) enterprise-grade
PKI system, consider OpenXPKI. You can now test development snapshots using
our new Morphix-based live CD.</shameless_plug>

... I realised that you can do something with Firefox 2.0.x that
you could not do with Firefox 1.5.x: track an unsuspecting user
using TLS client certificates.

Here is how it works:
- The user visits a website and leaves behind some personal data
  (for example on a registration form).
- The website uses SPKAC using the <keygen> tag to create a private
  key for the user. This will pop up a dialog that says:
  "Key generation in progress ... This may take a few minutes ...
  Please wait ..."
  With a 1024 bit key on a modern machine, this only takes a few
  seconds, so it is barely noticeable to the user.
- Using the SPKAC data, the website creates a TLS client certificate
  for the user (which may contain just a unique identifier for the user
  and/or the personal data entered) and sends it to the user using the
  "application/x-x509-user-cert" MIME-type. Firefox will automatically
  install the certificate and pop up a dialog that says:
  "Your personal certificate has been installed. You should keep a
  backup copy of this certificate."
  This dialog may need some social engineering from the website to
  keep the user unsuspecting. But who has actually heard of a
  "personal certificate" except for the more technical users? One
  could even explain to the user what it really is without the user
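The enrolment steps above, as an added example that is not part of Alexander's post or of the OpenXPKI code: the `<keygen>` form with a per-session challenge, a stdlib-only parser for the SPKAC (SignedPublicKeyAndChallenge) blob Firefox posts back, the challenge check on the server, and the `application/x-x509-user-cert` response. The `/enrol` action, the session challenge and the key and signature bytes in the sample are constructed placeholders, not a real key pair, and the SPKAC signature (proof of possession) is not verified here; a real issuer hands the SubjectPublicKeyInfo and signature to a crypto library for that before signing anything.

```python
"""Added example (not from the post or from OpenXPKI): the <keygen>/SPKAC
enrolment from the server's point of view.  Stdlib only; key and signature
bytes are constructed placeholders, not a real key pair."""
import base64

SEQUENCE, IA5STRING, BIT_STRING = 0x30, 0x16, 0x03


def keygen_form(challenge):
    """Step 1: the page that makes Firefox generate a key pair.  The challenge
    is per session, so the server can tell a fresh enrolment from a replay."""
    return ('<form method="post" action="/enrol">'          # /enrol: assumed path
            '<keygen name="spkac" challenge="%s">'
            '<input type="submit" value="Continue"></form>' % challenge)


# --- minimal DER helpers (definite lengths only, which is all SPKAC uses) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf, pos=0):
    """Return (tag, content, position after this TLV), bounds-checked."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("DER: unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER: truncated element")
    return tag, buf[pos:pos + length], pos + length


def build_spkac(spki_der, challenge, sig_alg_der, signature):
    """What <keygen> posts, before base64:
    SignedPublicKeyAndChallenge ::= SEQUENCE {
        SEQUENCE { spki SubjectPublicKeyInfo, challenge IA5String },
        signatureAlgorithm AlgorithmIdentifier, signature BIT STRING }"""
    pkac = der_tlv(SEQUENCE, spki_der + der_tlv(IA5STRING, challenge.encode("ascii")))
    return der_tlv(SEQUENCE, pkac + sig_alg_der + der_tlv(BIT_STRING, b"\x00" + signature))


def parse_spkac(b64):
    """Split the posted SPKAC into its fields, checking the DER framing."""
    der = base64.b64decode("".join(b64.split()))     # browsers may wrap the base64
    tag, outer, end = der_read(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("SPKAC: bad outer SEQUENCE")
    tag_pkac, pkac, pos = der_read(outer)
    tag_alg, alg, pos = der_read(outer, pos)
    tag_sig, sig, pos = der_read(outer, pos)
    if (tag_pkac, tag_alg, tag_sig) != (SEQUENCE, SEQUENCE, BIT_STRING) or pos != len(outer):
        raise ValueError("SPKAC: bad SignedPublicKeyAndChallenge")
    tag_spki, spki, p = der_read(pkac)
    tag_ch, challenge, p = der_read(pkac, p)
    if (tag_spki, tag_ch) != (SEQUENCE, IA5STRING) or p != len(pkac):
        raise ValueError("SPKAC: bad PublicKeyAndChallenge")
    return {"spki_der": der_tlv(SEQUENCE, spki),
            "challenge": challenge.decode("ascii"),
            "sig_alg_der": der_tlv(SEQUENCE, alg),
            "signature": sig[1:]}                      # drop the unused-bits byte


def accept_spkac(b64, expected_challenge):
    """Step 2, server side: the SubjectPublicKeyInfo to certify, or None when the
    challenge is not the one issued to this session.  Proof of possession
    (checking the signature with the enclosed key) is left to a crypto library."""
    fields = parse_spkac(b64)
    return fields["spki_der"] if fields["challenge"] == expected_challenge else None


def cert_response(cert_der):
    """Step 3: the reply that makes Firefox import the certificate as a
    'personal certificate'; the subject is whatever the server put in it."""
    return ([("Content-Type", "application/x-x509-user-cert"),
             ("Content-Length", str(len(cert_der)))], cert_der)


# --- constructed sample ------------------------------------------------------
RSA_ENCRYPTION = bytes.fromhex("300d06092a864886f70d0101010500")   # rsaEncryption
MD5_WITH_RSA = bytes.fromhex("300d06092a864886f70d0101040500")     # md5WithRSAEncryption
# Placeholder SubjectPublicKeyInfo: real AlgorithmIdentifier, dummy key bits.
SAMPLE_SPKI = der_tlv(SEQUENCE, RSA_ENCRYPTION + der_tlv(BIT_STRING, b"\x00" + b"\x42" * 16))


def sample_spkac_b64(challenge="session-7f3a"):
    """What a browser would post for SAMPLE_SPKI, with a placeholder signature."""
    spkac = build_spkac(SAMPLE_SPKI, challenge, MD5_WITH_RSA, b"\x01" * 16)
    return base64.b64encode(spkac).decode("ascii")
```

The shape of the flow is the point: nothing in it requires the user to trust the issuing CA, the certificate's subject is whatever the server chooses to put in it, and the only user-visible steps are the key-generation pop-up and, in 2.0, the installed-certificate dialog.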

Eddy Nigg (StartCom Ltd.) | 7 Sep 16:00

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Alexander Klink wrote:
> Here is how it works:
> - Because Firefox's standard configuration is to automatically choose a
>   TLS client certificate to be sent out, the certificate including
>   the personal data will now be sent out to any website that requests it.
>   Contrary to a typical cookie, this includes websites that are on a
>   completely different domain. The user will not notice this at all.
>   
Personally I'd prefer to have the default settings for "When a website 
requires a certificate" to be "Ask me every time". Especially if one has 
various certificates from the same CA, the clueless user logs in always 
with the first certificate on the list. Not really something one might 
expect.

However information stated in certificates signed by CAs isn't usually 
"private" and depending on the CA policy even published via directories 
and other different channels, so I'm not sure if this could be an 
invasion of privacy. Also tracking visitors can be done in different 
ways and doesn't have to be with cookies - again I'm not sure what's the 
difference. Changing the default selection for certificate 
authentication could solve the problem you stated in any case. Perhaps 
file a bug for this?

>
> What other browsers do:
> - Firefox 1.5: Does not allow you to install a client certificate that
>   is from a CA which you don't trust. I still believe this was a decent
>   default setting.
>   
Are you sure there was a change? I don't remember this to be the case of 
pre-2.0 Firefox either.

Alexander Klink | 7 Sep 18:34

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

On Fri, Sep 07, 2007 at 05:00:51PM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> However information stated in certificates signed by CAs isn't usually 
> "private" and depending on the CA policy even published via directories 
> and other different channels, so I'm not sure if this could be an 
> invasion of privacy. Also tracking visitors can be done in different 
Granted, if this is a "real" CA. But if you use it like in my PoC not
for the typical CA scenario, but for user tracking, you could put all
kinds of data in the certificate.

> ways and doesn't have to be with cookies - again I'm not sure what's the 
> difference. 
Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.

> Changing the default selection for certificate 
> authentication could solve the problem you stated in any case.
Correct.

> > What other browsers do:
> > - Firefox 1.5: Does not allow you to install a client certificate that
> >   is from a CA which you don't trust. I still believe this was a decent
> >   default setting.
> >   
> Are you sure there was a change? I don't remember this to be the case of 
> pre-2.0 Firefox either.
I've actually tested that again and it also works in Firefox 1.5 - and
even "better" there, because the certificate installation does not show
any dialog at all. This reduces the visibility to a short key generation
pop up! No idea why I thought it did not work in 1.5, though.


Eddy Nigg (StartCom Ltd.) | 7 Sep 18:57

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Hi Alexander,

Alexander Klink wrote:
> Granted, if this is a "real" CA. But if you use it like in my PoC not
> for the typical CA scenario, but for user tracking, you could put all
> kinds of data in the certificate.
>   
That's right. Still I believe that the generation of a private key and 
issuance of the certificate is pretty "noisy". However I agree, some 
explanation would be better. Obviously on a CA, this process is 
explained at the web site, but as in your scenario, the user isn't 
supposed to know a lot about it....There is something to your claim....
> Tracking visitors in an unnoticed way over several domains is typically
> not as easy as this, I believe.
>   
Well, well... ;-)
> I've actually tested that again and it also works in Firefox 1.5 - and
> even "better" there, because the certificate installation does not show
> any dialog at all. 
Right! In 1.5 no "Installation Message" appears, which in 2.0 has been 
corrected. I suggest to file a bug with the request to change the 
default settings for handling certificate authentication. Please send 
the bug number, so we can vote for it...

-- 
Regards 

Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom <at> startcom.org <xmpp:startcom <at> startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>

Brendan Dolan-Gavitt

Re: [Full-disclosure] Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

It occurs to me that this could be used to good effect to track someone using Tor across various domains you control. Most Tor users know to kill JS, Flash, and are more than normally paranoid about cookies, but may not think twice about accepting a client certificate. I'm CC'ing the Tor mailing list to see what they think...

Can anyone see if this works through Privoxy and the other things in the standard Tor bundle?

-Brendan

On 9/7/07, Eddy Nigg (StartCom Ltd.) <eddy_nigg <at> startcom.org> wrote:
> Hi Alexander,
>
> Alexander Klink wrote:
> > Granted, if this is a "real" CA. But if you use it like in my PoC not
> > for the typical CA scenario, but for user tracking, you could put all
> > kinds of data in the certificate.
> That's right. Still I believe that the generation of a private key and
> issuance of the certificate is pretty "noisy". However I agree, some
> explanation would be better. Obviously on a CA, this process is
> explained at the web site, but as in your scenario, the user isn't
> supposed to know a lot about it....There is something to your claim....
> > Tracking visitors in an unnoticed way over several domains is typically
> > not as easy as this, I believe.
> Well, well... ;-)
> > I've actually tested that again and it also works in Firefox 1.5 - and
> > even "better" there, because the certificate installation does not show
> > any dialog at all.
> Right! In 1.5 no "Installation Message" appears, which in 2.0 has been
> corrected. I suggest to file a bug with the request to change the
> default settings for handling certificate authentication. Please send
> the bug number, so we can vote for it...
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> Jabber:  startcom <at> startcom.org
> Blog:  Join the Revolution!
> Phone:  +1.213.341.0390

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Peter Besenbruch | 7 Sep 19:41

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Brendan Dolan-Gavitt wrote:
> Can anyone see if this works through Privoxy and the other things in the
> standard Tor bundle?

It works with Tor with, and without Privoxy.

-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


Alexander Klink | 7 Sep 19:28

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

[Cc's restricted to the mozilla lists]

Hi Eddy,

On Fri, Sep 07, 2007 at 07:57:49PM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> >Granted, if this is a "real" CA. But if you use it like in my PoC not
> >for the typical CA scenario, but for user tracking, you could put all
> >kinds of data in the certificate.
> >  
> That's right. Still I believe that the generation of a private key and 
> issuance of the certificate is pretty "noisy". However I agree, some 
Not on 1.5, the generation of the private key is a popup that is
closed faster than you can realize what it said if your machine is
fast enough and installation is completely "noiseless".

> >I've actually tested that again and it also works in Firefox 1.5 - and
> >even "better" there, because the certificate installation does not show
> >any dialog at all. 
> Right! In 1.5 no "Installation Message" appears, which in 2.0 has been 
> corrected. I suggest to file a bug with the request to change the 
> default settings for handling certificate authentication. Please send 
> the bug number, so we can vote for it...
Just did that, it's 395399.

Best regards,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink <at> cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch
Arshad Noor | 7 Sep 16:04

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Alex,

Do you presume that the websites in the domains that you intend
to track users will install the self-signed CA certificate that
issued the client-certificate to the unsuspecting user?  If not,
how will the browser know which client certificate to send to 
the website during client-auth?  And what happens to the users
who do not have client-certs issued by this CA when they
attempt to connect to the site?

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Alexander Klink" <a.klink <at> cynops.de>

> Tracking visitors in an unnoticed way over several domains is typically
> not as easy as this, I believe.
Alexander Klink | 7 Sep 19:12

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

[restricted the Cc's to the mozilla lists]

Arshad,

On Fri, Sep 07, 2007 at 10:04:53AM -0400, Arshad Noor wrote:
> Do you presume that the websites in the domains that you intend
> to track users will install the self-signed CA certificate that
> issued the client-certificate to the unsuspecting user?  If not,
> how will the browser know which client certificate to send to 
> the website during client-auth? 
The typical user does not have a client authentication certificate,
so after installing one for him, the browser will send that out
to anyone who is asking.

> And what happens to the users
> who do not have client-certs issued by this CA when they
> attempt to connect to the site?
Nothing, you can keep it configured as optional on the webserver.

Best regards,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink <at> cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch
Arshad Noor | 7 Sep 17:32

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

See below, Alex.

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Alexander Klink" <a.klink <at> cynops.de>

> The typical user does not have a client authentication certificate,
> so after installing one for him, the browser will send that out
> to anyone who is asking.

  My understanding of the TLS protocol is that the browser only sends
  the certificates signed by CAs that the server trusts; are you saying
  that the protocol allows for asking ANY certificate from the browser
  cert-store, regardless of who signed it?

> > And what happens to the users
> > who do not have client-certs issued by this CA when they
> > attempt to connect to the site?
>
> Nothing, you can keep it configured as optional on the webserver.

  If so, how does the website track the client?  Wouldn't client-auth
  need to be on for the tracking to work?
Eddy Nigg (StartCom Ltd.)

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Arshad Noor wrote:
>
>   My understanding of the TLS protocol is that the browser only sends
>   the certificates signed by CAs that the server trusts; are you saying
>   that the protocol allows for asking ANY certificate from the browser
>   cert-store, regardless of who signed it?
>   
Yes, one can configure a web server to accept ANY certificate for client 
auth.

-- 
Regards 

Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom <at> startcom.org <xmpp:startcom <at> startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
Robert Relyea | 8 Sep 01:24

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Arshad Noor wrote:
> See below, Alex.
>
> Arshad Noor
> StrongAuth, Inc.
>
> ----- Original Message -----
> From: "Alexander Klink" <a.klink <at> cynops.de>
>
> The typical user does not have a client authentication certificate,
> so after installing one for him, the browser will send that out
> to anyone who is asking.
>
>   My understanding of the TLS protocol is that the browser only sends
>   the certificates signed by CAs that the server trusts; are you saying
>   that the protocol allows for asking ANY certificate from the browser
>   cert-store, regardless of who signed it?
>   
That's true of Firefox, not true of other browsers. Older versions only 
sent out certificates if those certificates match a cert on the server's 
CA list.  Newer versions can include other certs (IIRC), but only if you 
have ask always on, in which case you will get a certificate prompt.

Of course this doesn't change what Alexander describes. Servers 
participating in this data collection scheme are cooperating servers. 
They would know the CA that issued the particular client certificate and 
include it in its Request/Not require client auth message.
>   
>> And what happens to the users
>> who do not have client-certs issued by this CA when they
>> attempt to connect to the site?
>>     
>
> Nothing, you can keep it configured as optional on the webserver.
>
>   If so, how does the website track the client?  Wouldn't client-auth
>   need to be on for the tracking to work?
>   
The server sends 'request/not require' certs. Most modern client auth 
servers use this anyway. It allows you to tell the user why he didn't 
really get connected instead of just having a dropped connection. The 
SSL connection completes, and the server sees that no client cert was 
used, so it can restrict access to what it shows (in the normal case).

It's also essential for web sites that use smart card tokens. You can 
tell the user 'please insert your token'. With FF 1.5 and later you can 
use smart card insertion/removal events to cause the page to refresh and 
have automatic login/logout based on your token using this feature.
>
_______________________________________________
dev-security mailing list
dev-security <at> lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Arshad Noor | 7 Sep 22:51

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Thanks for the deeper explanation, Bob. 

I continue to get a little more educated each day - I am grateful to 
all for that. :-)

Arshad Noor
StrongAuth, Inc.

----- Original Message -----
From: "Robert Relyea" <rrelyea <at> redhat.com>
To: "Arshad Noor" <arshad.noor <at> strongauth.com>
Cc: dev-security <at> lists.mozilla.org, dev-tech-crypto <at> lists.mozilla.org
Sent: Friday, September 7, 2007 4:24:15 PM (GMT-0800) America/Los_Angeles
Subject: Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Eddy Nigg (StartCom Ltd.)

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Arshad Noor wrote:
> They would know the CA that issued the particular client certificate and 
> include it in it's Request/Not require client auth message.
>   
Actually funny that I never thought myself about such an option. But a 
competing CA could harvest the email addresses, which are usually 
present in client certs, of the competition and spam them for their 
services...good thought ;-)

-- 
Regards 

Signer:  	Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:  	startcom <at> startcom.org <xmpp:startcom <at> startcom.org>
Blog:  	Join the Revolution! <http://blog.startcom.org>
Phone:  	+1.213.341.0390
Erik Tews | 7 Sep 20:45

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

On Friday, 07.09.2007, 10:04 -0400, Arshad Noor wrote:
> Alex,
> 
> Do you presume that the websites in the domains that you intend
> to track users will install the self-signed CA certificate that
> issued the client-certificate to the unsuspecting user?  If not,
> how will the browser know which client certificate to send to 
> the website during client-auth?  And what happens to the users

In TLS, the Server can for example request that the Cert was issued by a
certain CA, to select from multiple installed certificates.

> who do not have have client-certs issued by this CA when they
> attempt to connect to the site?

From RFC4346: If no suitable certificate is available, the client SHOULD
send a certificate message containing no certificates.  That is, the
certificate_list structure has a length of zero.  If client
authentication is required by the server for the handshake to continue,
it may respond with a fatal handshake failure alert.

So the connection can still be continued.
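An added example, not from the thread, that works through the handshake messages Relyea and Tews describe: the server's CertificateRequest naming the CAs it accepts, the client-side selection Firefox makes automatically, the empty Certificate message RFC 4346 prescribes when nothing fits, and the difference between a server that requests a certificate and one that requires it. It is pure-stdlib Python on the TLS 1.0/1.1 wire format (RFC 4346, sections 7.4.4 and 7.4.6); the CA names and certificate bytes are constructed placeholders, and the `select_client_certs` rule is my reading of the behaviour described in the thread, not Firefox's code.

```python
"""Added example, not from the thread: the TLS 1.0/1.1 CertificateRequest
exchange (RFC 4346, 7.4.4 and 7.4.6).  Pure stdlib, offline; the issuer
names and certificate bytes are placeholders, not real DER."""
import struct

HS_CERTIFICATE_REQUEST = 13
HS_CERTIFICATE = 11
RSA_SIGN = 1            # ClientCertificateType rsa_sign


def _hs(msg_type, body):
    """Frame a handshake message: type (1 byte) + length (3 bytes) + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_certificate_request(cert_types, ca_dns):
    """Server side.  ca_dns holds the DER issuer names the server accepts: a
    cooperating tracker site lists the tracker CA; a server that takes any
    certificate sends an empty list (RFC 4346 itself wants at least one name,
    RFC 5246 allows the list to be empty and lets the client pick any cert)."""
    dn_list = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    body = bytes([len(cert_types)]) + bytes(cert_types)
    body += struct.pack("!H", len(dn_list)) + dn_list
    return _hs(HS_CERTIFICATE_REQUEST, body)


def parse_certificate_request(msg):
    """Client side: returns (cert_types, ca_dns), rejecting bad framing."""
    if msg[0] != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    n = body[0]
    cert_types = list(body[1:1 + n])
    pos = 1 + n
    (dn_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + dn_total
    if end != len(body):
        raise ValueError("certificate_authorities length mismatch")
    ca_dns = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        ca_dns.append(body[pos:pos + dn_len])
        pos += dn_len
    return cert_types, ca_dns


def select_client_certs(installed, cert_types, ca_dns):
    """Candidates for the automatic choice: acceptable key type and an issuer
    the server named (any issuer when the list is empty)."""
    return [c for c in installed
            if c["type"] in cert_types and (not ca_dns or c["issuer"] in ca_dns)]


def build_certificate_message(chain):
    """Client side.  An empty chain is the 'certificate message containing no
    certificates' of RFC 4346 7.4.6: certificate_list of length zero."""
    certs = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    return _hs(HS_CERTIFICATE, len(certs).to_bytes(3, "big") + certs)


def server_accepts(chain, require_client_cert):
    """'request/not require' (Apache SSLVerifyClient optional) completes the
    handshake without a cert and sees an anonymous visitor; 'require' may
    answer with a fatal handshake_failure alert instead."""
    if chain:
        return "authenticated"
    return "handshake_failure" if require_client_cert else "anonymous"


def demo():
    """Four handshakes under Firefox's default 'Select one automatically':
    the tracker's own site, an unrelated site naming a corporate CA, a site
    that accepts any cert, and a user with no client certificate at all."""
    corp_ca = b"CN=Example Corp Internal CA"      # placeholder for a DER Name
    tracker_ca = b"CN=Tracker Issuing CA"
    installed = [{"type": RSA_SIGN, "issuer": corp_ca, "der": b"<corp cert>"},
                 {"type": RSA_SIGN, "issuer": tracker_ca, "der": b"<tracker cert>"}]
    cases = {"tracker": (installed, [tracker_ca]),
             "unrelated": (installed, [corp_ca]),
             "accept_any": (installed, []),
             "no_certs": ([], [tracker_ca])}
    out = {}
    for label, (store, dns) in cases.items():
        types, ca_dns = parse_certificate_request(build_certificate_request([RSA_SIGN], dns))
        chosen = select_client_certs(store, types, ca_dns)
        chain = [chosen[0]["der"]] if chosen else []    # no prompt, first match wins
        build_certificate_message(chain)                 # what goes on the wire
        out[label] = (len(chosen), server_accepts(chain, require_client_cert=False))
    return out
```

Two cases are worth a second look. The "unrelated" case is niclas's point about corporate certificates: a server that names the corporate CA gets the employee's certificate with no prompt as long as the default stays "Select one automatically". The "no_certs" case is the answer to Arshad's question: the tracker keeps client authentication optional, the handshake completes with an empty Certificate message, and ordinary visitors never see an error.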
Peter Besenbruch | 7 Sep 19:31

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

With apologies to Alexander. I keep forgetting that replying to full 
disclosure messages sends an e-mail to him, and not the list. Here is my 
reply to the list:

Alexander Klink wrote:
 > ... I realised that you can do something with Firefox 2.0.x that
 > you could not do with Firefox 1.5.x: track an unsuspecting user
 > using TLS client certificates.

...

 > Proof of Concept:
 > - http://0x90.eu/ff_tls_poc.html

So, one can use certificates as a kind of super-cookie. You mention in a 
follow-up message that all kinds of information can be stored in a 
certificate. With cookies, a third party advertiser can place a cookie 
and track you across sites, building up a profile of your interests.

While I can see the same use here, it seems you are saying anyone could 
have a look at certificates on your system, while cookies generally are 
limited to viewing by the issuing domain. What I don't understand is if 
there is a simple way of knowing what certificate to ask for? For this to be 
useful, that would be pretty important. Another question, is it possible 
to issue a "give me all your stored certificates" command? The follow-on 
link to Apache's cert-export page can't seem to do that. I made two 
certs and the cert-export page grabbed that last one.

Oh well, time to change Firefox's default certificate handling.
-- 
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky


Alexander Klink | 7 Sep 20:10

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Hi Peter,

On Fri, Sep 07, 2007 at 07:31:59AM -1000, Peter Besenbruch wrote:
> Alexander Klink wrote:
>  > ... I realised that you can do something with Firefox 2.0.x that
>  > you could not do with Firefox 1.5.x: track an unsuspecting user
>  > using TLS client certificates.
Actually, this summary is no longer true, works even better in 1.5 ;-)

> While I can see the same use here, it seems you are saying anyone could 
> have a look at certificates on your system, while cookies generally are 
> limited to viewing by the issuing domain. What I don't understand is if 
> there is a simple way of knowing what certificate to ask for? For this to be 
No, you can't really 'ask' for a certificate - the user chooses it 
(or, in this case, the browser does so automatically).

> to issue a "give me all your stored certificates" command? The follow-on 
> link to Apache's cert-export page can't seem to do that. I made two 
> certs and the cert-export page grabbed that last one.
Correct, this is Firefox's way of automatically choosing one. I'd
suspect most users don't have any TLS client certificates though.

> Oh well, time to change Firefox's default certificate handling.
I agree: https://bugzilla.mozilla.org/show_bug.cgi?id=395399

Best regards,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink <at> cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch


Alexander Klink | 8 Sep 00:04

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

Hi Peter,

On Fri, Sep 07, 2007 at 08:10:23PM +0200, Alexander Klink wrote:
> > While I can see the same use here, it seems you are saying anyone could 
> > have a look at certificates on your system, while cookies generally are 
> > limited to viewing by the issuing domain. What I don't understand is if 
> > there is a simple way of knowing what certificate to ask for? For this to be 
> No, you can't really 'ask' for a certificate - the user chooses it 
> (or, in this case, the browser does so automatically).
Hmmm, I stand corrected (from Erik, who else? ;-). TLS actually allows
the server to ask for a specific type and/or CA.

Best regards,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    a.klink <at> cynops.de
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch


niclas | 10 Sep 03:32

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

> ... I realised that you can do something with Firefox 2.0.x that
> you could not do with Firefox 1.5.x: track an unsuspecting user
> using TLS client certificates.

this is not new. in a way it has been in the apache
documentation for years. it's simple, and it's very bad:

a) firefox does not ask the user which certificate to deliver if not set
up to do so.

b) firefox does not offer a checkbox to remember the choice the user
made. the irritating dialogue will appear up to two times for each
webpage and not stay activated for long.

(konqueror in comparison does remember the user's choice for each
domain/site. k. doesn't send out certficates without being told to.)

c) in the apache documentation you can read about a simple setup which
asks for and accepts ANY certificate that the browser delivers - which
leaves the choice to the browser and makes it deliver one _silently_ if
present.

(IIRC the choice is usually made by comparing certain fields in the
certificate, e.g. company, common name etc. the certificate that matches
best will be sent.
though the server certificate's CN must be * or match the domain to be
accepted, FF does not require any information from the client
certificate to match the domain it is sent to.)

you want to make use of that? very simple:

1) all information from the client certificate can of course be read by
the server, e.g. in a CGI.

2) though you could achieve this easily (contrary to statements on the
list my FF never required client certificates to be signed by a known
CA - why should it?), you do not have to make users actually install a
certificate. would be too obvious anyway, and...

...users who are part of a company network or any other organization
which uses certificate authentication will already have one.

they are very concerned about security, so they are probably more
interesting targets anyway.

3) for tracking purposes just remember the fingerprint of ANY delivered
client certificate. combine it with any other information
you get from the now perfectly identified client, like IP-address,
information filled into forms, etc.

4a) simple tracking of a certificate holder might be nice for secret
services and adserver owners, but as companies like to have their own CA
or at least write the company name into the certificates, competitors
can see easily who's clicking.

4b) if you are a spammer the valid e-mail-address stored in the
certificate might be of some value.

4c) the "common name" field is great information for phishers and all
kinds of evildoers who are now empowered to create individualized mails
with this information.

n.

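The server side niclas sketches, as an added example that is not part of his post: mod_ssl asks for any client certificate without requiring one and exports it to the CGI environment, and the CGI keys a profile on the certificate fingerprint and folds in the host, IP address and form data from each visit. The `SSL_CLIENT_*` variable names and the directives in the module docstring are mod_ssl's real ones; the certificate bytes, hosts, addresses and form fields are constructed placeholders, and the subject string is in the Apache 2.2-era `/C=.../CN=...` format, which this parser assumes.

```python
"""Added example, not from niclas's post: the tracking CGI behind a mod_ssl
server that asks for, but never requires, any client certificate.

httpd.conf fragment (mod_ssl's real directives; the values are the assumed setup):
    SSLVerifyClient optional_no_ca          # request a cert, accept it from any CA,
                                            # carry on without one
    SSLVerifyDepth  10
    SSLOptions +StdEnvVars +ExportCertData  # SSL_CLIENT_* and the PEM in the CGI env
A cert from an issuer the server does not trust still completes the
handshake and arrives with SSL_CLIENT_VERIFY=GENEROUS.
"""
import base64
import hashlib


def pem_to_der(pem):
    """Strip the PEM armour mod_ssl puts in SSL_CLIENT_CERT."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)


def fingerprint_der(der):
    """The stable cross-site identifier: SHA-256 over the certificate's DER."""
    return hashlib.sha256(der).hexdigest()


def parse_oneline_dn(dn):
    """Apache 2.2-style '/C=DE/O=Example/CN=Alice/emailAddress=a@b' -> dict.
    Assumption for the example: values contain no escaped slashes."""
    attrs = {}
    for part in dn.split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key] = value
    return attrs


def record_from_environ(environ):
    """Identity data from one request, or None if no client cert was presented."""
    pem = environ.get("SSL_CLIENT_CERT")
    if not pem or environ.get("SSL_CLIENT_VERIFY", "NONE") == "NONE":
        return None
    subject = parse_oneline_dn(environ.get("SSL_CLIENT_S_DN", ""))
    return {"fingerprint": fingerprint_der(pem_to_der(pem)),
            "cn": subject.get("CN"), "org": subject.get("O"),
            "email": subject.get("emailAddress"),
            "issuer": environ.get("SSL_CLIENT_I_DN"),
            "verify": environ.get("SSL_CLIENT_VERIFY"),
            "host": environ.get("HTTP_HOST"), "ip": environ.get("REMOTE_ADDR")}


def track(store, environ, form=None):
    """Fold this request into the profile keyed by certificate fingerprint and
    return it; visitors without a cert get None and are served anonymously."""
    rec = record_from_environ(environ)
    if rec is None:
        return None
    prof = store.setdefault(rec["fingerprint"], {
        "cn": rec["cn"], "org": rec["org"], "email": rec["email"],
        "issuer": rec["issuer"], "hosts": set(), "ips": set(), "forms": {}})
    prof["hosts"].add(rec["host"])
    prof["ips"].add(rec["ip"])
    if form:
        prof["forms"].update(form)         # whatever the user typed on any site
    return prof


# --- constructed sample: a 5-byte DER SEQUENCE stands in for a certificate ---
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def sample_environ(host, ip):
    """What mod_ssl hands the CGI for one visit with the sample certificate."""
    b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
    return {"HTTP_HOST": host, "REMOTE_ADDR": ip,
            "SSL_CLIENT_VERIFY": "GENEROUS",          # unknown CA, still accepted
            "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64,
            "SSL_CLIENT_S_DN": "/C=DE/O=Example Corp/CN=Alice Example/emailAddress=alice@example.com",
            "SSL_CLIENT_I_DN": "/C=DE/O=Example Corp/CN=Example Corp Internal CA"}


def demo():
    """Two unrelated sites, one certificate: the visits land in one profile."""
    store = {}
    track(store, sample_environ("shop.example.net", "198.51.100.7"),
          form={"newsletter_name": "Alice"})
    track(store, sample_environ("news.example.org", "203.0.113.9"))
    track(store, {"HTTP_HOST": "news.example.org", "REMOTE_ADDR": "203.0.113.10",
                  "SSL_CLIENT_VERIFY": "NONE"})          # cert-less visitor: ignored
    return store
```

The same `fingerprint_der` value arriving from two different `HTTP_HOST`s is the cross-domain join that a cookie cannot provide, which is what makes the certificate a "super-cookie". `SSL_CLIENT_VERIFY` reads `GENEROUS` rather than `SUCCESS` because `optional_no_ca` accepts certificates from issuers the server does not trust; for tracking that is no loss, since the fingerprint and the subject fields are all the CGI needs.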

