On Fri, Sep 07, 2007 at 05:00:51PM +0300, Eddy Nigg (StartCom Ltd.) wrote:
> However information stated in certificates signed by CAs isn't usually 
> "private" and depending on the CA policy even published via directories 
> and other different channels, so I'm not sure if this could be an 
> invasion of privacy. Also tracking visitors can be done in different 
Granted, if this is a "real" CA. But if you use it like in my PoC not
for the typical CA scenario, but for user tracking, you could put all
kinds of data in the certificate.

> ways and doesn't have to be with cookies - again I'm not sure what's the 
> difference. 
Tracking visitors in an unnoticed way over several domains is typically
not as easy as this, I believe.

> Changing the default selection for certificate 
> authentication could solve the problem you stated in any case.
Correct.

> > What other browsers do:
> > - Firefox 1.5: Does not allow you to install a client certificate that
> >   is from a CA which you don't trust. I still believe this was a decent
> >   default setting.
> >   
> Are you sure there was a change? I don't remember this to be the case of 
> pre-2.0 Firefox either.
I've actually tested that again and it also works in Firefox 1.5 - and
even "better" there, because the certificate installation does not show
any dialog at all. This reduces the visibility to a short key-generation
pop-up! No idea why I thought it did not work in 1.5, though.

Best regards,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer |    [EMAIL PROTECTED]
 mobile: +49 (0)178 2121703 |          Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
      HRB 7833, Amtsgericht | USt-Id: DE 213094986 |     Geschäftsführer:
     Bad Homburg v. d. Höhe |                      |      Martin Bartosch
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security