It occurs to me that this could be used to good effect to track someone using Tor across various domains you control. Most Tor users know to kill JS, Flash, and are more than normally paranoid about cookies, but may not think twice about accepting a client certificate. I'm CC'ing the Tor mailing list to see what they think...
<br><br>Can anyone see if this works through Privoxy and the other things in the standard Tor bundle?<br><br>-Brendan<br><br><div><span class="gmail_quote">On 9/7/07, <b class="gmail_sendername">Eddy Nigg (StartCom Ltd.)</b>
<<a href="mailto:eddy_nigg@startcom.org">eddy_nigg@startcom.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
Hi Alexander,<br>
<br>
Alexander Klink wrote:
<blockquote type="cite"><span class="q">
<pre>Granted, if this is a "real" CA. But if you use it like in my PoC not<br>for the typical CA scenario, but for user tracking, you could put all<br>kinds of data in the certificate.<br> </pre></span>
</blockquote>
That's right. Still I believe that the generation of a private key and
issuance of the certificate is pretty "noisy". However I agree, some
explanation would be better. Obviously on a CA, this process is
explained at the web site, but as in your scenario, the user isn't
supposed to know a lot about it....There is something to your claim....
<blockquote type="cite"><span class="q">
<pre>Tracking visitors in an unnoticed way over several domains is typically<br>not as easy as this, I believe.<br> </pre></span>
</blockquote>
Well ,well... ;-)
<blockquote type="cite"><span class="q">
<pre>I've actually tested that again and it also works in Firefox 1.5 - and<br>even "better" there, because the certificate installation does not show<br>any dialog at all. </pre></span>
</blockquote>
Right! In 1.5 no "Installation Message" appears, which in 2.0 has been
corrected. I suggest to file a bug with the request to change the
default settings for handling certificate authentication. Please send
the bug number, so we can vote for it...<span class="q"><br>
<br>
<div>-- <br>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, <a href="http://www.startcom.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">StartCom Ltd.</a></td>
</tr>
<tr>
<td>Jabber: </td>
<td><a>startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">Join the Revolution!</a></td>
</tr>
<tr>
<td>Phone: </td>
<td>+1.213.341.0390</td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
</span></div>
<br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">
http://lists.grok.org.uk/full-disclosure-charter.html</a><br>Hosted and sponsored by Secunia - <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://secunia.com/" target="_blank">http://secunia.com/</a><br>
</blockquote></div><br>