Hi Derek,
Most https servers don't have such a configuration at all. I think the
exposure is very limited. It is there and I think you're definitely right
that users should be informed so they know and understand this.
All main-stream browsers can be setup to either ask nothing or
continuously ask for permission to unlock the vault for a moment (or
longer). On our CA's site we have a warning about this issue. It
especially warns the IE users to elevate the default security settings
up a notch when their certificate is loaded into the vault.
I don't know how Safari and Konqueror handle this by default, but last
time I checked Mozilla asks for that master password for every session.
This information should indeed be propagated to all users (and admins).
cheers,
Oscar
Derek Feichtinger wrote:
> Hi,
>
> Sorry, but all of this does not really touch the problem. Anybody who
> configures his apache https server and requests any kind of client cert
> authentication with
>
> SSLVerifyClient optional_no_ca
> (or similar)
>
> gets the client certificate in the handshake. So, he has access to your name
> and email address. Not many webservers do this yet, because client
> authentication is rare. But that is no reason to not close down this source
> of unwanted information. There are lots of efforts by people on the net to
> track users. Setting up a https server with cert authentication required is a
> comparatively trivial task, so it will certainly be done.
>
>> Anyway Firefox and Konqueror (and I hope IE too) can be configured so
>> they ask the user through a pop-up if he accepts sending his
>> certificate.
>
> This is exactly what I was alluding to in my initial mail. Users should be
> informed that they should configure their browsers in this way, or they will
> possibly leak out personal information.
>
> Cheers,
> Derek
>
>
> On Friday 30 March 2007 15:16, Kyriakos Ginis wrote:
>> On Fri, Mar 30, 2007 at 02:47:59PM +0200, Dennis van Dok wrote:
>>> Derek Feichtinger wrote:
>>>> Hi, Oscar
>>>>
>>>> The privacy problem is that your certificate is sent to any HTTPS server
>>>> that you access as part of the handshake.
>>> Is this true? If I go to https://www.scientificlinux.org/, I get no
>>> pop-up in firefox, while visiting GGUS (http://gus.fzk.de/) asks me if I
>>> want to send my certificate (I could still refuse).
>> I believe it is not true. The client sends its certificate only if
>> requested by the server, when there is the need of mutual
>> authentication. This is proved by a simple test like what you did. Also,
>> I quote RFC4346 (The TLS Protocol, Version 1.1). I highlight the
>> interesting words:
>>
>> ------------------------ cut here ---------------------
>> 7.4.4. Certificate request
>>
>>
>> When this message will be sent:
>>
>> A non-anonymous server can *optionally* request a certificate from
>> the client, if it is appropriate for the selected cipher suite.
>>
>> [snip]
>>
>> 7.4.6. Client certificate
>>
>>
>> When this message will be sent:
>>
>> This is the first message the client can send after receiving a
>> server hello done message. This message is *only sent if the
>> server requests a certificate*.
>> ------------------------ cut here ---------------------
>>
>> SSL v2.0 and v3.0 specs are similar.
>>
>> Anyway Firefox and Konqueror (and I hope IE too) can be configured so
>> they ask the user through a pop-up if he accepts sending his
>> certificate.
>
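The whole exchange above turns on one handshake message: per the RFC text Kyriakos quotes, the browser only sends its certificate after the server's CertificateRequest, and an empty certificate_authorities list in that message means the client MAY send a certificate from any issuer (RFC 4346 section 7.4.4), which is what a server that does not insist on a particular CA puts on the wire. The script below is an added example for this thread, not code from Derek, Oscar or any other participant. It parses a TLS 1.0-1.2 server flight for that message and, as a separate network function, probes a live server the way one would check one's own Apache host. All sample flights in it are constructed (not captures), the CA name in the TLS 1.2 sample is a placeholder DER blob, and the probe's host name, cipher suites and extensions are my choices. It does not model Apache's `SSLVerifyClient` semantics, only what such a server sends.

```python
"""Does this HTTPS server ask for a client certificate?  Parse a TLS 1.0-1.2
server flight for the CertificateRequest message (RFC 4346 section 7.4.4).
Added illustration for this thread, not code from any participant."""
import os
import socket
import struct

HANDSHAKE = 22                                   # record content type
SERVER_HELLO, CERTIFICATE = 2, 11                # handshake message types
CERTIFICATE_REQUEST, SERVER_HELLO_DONE = 13, 14
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}

def iter_handshake_messages(flight: bytes):
    """Yield (type, body) for each handshake message in a run of TLS records;
    fragments are joined first because a message may span records."""
    buf, off = b"", 0
    while off + 5 <= len(flight):
        ctype, _ver, length = struct.unpack("!BHH", flight[off:off + 5])
        off += 5
        if ctype == HANDSHAKE:
            buf += flight[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(buf):
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        yield buf[pos], buf[pos + 4:pos + 4 + length]
        pos += 4 + length

def parse_certificate_request(body: bytes, tls12: bool):
    """Return (certificate_types, certificate_authorities).  TLS 1.2 inserts a
    supported_signature_algorithms vector before the CA list (skipped here);
    CA names are returned as raw DER DistinguishedName blobs."""
    n = body[0]
    types = [CLIENT_CERT_TYPES.get(t, str(t)) for t in body[1:1 + n]]
    pos = 1 + n
    if tls12:
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos, ca_names = pos + 2, []
    while pos + 2 <= end:
        ln = int.from_bytes(body[pos:pos + 2], "big")
        ca_names.append(body[pos + 2:pos + 2 + ln])
        pos += 2 + ln
    return types, ca_names

def client_cert_requested(flight: bytes):
    """None when no CertificateRequest was sent (the browser keeps its cert);
    otherwise what was asked for.  An empty CA list means the client MAY
    answer with a certificate from any issuer (RFC 4346 7.4.4)."""
    version = (3, 1)
    for msg_type, body in iter_handshake_messages(flight):
        if msg_type == SERVER_HELLO:
            version = (body[0], body[1])
        elif msg_type == CERTIFICATE_REQUEST:
            types, cas = parse_certificate_request(body, version >= (3, 3))
            return {"cert_types": types, "ca_names": cas, "any_issuer": not cas}
    return None

def handshake_msg(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def record(payload: bytes, version: bytes = b"\x03\x01") -> bytes:
    return bytes([HANDSHAKE]) + version + len(payload).to_bytes(2, "big") + payload

# Constructed sample flights (not captures).  Certificate carries an empty
# list as a placeholder; the TLS 1.2 CA name is a two-byte placeholder DN.
_HELLO10 = handshake_msg(SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00\x00\x2f\x00")
_HELLO12 = handshake_msg(SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00\xc0\x2f\x00")
_CERT, _DONE = handshake_msg(CERTIFICATE, b"\x00\x00\x00"), handshake_msg(SERVER_HELLO_DONE, b"")
_REQ_ANY = handshake_msg(CERTIFICATE_REQUEST, b"\x01\x01" + b"\x00\x00")  # rsa_sign, any CA
_REQ12 = handshake_msg(CERTIFICATE_REQUEST,          # rsa_sign+ecdsa_sign, rsa/sha256, one DN
                       b"\x02\x01\x40" + b"\x00\x02\x04\x01" + b"\x00\x04\x00\x02\x30\x00")
FLIGHT_NO_REQUEST = record(_HELLO10 + _CERT + _DONE)
FLIGHT_ANY_ISSUER = record(_HELLO10 + _CERT + _REQ_ANY + _DONE)
FLIGHT_SPLIT = record(_HELLO10 + _CERT[:2]) + record(_CERT[2:] + _REQ_ANY + _DONE)
FLIGHT_TLS12 = record(_HELLO12 + _CERT + _REQ12 + _DONE, b"\x03\x03")

def build_client_hello(host: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with SNI.  No supported_versions extension is
    offered, so the server cannot pick TLS 1.3, where CertificateRequest is
    encrypted and this probe could not see it."""
    def vec(data: bytes, size: int) -> bytes:
        return len(data).to_bytes(size, "big") + data
    exts = (b"\x00\x00" + vec(vec(b"\x00" + vec(host.encode(), 2), 2), 2)  # server_name
            + b"\x00\x0a" + vec(vec(b"\x00\x17\x00\x1d", 2), 2)           # secp256r1, x25519
            + b"\x00\x0d" + vec(vec(b"\x04\x01\x04\x03\x08\x04", 2), 2))  # sha256 sigalgs
    suites = b"\xc0\x2f\xc0\x2b\x00\x2f\x00\x35"
    body = (b"\x03\x03" + os.urandom(32) + vec(b"", 1) + vec(suites, 2)
            + vec(b"\x00", 1) + vec(exts, 2))
    return record(handshake_msg(1, body))

def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live check against a server you own; not used by the offline samples."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(host))
        flight = b""
        while SERVER_HELLO_DONE not in [t for t, _ in iter_handshake_messages(flight)]:
            chunk = s.recv(16384)
            if not chunk:            # server closed (e.g. after a fatal alert)
                break
            flight += chunk
    return client_cert_requested(flight)
```

`probe("your.host.example")` returns None for the common case Oscar describes and a dict with `any_issuer` set when the server asks for a certificate without naming acceptable CAs. The equivalent manual check is `openssl s_client -connect host:443`, whose output ends with either "Acceptable client certificate CA names" followed by the list, or "No client certificate CA names sent". Both checks only see the request in the clear on TLS 1.2 and below; a TLS 1.3 server sends CertificateRequest encrypted, so for such a server use the `ssl` module or `s_client` with a real client certificate loaded and watch whether it is sent.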