Derek Feichtinger wrote:
> Hi, Oscar
>
> The privacy problem is that your certificate is sent to any HTTPS server that
> you access as part of the handshake.
Is this true? If I go to https://www.scientificlinux.org/, I get no
pop-up in Firefox, while visiting GGUS (http://gus.fzk.de/) asks me if I
want to send my certificate (I could still refuse).
>
> I am not concerned at all about losing the private key. The SSL handshake does
> not disclose it, naturally. But the text contained in a certificate is
> already enough to disclose information about you. It contains your name and
> often also your email address. This is information you do not generally want
> to broadcast to every site you visit.
As a matter of fact, our CA's policy (NIKHEF) is *not* to put an e-mail
in the certificate (that is why the signature of this mail cannot be
verified :-( ). The only other exposed information is my home institute.
Not a big deal IMHO. Even the e-mail address is only a limited risk
(spammers find me anyway).
But thinking about and discussing these issues is always a good thing!
Dennis van Dok
--
D.H. van Dok :: Software Engineer :: www.nikhef.nl :: www.vl-e.nl
Phone +31 20 592 50 12 :: Google Agenda on
http://www.nikhef.nl/~dennisvd/
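Added example, not part of the thread above: the question of what a client certificate "broadcasts" comes down to the plaintext attributes in its subject DN. In TLS 1.2 and earlier the client's Certificate message is sent before the session is encrypted, and only when the server's handshake includes a CertificateRequest, which is why a browser prompts on some HTTPS sites and not on others; TLS 1.3 encrypts the client certificate, but the server still reads it. The Python below (standard library only) decodes a DER-encoded X.501 Name and lists which attributes name a person (CN, emailAddress) rather than an institution (C, O, OU). The two sample DNs are constructed for this example; "Example Org", "Example Institute" and "Jane Doe" are placeholders, not real NIKHEF or GGUS certificate contents.

```python
"""Added example: decode the subject DN a client certificate exposes (stdlib only)."""

# Standard attribute-type OIDs found in a typical personal certificate subject.
OID_NAMES = {
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.3": "CN",
    "1.2.840.113549.1.9.1": "emailAddress",
}
# Attributes that identify the person rather than the institution.
PERSONAL = {"CN", "emailAddress"}


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_children(content):
    """Split the content of a SEQUENCE or SET into its child (tag, content) TLVs."""
    children, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        children.append((tag, value))
    return children


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form (e.g. '2.5.4.3')."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends one base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Decode a DER X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, string}."""
    tag, content, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs = []
    for rdn_tag, rdn in read_children(content):
        if rdn_tag != 0x31:
            raise ValueError("RDN must be a SET")
        for _, atv in read_children(rdn):
            (_, oid), (_, text) = read_children(atv)
            dotted = decode_oid(oid)
            attrs.append((OID_NAMES.get(dotted, dotted), text.decode("utf-8")))
    return attrs


def personal_attributes(der):
    """The DN attributes that name the holder, i.e. what a server learns about you."""
    return [(k, v) for k, v in decode_name(der) if k in PERSONAL]


# --- Encoder, used only to construct the sample DNs below --------------------

def tlv(tag, content):
    """Encode one DER TLV with a minimal (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID into its DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += chunk
    return bytes(out)


def encode_name(attrs):
    """Build a DER Name; emailAddress is IA5String, the rest PrintableString."""
    name_to_oid = {v: k for k, v in OID_NAMES.items()}
    rdns = b""
    for k, v in attrs:
        string_tag = 0x16 if k == "emailAddress" else 0x13
        atv = tlv(0x06, encode_oid(name_to_oid[k])) + tlv(string_tag, v.encode("ascii"))
        rdns += tlv(0x31, tlv(0x30, atv))
    return tlv(0x30, rdns)


# Constructed sample DNs (placeholders, not real certificates): one carrying an
# e-mail address, and one issued under a CA policy that leaves the e-mail out.
DN_WITH_EMAIL = encode_name([("C", "NL"), ("O", "Example Org"), ("CN", "Jane Doe"),
                             ("emailAddress", "jane.doe@example.org")])
DN_NO_EMAIL = encode_name([("C", "NL"), ("O", "Example Institute"), ("CN", "Jane Doe")])

if __name__ == "__main__":
    for label, dn in (("with e-mail", DN_WITH_EMAIL), ("without e-mail", DN_NO_EMAIL)):
        print(label, "->", personal_attributes(dn))
```

For a real certificate, `openssl x509 -in cert.pem -noout -subject -nameopt RFC2253` prints the same attributes; the decoder above shows the raw encoding of the Name that the browser ships in the handshake, and `personal_attributes` isolates the part that identifies the holder rather than the institute.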