Does a client certificate identify the owner to unrelated websites?
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
tls certificates privacy web-browser web
edited Dec 12 '18 at 7:11
Gilles
39k1194147
asked Dec 10 '18 at 22:37
user13097user13097
37135
add a comment |
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
tls certificates privacy web-browser web
edited Dec 12 '18 at 7:11
Gilles
39k1194147
asked Dec 10 '18 at 22:37
user13097user13097
37135
add a comment |
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
tls certificates privacy web-browser web
edited Dec 12 '18 at 7:11
Gilles
39k1194147
asked Dec 10 '18 at 22:37
user13097user13097
37135
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
tls certificates privacy web-browser web
tls certificates privacy web-browser web
edited Dec 12 '18 at 7:11
Gilles
39k1194147
asked Dec 10 '18 at 22:37
user13097user13097
37135
edited Dec 12 '18 at 7:11
Gilles
39k1194147
asked Dec 10 '18 at 22:37
user13097user13097
37135
edited Dec 12 '18 at 7:11
Gilles
39k1194147
edited Dec 12 '18 at 7:11
Gilles
39k1194147
edited Dec 12 '18 at 7:11
Gilles
39k1194147
39k1194147
asked Dec 10 '18 at 22:37
user13097user13097
37135
asked Dec 10 '18 at 22:37
user13097user13097
37135
asked Dec 10 '18 at 22:37
user13097user13097
37135
37135
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.
Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.
Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
edited Dec 11 '18 at 20:10
guntbert
1,063817
answered Dec 10 '18 at 23:26
Mike OunsworthMike Ounsworth
40k1594141
9
I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
– John Wu
Dec 11 '18 at 2:38
@JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
– Mike Ounsworth
Dec 11 '18 at 2:45
2
Is there anything analogous to the GPO setting for Chrome on Mac OS?
– Barmar
Dec 11 '18 at 16:18
1
... and / or would request a CA DN of a different website if it's looking to harvest specific information.
– Mike Ounsworth
Dec 11 '18 at 18:30
1
@MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
– Andy Brown
Dec 12 '18 at 9:00
|
show 2 more comments
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199515%2fdoes-a-client-certificate-identify-the-owner-to-unrelated-websites%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.
Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.
Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
edited Dec 11 '18 at 20:10
guntbert
1,063817
answered Dec 10 '18 at 23:26
Mike OunsworthMike Ounsworth
40k1594141
9
I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
– John Wu
Dec 11 '18 at 2:38
@JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
– Mike Ounsworth
Dec 11 '18 at 2:45
2
Is there anything analogous to the GPO setting for Chrome on Mac OS?
– Barmar
Dec 11 '18 at 16:18
1
... and / or would request a CA DN of a different website if it's looking to harvest specific information.
– Mike Ounsworth
Dec 11 '18 at 18:30
1
@MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
– Andy Brown
Dec 12 '18 at 9:00
|
show 2 more comments
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.
Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.
Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
edited Dec 11 '18 at 20:10
guntbert
1,063817
answered Dec 10 '18 at 23:26
Mike OunsworthMike Ounsworth
40k1594141
9
I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
– John Wu
Dec 11 '18 at 2:38
@JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
– Mike Ounsworth
Dec 11 '18 at 2:45
2
Is there anything analogous to the GPO setting for Chrome on Mac OS?
– Barmar
Dec 11 '18 at 16:18
1
... and / or would request a CA DN of a different website if it's looking to harvest specific information.
– Mike Ounsworth
Dec 11 '18 at 18:30
1
@MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
– Andy Brown
Dec 12 '18 at 9:00
|
show 2 more comments
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.
Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.
Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
edited Dec 11 '18 at 20:10
guntbert
1,063817
answered Dec 10 '18 at 23:26
Mike OunsworthMike Ounsworth
40k1594141
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.
Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.
Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
edited Dec 11 '18 at 20:10
guntbert
1,063817
answered Dec 10 '18 at 23:26
Mike OunsworthMike Ounsworth
40k1594141
edited Dec 11 '18 at 20:10
guntbert
1,063817
edited Dec 11 '18 at 20:10
guntbert
1,063817
edited Dec 11 '18 at 20:10
guntbert
1,063817
1,063817
answered Dec 10 '18 at 23:26
Mike OunsworthMike Ounsworth
40k1594141
answered Dec 10 '18 at 23:26
Mike OunsworthMike Ounsworth
40k1594141
answered Dec 10 '18 at 23:26
Mike OunsworthMike Ounsworth
40k1594141
40k1594141
9
I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
– John Wu
Dec 11 '18 at 2:38
@JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
– Mike Ounsworth
Dec 11 '18 at 2:45
2
Is there anything analogous to the GPO setting for Chrome on Mac OS?
– Barmar
Dec 11 '18 at 16:18
1
... and / or would request a CA DN of a different website if it's looking to harvest specific information.
– Mike Ounsworth
Dec 11 '18 at 18:30
1
@MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
– Andy Brown
Dec 12 '18 at 9:00
|
show 2 more comments
9
I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
– John Wu
Dec 11 '18 at 2:38
@JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
– Mike Ounsworth
Dec 11 '18 at 2:45
2
Is there anything analogous to the GPO setting for Chrome on Mac OS?
– Barmar
Dec 11 '18 at 16:18
1
... and / or would request a CA DN of a different website if it's looking to harvest specific information.
– Mike Ounsworth
Dec 11 '18 at 18:30
1
@MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
– Andy Brown
Dec 12 '18 at 9:00
9
9
I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
– John Wu
Dec 11 '18 at 2:38
I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
– John Wu
Dec 11 '18 at 2:38
@JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
– Mike Ounsworth
Dec 11 '18 at 2:45
@JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
– Mike Ounsworth
Dec 11 '18 at 2:45
2
2
Is there anything analogous to the GPO setting for Chrome on Mac OS?
– Barmar
Dec 11 '18 at 16:18
Is there anything analogous to the GPO setting for Chrome on Mac OS?
– Barmar
Dec 11 '18 at 16:18
1
1
... and / or would request a CA DN of a different website if it's looking to harvest specific information.
– Mike Ounsworth
Dec 11 '18 at 18:30
... and / or would request a CA DN of a different website if it's looking to harvest specific information.
– Mike Ounsworth
Dec 11 '18 at 18:30
1
1
@MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
– Andy Brown
Dec 12 '18 at 9:00
@MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
– Andy Brown
Dec 12 '18 at 9:00
|
show 2 more comments
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199515%2fdoes-a-client-certificate-identify-the-owner-to-unrelated-websites%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
