Does a client certificate identify the owner to unrelated websites?











up vote
56
down vote

favorite
14












If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?



I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).



This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.










share|improve this question









New contributor




user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
























    up vote
    56
    down vote

    favorite
    14












    If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?



    I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).



    This is related to: Protecting information in TLS client certificates
    But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.










    share|improve this question









    New contributor




    user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.






















      up vote
      56
      down vote

      favorite
      14









      up vote
      56
      down vote

      favorite
      14






      14





      If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?



      I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).



      This is related to: Protecting information in TLS client certificates
      But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.










      share|improve this question









      New contributor




      user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?



      I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).



      This is related to: Protecting information in TLS client certificates
      But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.







      tls certificates privacy web-browser web






      share|improve this question









      New contributor




      user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited Dec 12 at 7:11









      Gilles

      38k1091145




      38k1091145






      New contributor




      user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked Dec 10 at 22:37









      user13097

      36625




      36625




      New contributor




      user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          67
          down vote













          Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!



          (Skip to the bottom for a summary)



          Investigation



          Testing on Firefox



          Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.



          I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:



          Wireshark packet capture of a mutual-auth TLS handshake from Firefox



          Things to note:



          The client sends a generic ClientHello.



          The server sends a ServerHello that includes the server cert, and a request for a client cert.



          At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)



          Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".



          Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:



          Firefox default setting for whether to prompt you for a certificate or to select one for you



          Testing on Chrome



          Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)



          BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.



          Wireshark packet capture of a mutual-auth TLS handshake from Chrome



          Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.



          Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.



          Summary



          In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.



          Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.








          share|improve this answer



















          • 8




            I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
            – John Wu
            Dec 11 at 2:38












          • @JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
            – Mike Ounsworth
            Dec 11 at 2:45






          • 2




            Is there anything analogous to the GPO setting for Chrome on Mac OS?
            – Barmar
            Dec 11 at 16:18






          • 1




            ... and / or would request a CA DN of a different website if it's looking to harvest specific information.
            – Mike Ounsworth
            Dec 11 at 18:30






          • 1




            @MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
            – Andy Brown
            Dec 12 at 9:00











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "162"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          user13097 is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199515%2fdoes-a-client-certificate-identify-the-owner-to-unrelated-websites%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          67
          down vote













          Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!



          (Skip to the bottom for a summary)



          Investigation



          Testing on Firefox



          Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.



          I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:



          Wireshark packet capture of a mutual-auth TLS handshake from Firefox



          Things to note:



          The client sends a generic ClientHello.



          The server sends a ServerHello that includes the server cert, and a request for a client cert.



          At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)



          Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".



          Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:



          Firefox default setting for whether to prompt you for a certificate or to select one for you



          Testing on Chrome



          Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)



          BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.



          Wireshark packet capture of a mutual-auth TLS handshake from Chrome



          Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.



          Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.



          Summary



          In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.



          Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.








          share|improve this answer



















          • 8




            I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
            – John Wu
            Dec 11 at 2:38












          • @JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
            – Mike Ounsworth
            Dec 11 at 2:45






          • 2




            Is there anything analogous to the GPO setting for Chrome on Mac OS?
            – Barmar
            Dec 11 at 16:18






          • 1




            ... and / or would request a CA DN of a different website if it's looking to harvest specific information.
            – Mike Ounsworth
            Dec 11 at 18:30






          • 1




            @MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
            – Andy Brown
            Dec 12 at 9:00















          up vote
          67
          down vote













          Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!



          (Skip to the bottom for a summary)



          Investigation



          Testing on Firefox



          Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.



          I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:



          Wireshark packet capture of a mutual-auth TLS handshake from Firefox



          Things to note:



          The client sends a generic ClientHello.



          The server sends a ServerHello that includes the server cert, and a request for a client cert.



          At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)



          Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".



          Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:



          Firefox default setting for whether to prompt you for a certificate or to select one for you



          Testing on Chrome



          Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)



          BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.



          Wireshark packet capture of a mutual-auth TLS handshake from Chrome



          Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.



          Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.



          Summary



          In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.



          Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.








          share|improve this answer



















          • 8




            I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
            – John Wu
            Dec 11 at 2:38












          • @JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
            – Mike Ounsworth
            Dec 11 at 2:45






          • 2




            Is there anything analogous to the GPO setting for Chrome on Mac OS?
            – Barmar
            Dec 11 at 16:18






          • 1




            ... and / or would request a CA DN of a different website if it's looking to harvest specific information.
            – Mike Ounsworth
            Dec 11 at 18:30






          • 1




            @MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
            – Andy Brown
            Dec 12 at 9:00













          up vote
          67
          down vote










          up vote
          67
          down vote









          Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!



          (Skip to the bottom for a summary)



          Investigation



          Testing on Firefox



          Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.



          I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:



          Wireshark packet capture of a mutual-auth TLS handshake from Firefox



          Things to note:



          The client sends a generic ClientHello.



          The server sends a ServerHello that includes the server cert, and a request for a client cert.



          At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)



          Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".



          Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:



          Firefox default setting for whether to prompt you for a certificate or to select one for you



          Testing on Chrome



          Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)



          BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.



          Wireshark packet capture of a mutual-auth TLS handshake from Chrome



          Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.



          Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.



          Summary



          In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.



          Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.








          share|improve this answer














          Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!



          (Skip to the bottom for a summary)



          Investigation



          Testing on Firefox



          Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.



          I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:



          Wireshark packet capture of a mutual-auth TLS handshake from Firefox



          Things to note:



          The client sends a generic ClientHello.



          The server sends a ServerHello that includes the server cert, and a request for a client cert.



          At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)



          Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".



          Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:



          Firefox default setting for whether to prompt you for a certificate or to select one for you



          Testing on Chrome



          Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)



          BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.



          Wireshark packet capture of a mutual-auth TLS handshake from Chrome



          Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.



          Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.



          Summary



          In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.



          Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.









          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Dec 11 at 20:10









          guntbert

          1,036817




          1,036817










          answered Dec 10 at 23:26









          Mike Ounsworth

          38.6k1493137




          38.6k1493137








          • 8




            I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
            – John Wu
            Dec 11 at 2:38












          • @JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
            – Mike Ounsworth
            Dec 11 at 2:45






          • 2




            Is there anything analogous to the GPO setting for Chrome on Mac OS?
            – Barmar
            Dec 11 at 16:18






          • 1




            ... and / or would request a CA DN of a different website if it's looking to harvest specific information.
            – Mike Ounsworth
            Dec 11 at 18:30






          • 1




            @MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
            – Andy Brown
            Dec 12 at 9:00














          • 8




            I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
            – John Wu
            Dec 11 at 2:38












          • @JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
            – Mike Ounsworth
            Dec 11 at 2:45






          • 2




            Is there anything analogous to the GPO setting for Chrome on Mac OS?
            – Barmar
            Dec 11 at 16:18






          • 1




            ... and / or would request a CA DN of a different website if it's looking to harvest specific information.
            – Mike Ounsworth
            Dec 11 at 18:30






          • 1




            @MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
            – Andy Brown
            Dec 12 at 9:00








          8




          8




          I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
          – John Wu
          Dec 11 at 2:38






          I cannot reproduce these results. It's important to note that both browsers have changeable settings that can force the dialog to appear or suppress it altogether (Firefox is set via its UI, Chrome can be set via GPO).
          – John Wu
          Dec 11 at 2:38














          @JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
          – Mike Ounsworth
          Dec 11 at 2:45




          @JohnWu Ah, good point: I assume you mean the Firefox option "Certificates > [ ] Select one automatically, [ ] Ask me every time"? I'm fairly certain (though not 100%) that my testing browsers have all the defaults. Good point though.
          – Mike Ounsworth
          Dec 11 at 2:45




          2




          2




          Is there anything analogous to the GPO setting for Chrome on Mac OS?
          – Barmar
          Dec 11 at 16:18




          Is there anything analogous to the GPO setting for Chrome on Mac OS?
          – Barmar
          Dec 11 at 16:18




          1




          1




          ... and / or would request a CA DN of a different website if it's looking to harvest specific information.
          – Mike Ounsworth
          Dec 11 at 18:30




          ... and / or would request a CA DN of a different website if it's looking to harvest specific information.
          – Mike Ounsworth
          Dec 11 at 18:30




          1




          1




          @MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
          – Andy Brown
          Dec 12 at 9:00




          @MikeOunsworth yes... the privacy issue is real and Chrome IMHO is very much doing the wrong thing by default here. A malicious site could accept CAs known to issue client certs and harvest any info encoded into the public client certificate. BTW 'websites' are irrelevant for client certs - there is no matching done against, for example, the CN component as there is for certs issued for website validation.
          – Andy Brown
          Dec 12 at 9:00










          user13097 is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          user13097 is a new contributor. Be nice, and check out our Code of Conduct.













          user13097 is a new contributor. Be nice, and check out our Code of Conduct.












          user13097 is a new contributor. Be nice, and check out our Code of Conduct.
















          Thanks for contributing an answer to Information Security Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199515%2fdoes-a-client-certificate-identify-the-owner-to-unrelated-websites%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          數位音樂下載

          格利澤436b

          When can things happen in Etherscan, such as the picture below?