privacy considerations: can a nosy https: site probe user identity without explicit permission?

On 11 Feb 2011, at 13:50, Dan Brickley wrote:

> Hi folks
> Anyone got a sense of the landscape of default browser behaviours here?
> Assume I have set myself up for WebID, and am browsing around the Web
> (which includes more and more SSL-by-default sites).
> Some of these sites I might want to keep my identity private from.
> Are there common browser configurations where the default allows such
> sites to probe their otherwise-anonymous users, and ask the browser
> for a certificate *without any GUI prompt*? (eg. if I only had one
> identity in browser, so no need for a pick-list...)

Good question, and it would fit under ISSUE-14: "WebID and Browsers" 
as something to look into.

That would be a bug for sure. Browsers should in my view ask the user which certificate to send and if he wants to even if there is only one. Browsers should in fact make it plain what certificate is used in a session.

There is I think a bug in Safari (at least on OSX). If you send a certificate once to a site, Safari will always send it. Test it and file a bug report if it's still there. That is a security issue I reported, but I am not sure how responsive they are.

But I have not seen a browser that never asks you for your cert. 
(Well one should do checks on each browser and see what happens if you have only one certificate)


> Thanks for any info,
> cheers,
> Dan
> _______________________________________________
> foaf-protocols mailing list

Social Web Architect

Received on Friday, 11 February 2011 13:27:03 UTC