In association with heise online

19 September 2007, 17:03

User tracking with SSL certificates in Firefox


Security specialist Alexander Klink has described a way to identify PCs remotely by means of a kind of super cookie. At the moment, it seems that PCs can only be detected by this means if Firefox is configured as the default browser. The "cookie" is based on TLS client certificates generated by means of "Signed Public Key and Challenge" (SPKAC), which are saved locally when a specially prepared website is visited.

Normally, these certificates are used for bidirectional TLS/SSL authentication, to convince servers that a client is genuine. However, such certificates are easy to install from just about any server with just about any content and without much user participation. The only thing that Firefox users see is a message reading: "Key generation in progress... This may take a few minutes... Please wait ...". But on fast computers, even this message disappears in less than a second.

Then the following message appears: "Your personal certificate has been installed. You should keep a backup copy of the certificate." Few users will be suspicious about such messages, much less be able to figure out how to delete the newly saved certificate. In cases where no password has been stored in Firefox's password manager, a dialog appears in which a password can be entered for the certificate. But few people will ever see this dialog.

Because in its default configuration Firefox automatically selects the client certificate a server asks for, any server – even one on another domain – can request the certificate and thereby recognize the computer whenever it is visited. It also emerges from a discussion that even users concerned enough about security to use the Tor anonymisation network are affected, in so far as the websites they visit can be traced. Privoxy reportedly does not provide protection against these supercookies either.

Although Klink first thought otherwise, such cookies apparently work in both Firefox 2.0 and Firefox 1.5 (under both Windows and Linux). The report states that other browsers are not affected by the problem. Opera and Konqueror open a number of dialogs that should make users suspicious, while Internet Explorer does not support SPKAC. The author did not manage to transfer a certificate using Safari. An online demo illustrates the problem: Firefox 2.0.x TLS client certificate tracking POC. Although a name does have to be entered in the demo, JavaScript could perform that task automatically in a real tracking scenario. The only workaround at present is to set the option "Always prompt" under "Settings/advanced/encryption/certificates". Users are then at least presented with a dialog asking whether a server should be allowed to check a certificate, which they can decline.
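The article names the mitigation only as a UI option, so here is a small added check, not from the article or from Klink, that audits a Firefox profile's prefs.js or user.js for it. It assumes the underlying preference name and values, `security.default_personal_cert` set to "Ask Every Time" versus the built-in default "Select Automatically", which the article itself does not name; the sample profile contents are constructed.

```python
import re

# Assumption: Firefox stores the "Always prompt" choice in this preference; the
# article only describes the dialog setting, not the preference name.
PREF_NAME = "security.default_personal_cert"
SAFE_VALUE = "Ask Every Time"           # the "Always prompt" option
DEFAULT_VALUE = "Select Automatically"  # Firefox default, which enables the tracking

# Matches both user_pref("name", value); and pref("name", value); lines.
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')


def parse_prefs(text):
    """Map preference name -> raw value (string quotes stripped) from prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs


def effective_cert_selection(text):
    """Value Firefox will act on: the explicit setting if present, else the default."""
    return parse_prefs(text).get(PREF_NAME, DEFAULT_VALUE)


def prompts_before_sending_cert(text):
    """True only if the profile is set to ask the user before presenting a client cert."""
    return effective_cert_selection(text) == SAFE_VALUE


def hardening_line():
    """user.js line that switches the profile to the 'Always prompt' behaviour."""
    return 'user_pref("%s", "%s");' % (PREF_NAME, SAFE_VALUE)


# Constructed sample: a profile that has never touched the setting (at risk).
PROFILE_DEFAULT = """# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.cookieBehavior", 1);
"""
# Same profile with the mitigation appended.
PROFILE_HARDENED = PROFILE_DEFAULT + hardening_line() + "\n"

if __name__ == "__main__":
    for name, prof in (("default", PROFILE_DEFAULT), ("hardened", PROFILE_HARDENED)):
        state = "OK" if prompts_before_sending_cert(prof) else "AT RISK"
        print("%-8s %-20s %s" % (name, effective_cert_selection(prof), state))
```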
