User tracking with SSL certificates in Firefox
Security specialist Alexander Klink has described a way to identify PCs remotely by means of a kind of super cookie. So far the technique appears to work only against Firefox (the 2.0.x series is affected). The "cookie" is a TLS client certificate: when a specially prepared website is visited, the browser generates a key pair and a Signed Public Key and Challenge (SPKAC), and the certificate the site issues for that key is stored locally.
Normally, such certificates are used for mutual TLS/SSL authentication, so that the client can prove its identity to the server. Yet almost any server can have one installed, with almost any content and with hardly any user involvement. All Firefox users see is the message "Key generation in progress... This may take a few minutes... Please wait ...", and on fast computers even that disappears in under a second.
Then the following message appears: "Your personal certificate has been installed. You should keep a backup copy of the certificate." Few users will be suspicious of such a message, let alone know how to find and delete the newly stored certificate. Only if no password has yet been saved in Firefox's password manager, so that its key store has never been initialised, does a dialog appear asking for a password to protect the certificate. Few people will ever see this dialog.
Because Firefox in its default configuration ("Select Automatically") presents a matching client certificate whenever a server requests one, any server, even one on a different domain, can request the certificate and thereby recognise the computer on every visit. A discussion on the topic shows that even users who go to the trouble of using the Tor anonymisation network are affected, insofar as the websites they visit can be linked to the same visitor. Privoxy reportedly offers no protection against these super cookies either, since the certificate is exchanged inside the TLS handshake rather than in HTTP. Switching the certificate selection to "Ask Every Time" (the security.default_personal_cert preference) and deleting the unwanted certificate in the certificate manager closes the hole.
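The server side of the first step, as an added example that is not code from Klink's advisory or proof of concept: a Python script that decodes the SPKAC blob a Firefox <keygen> form submits, checks that the challenge matches the one the page issued, and derives the identifier a tracking site would store. The modulus, exponent, challenge and signature bytes are constructed dummy values; signature verification is deliberately left out because a tracker needs only the public key, not proof that the browser holds the private key; and the issuing step (signing the key into a certificate and serving it as application/x-x509-user-cert) is outside this script.

```python
"""Server-side handling of a <keygen> submission (SPKAC).

Added example, not code from Klink's advisory or proof of concept.
Key, challenge and signature bytes below are constructed dummy values.
"""
import base64
import hashlib

# DER tags and OIDs needed for a SignedPublicKeyAndChallenge
SEQUENCE, BIT_STRING, IA5STRING, OID, NULL, INTEGER = 0x30, 0x03, 0x16, 0x06, 0x05, 0x02
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MD5_WITH_RSA = bytes.fromhex("2a864886f70d010104")    # 1.2.840.113549.1.1.4 (used by keygen)


def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_int(value):
    """Positive INTEGER content: minimal big-endian, 0x00-padded if the top bit is set."""
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def der_read(buf, pos=0):
    """Return (tag, content, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def der_children(content):
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = der_read(content, pos)
        out.append((tag, body, content[pos:end]))
        pos = end
    return out


def build_spkac(modulus, exponent, challenge, signature):
    """Encode SignedPublicKeyAndChallenge as a <keygen> element submits it:
    SEQUENCE { SEQUENCE { SubjectPublicKeyInfo, IA5String challenge },
               AlgorithmIdentifier, BIT STRING signature }, then base64.
    The signature is taken as given (dummy bytes in this example)."""
    rsa_pub = der(SEQUENCE, der(INTEGER, der_int(modulus)) + der(INTEGER, der_int(exponent)))
    spki = der(SEQUENCE,
               der(SEQUENCE, der(OID, RSA_ENCRYPTION) + der(NULL, b""))
               + der(BIT_STRING, b"\x00" + rsa_pub))
    pkac = der(SEQUENCE, spki + der(IA5STRING, challenge.encode("ascii")))
    sig_alg = der(SEQUENCE, der(OID, MD5_WITH_RSA) + der(NULL, b""))
    spkac = der(SEQUENCE, pkac + sig_alg + der(BIT_STRING, b"\x00" + signature))
    return base64.b64encode(spkac).decode("ascii")


def parse_spkac(spkac_b64):
    """Decode a SPKAC; return (spki_der, challenge, signature_algorithm_oid)."""
    raw = base64.b64decode(spkac_b64)
    tag, body, end = der_read(raw)
    if tag != SEQUENCE or end != len(raw):
        raise ValueError("not a single DER SEQUENCE")
    pkac, sig_alg, sig = der_children(body)
    spki, chal = der_children(pkac[1])
    expected = (SEQUENCE, SEQUENCE, BIT_STRING, SEQUENCE, IA5STRING)
    if (pkac[0], sig_alg[0], sig[0], spki[0], chal[0]) != expected:
        raise ValueError("malformed SPKAC")
    return spki[2], chal[1].decode("ascii"), der_children(sig_alg[1])[0][1]


def visitor_id(spki_der):
    """Stable tracking identifier: SHA-256 over the SubjectPublicKeyInfo.
    The issued certificate carries these exact bytes, so any TLS server that
    later requests a client certificate can recompute the same value."""
    return hashlib.sha256(spki_der).hexdigest()


def register_visitor(spkac_b64, issued_challenge):
    """What the tracking site does with the form POST: bind the submitted key
    to the session that issued the challenge and return the identifier.
    Signature verification is skipped on purpose; a tracker needs only the
    public key, not proof that the browser holds the private key."""
    spki_der, challenge, _alg = parse_spkac(spkac_b64)
    if challenge != issued_challenge:
        raise ValueError("challenge mismatch: submission belongs to another session")
    # Next step (not shown): sign spki_der into an X.509 certificate and return
    # it as Content-Type: application/x-x509-user-cert; Firefox 2 installs it.
    return visitor_id(spki_der)


# Constructed dummy key; a real submission carries a 1024- or 2048-bit modulus.
DUMMY_MODULUS = 0xC0FFEE1234567891ABCDEF
DUMMY_EXPONENT = 65537
DUMMY_SIGNATURE = bytes(16)

if __name__ == "__main__":
    blob = build_spkac(DUMMY_MODULUS, DUMMY_EXPONENT, "session-7f3a", DUMMY_SIGNATURE)
    print("visitor", register_visitor(blob, "session-7f3a"))
```

The identifier survives across domains and sessions because it is a function of the key alone; the challenge only ties a given POST to the page that produced it. A real CA would additionally verify the signature with `openssl spkac -verify` before issuing anything.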
- Firefox 2.0.x: tracking unsuspecting users using TLS client certificates, Alexander Klink's security advisory
- Firefox 2.0.x TLS client certificate tracking POC, demo of super cookie