Does a client certificate identify the owner to unrelated websites?
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?



I once visited an SSL diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).



This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
  • I can't reproduce this behaviour (see below). Can you add more details about your setup? In particular, which browser you're using?
    – Mike Ounsworth
    4 hours ago

asked 5 hours ago by user13097 (edited 5 hours ago)
1 Answer
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!



(Skip to the bottom for a summary)



Investigation



Testing on Firefox



Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.



I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the Wireshark packet capture up to that point:



[Image: Wireshark packet capture of a mutual-auth TLS handshake from Firefox]



Things to note:

  • The client sends a generic ClientHello.

  • The server sends a ServerHello that includes the server cert, and a request for a client cert.

  • At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, i.e. nothing is sent to the server beyond the generic ClientHello, which contains no personally identifiable information (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using).



Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".



Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:



[Image: Firefox default setting for whether to prompt you for a certificate or to select one for you]



Testing on Chrome



Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)



BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server because that cert was for a different website. Yup, that's a privacy concern alright.



[Image: Wireshark packet capture of a mutual-auth TLS handshake from Chrome]



Note1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.



Note2: the reproducibility of this may depend on how your Windows OS was configured since Chrome tends to inherit a lot of its security settings from IE.



Summary



In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.



Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
  • Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
    – schroeder
    4 hours ago

  • On it! Hold tight! More edits incoming.
    – Mike Ounsworth
    4 hours ago

  • @schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
    – Mike Ounsworth
    4 hours ago
  • Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
    – schroeder
    4 hours ago
  • @schroeder heh, sadly no to all. It is however, time to make dinner :P
    – Mike Ounsworth
    4 hours ago

answered 4 hours ago by Mike Ounsworth (edited 10 mins ago)
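The experiment in the answer above, replayed in-process with Go's TLS stack standing in for the browser (an added example, not part of Mike Ounsworth's answer or the question): a server that merely requests a client certificate, as an unrelated site might, reads the subject name straight out of whatever the client sends, while a client that honours the CA list in the CertificateRequest sends nothing when its cert was issued elsewhere. The certificates, the names unrelated.example and Alice Example, and the loopback listener are all constructed test fixtures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustSelfSigned mints a throwaway self-signed certificate (constructed test data, not a
// real identity). It stands in for the unrelated site's cert and for the user's client cert.
func mustSelfSigned(cn string, dns []string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: we just produced these bytes
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// learnedByServer runs one handshake over loopback TCP with Go's client in the browser role
// and returns the subject CN of any client cert the server received ("" if none arrived).
func learnedByServer(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	serve := func() (string, error) {
		raw, err := ln.Accept()
		if err != nil {
			return "", err
		}
		srv := tls.Server(raw, serverCfg)
		defer srv.Close()
		if err := srv.Handshake(); err != nil {
			return "", err
		}
		// Everything an unrelated site now knows about the user comes from here.
		if peers := srv.ConnectionState().PeerCertificates; len(peers) > 0 {
			return peers[0].Subject.CommonName, nil
		}
		return "", nil
	}
	cnCh, errCh := make(chan string, 1), make(chan error, 1)
	go func() {
		cn, err := serve()
		cnCh <- cn
		errCh <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer cli.Close()
	return <-cnCh, <-errCh
}

// RunExperiment replays the post's test in-process: first the unrelated site requests a
// client cert with no CA list, then with a CA list that never issued the user's cert.
func RunExperiment() (unrestricted, restricted string, err error) {
	site := mustSelfSigned("unrelated.example", []string{"unrelated.example"})
	user := mustSelfSigned("Alice Example", nil) // self-signed, so its issuer is Alice herself
	roots := x509.NewCertPool()
	roots.AddCert(site.Leaf)
	browser := &tls.Config{RootCAs: roots, ServerName: "unrelated.example", Certificates: []tls.Certificate{user}}
	server := func(cas *x509.CertPool) *tls.Config { // asks for a cert, never requires or verifies it
		return &tls.Config{Certificates: []tls.Certificate{site}, ClientAuth: tls.RequestClientCert, ClientCAs: cas}
	}
	if unrestricted, err = learnedByServer(server(nil), browser); err != nil {
		return "", "", err
	}
	restricted, err = learnedByServer(server(roots), browser) // site's own cert plays the foreign CA
	return unrestricted, restricted, err
}

func main() { fmt.Println(RunExperiment()) }
```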