Does a client certificate identify the owner to unrelated websites?
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an SSL diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
certificates certificate-authority
edited 5 hours ago
asked 5 hours ago
user13097
312
I can't reproduce this behaviour (see below). Can you add more details about your setup? In particular, which browser you're using?
– Mike Ounsworth
4 hours ago
1 Answer
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the Wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, i.e. nothing is sent to the server beyond the generic ClientHello, which contains no personally identifiable information (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using).
Note 1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and got the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note 2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings, in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server cause that cert was for a different website. Yup, that's a privacy concern alright.
Note 1: @JohnWu points out that it's possible to change this behaviour and have Chrome prompt, but it's not the default behaviour, and you have to go diving in Windows group policy (GPO) to do it.
Note 2: The reproducibility of this may depend on how your Windows OS was configured, since Chrome tends to inherit a lot of its security settings from IE.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exhibited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
edited 10 mins ago
answered 4 hours ago
Mike Ounsworth
38k1491135
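The exchange the answer captured in Wireshark (ClientHello, then ServerHello plus a CertificateRequest, then the client deciding whether to hand over a certificate) can be reproduced end to end on loopback. This is an added Go example, not code from the question or the answer: the loopback server, the self-signed certificates, the name "Alice Example" and the use of InsecureSkipVerify (only because the demo server cert is self-signed) are all constructed for the demo, and a Go client with a certificate configured stands in for a browser in "auto-send" mode.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate in memory (constructed
// for this demo); its Subject CN stands in for the name the question says leaked.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ObservedClientCN runs one handshake against a loopback server that merely *requests*
// a client cert (like the unrelated site) and returns the Subject CN it learned, "" if none.
func ObservedClientCN(clientCert *tls.Certificate) (string, error) {
	srv := &tls.Config{
		Certificates: []tls.Certificate{selfSigned("test-server")},
		ClientAuth:   tls.RequestClientCert, // send CertificateRequest, verify nothing
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	seen := make(chan string, 1)
	go func() {
		cn := ""
		if conn, err := ln.Accept(); err == nil {
			tc := conn.(*tls.Conn)
			if tc.Handshake() == nil {
				// Whatever the client volunteered is readable here, trusted or not.
				if pc := tc.ConnectionState().PeerCertificates; len(pc) > 0 {
					cn = pc[0].Subject.CommonName
				}
			}
			conn.Close()
		}
		seen <- cn
	}()
	cli := &tls.Config{InsecureSkipVerify: true} // demo only: self-signed server cert
	if clientCert != nil {
		cli.Certificates = []tls.Certificate{*clientCert} // browser in "auto-send" mode
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "", err
	}
	cn := <-seen // let the server finish the handshake before tearing down
	c.Close()
	return cn, nil
}
```

ObservedClientCN(nil) returns "" (the Firefox-with-Cancel case), while after alice := selfSigned("Alice Example") the call ObservedClientCN(&alice) returns "Alice Example", which is exactly what the question's diagnostic site was able to report back.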
Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
– schroeder♦
4 hours ago
On it! Hold tight! More edits incoming.
– Mike Ounsworth
4 hours ago
@schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
– Mike Ounsworth
4 hours ago
Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
– schroeder♦
4 hours ago
@schroeder heh, sadly no to all. It is however, time to make dinner :P
– Mike Ounsworth
4 hours ago