Does a client certificate identify the owner to unrelated websites?
up vote
6
down vote
favorite
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
certificates certificate-authority
asked 4 hours ago
user13097
312
New contributor
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
up vote
6
down vote
favorite
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
certificates certificate-authority
asked 4 hours ago
user13097
312
New contributor
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I can't reproduce this behaviour (see below). Can you add more details about your setup? In particular, which browser you're using?
– Mike Ounsworth
3 hours ago
add a comment |
up vote
6
down vote
favorite
up vote
6
down vote
favorite
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
certificates certificate-authority
asked 4 hours ago
user13097
312
New contributor
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
If I install a client certificate in my browser, which websites can see any information about this client certificate or the CA that issued it?
I once visited an ssl diagnostic site that immediately reported back information from one of my client certificates, including my name (which I had put in the CA that issued the client certificate).
This is related to: Protecting information in TLS client certificates
But that's about how the certificate is sent to the website that the certificate is intended for. I'm asking about unrelated websites.
certificates certificate-authority
certificates certificate-authority
asked 4 hours ago
user13097
312
New contributor
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 4 hours ago
user13097
312
New contributor
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 4 hours ago
asked 4 hours ago
user13097
312
New contributor
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 4 hours ago
user13097
312
asked 4 hours ago
user13097
312
312
New contributor
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
user13097 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
I can't reproduce this behaviour (see below). Can you add more details about your setup? In particular, which browser you're using?
– Mike Ounsworth
3 hours ago
add a comment |
I can't reproduce this behaviour (see below). Can you add more details about your setup? In particular, which browser you're using?
– Mike Ounsworth
3 hours ago
I can't reproduce this behaviour (see below). Can you add more details about your setup? In particular, which browser you're using?
– Mike Ounsworth
3 hours ago
I can't reproduce this behaviour (see below). Can you add more details about your setup? In particular, which browser you're using?
– Mike Ounsworth
3 hours ago
add a comment |
1 Answer
1
active
oldest
votes
up vote
4
down vote
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server cause that cert was for a different website. Yup, that's a privacy concern alright.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exihited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
answered 3 hours ago
Mike Ounsworth
38k1491135
Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
– schroeder♦
3 hours ago
1
On it! Hold tight! More edits incoming.
– Mike Ounsworth
3 hours ago
1
@schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
– Mike Ounsworth
3 hours ago
Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
– schroeder♦
3 hours ago
@schroeder heh, sadly no to all. It is however, time to make dinner :P
– Mike Ounsworth
3 hours ago
|
show 2 more comments
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
4
down vote
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server cause that cert was for a different website. Yup, that's a privacy concern alright.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exihited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
answered 3 hours ago
Mike Ounsworth
38k1491135
Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
– schroeder♦
3 hours ago
1
On it! Hold tight! More edits incoming.
– Mike Ounsworth
3 hours ago
1
@schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
– Mike Ounsworth
3 hours ago
Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
– schroeder♦
3 hours ago
@schroeder heh, sadly no to all. It is however, time to make dinner :P
– Mike Ounsworth
3 hours ago
|
show 2 more comments
up vote
4
down vote
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server cause that cert was for a different website. Yup, that's a privacy concern alright.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exihited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
answered 3 hours ago
Mike Ounsworth
38k1491135
Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
– schroeder♦
3 hours ago
1
On it! Hold tight! More edits incoming.
– Mike Ounsworth
3 hours ago
1
@schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
– Mike Ounsworth
3 hours ago
Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
– schroeder♦
3 hours ago
@schroeder heh, sadly no to all. It is however, time to make dinner :P
– Mike Ounsworth
3 hours ago
|
show 2 more comments
up vote
4
down vote
up vote
4
down vote
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server cause that cert was for a different website. Yup, that's a privacy concern alright.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exihited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
answered 3 hours ago
Mike Ounsworth
38k1491135
Interesting question! I just so happen to have a browser full of test certs, and a number of test sites to connect to! Let's test this!
(Skip to the bottom for a summary)
Investigation
Testing on Firefox
Firefox loaded with certs, a test site that requires a TLS client cert, Wireshark.
I restarted Firefox to get a clean session. Then I entered the URL of a website that will ask for a TLS client cert, and stopped once I got the "Please choose a certificate" popup. This is the wireshark packet capture up to that point:
Things to note:
The client sends a generic ClientHello.
The server sends a ServerHello that includes the server cert, and a request for a client cert.
At this point Firefox presents the popup for me to select which cert I wish to send. If I hit Cancel, then there is no further network traffic, ie nothing is sent to the server beyond the generic ClientHello which contains no personally identifiable information. (apart from the list of supported cipher suites, which could be used to determine which version of which browser you're using)
Note1: I tried the same test with only one client cert in my browser, and I even clicked "Remember this decision" on the cert selection popup, and get the same result. So I am unable to reproduce your result of private data being sent to the server without me clicking "OK".
Note2: As pointed out by @JohnWu in comments, you can change Firefox's behaviour in settings in which case it behaves in the same insecure way as Chrome below. Default setting is:
Testing on Chrome
Exactly the same test scenario as above, but with Chrome. (Note that Chrome does not have its own cert store, but instead uses your Windows cert store, which is a bit trickier to manipulate than Firefox. Details for that not included here.)
BINGO!! Chrome immediately starts sending client certs up to the server without any user prompts. This cert got rejected by the server cause that cert was for a different website. Yup, that's a privacy concern alright.
Summary
In my testing with the two browsers that I have in my test environment (Firefox and Chrome), Chrome exihited the behaviour you describe (spamming client certs at the server regardless of whether they are from a different site), while Firefox politely asked me to confirm which cert to send, even when I only had one cert installed.
Conclusion: If you care about privacy, then Chrome is not your friend. Use Firefox instead.
answered 3 hours ago
Mike Ounsworth
38k1491135
edited 28 mins ago
answered 3 hours ago
Mike Ounsworth
38k1491135
answered 3 hours ago
Mike Ounsworth
38k1491135
answered 3 hours ago
Mike Ounsworth
38k1491135
38k1491135
Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
– schroeder♦
3 hours ago
1
On it! Hold tight! More edits incoming.
– Mike Ounsworth
3 hours ago
1
@schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
– Mike Ounsworth
3 hours ago
Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
– schroeder♦
3 hours ago
@schroeder heh, sadly no to all. It is however, time to make dinner :P
– Mike Ounsworth
3 hours ago
|
show 2 more comments
Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
– schroeder♦
3 hours ago
1
On it! Hold tight! More edits incoming.
– Mike Ounsworth
3 hours ago
1
@schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
– Mike Ounsworth
3 hours ago
Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
– schroeder♦
3 hours ago
@schroeder heh, sadly no to all. It is however, time to make dinner :P
– Mike Ounsworth
3 hours ago
Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
– schroeder♦
3 hours ago
Every once in a while there is a question here where I'm not sure there is a clear answer but it needs testing. I'm very, very curious to see what further testing reveals.
– schroeder♦
3 hours ago
1
1
On it! Hold tight! More edits incoming.
– Mike Ounsworth
3 hours ago
On it! Hold tight! More edits incoming.
– Mike Ounsworth
3 hours ago
1
1
@schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
– Mike Ounsworth
3 hours ago
@schroeder Huzzah! Answer: if you're a fan of privacy, then Chrome is not your friend.
– Mike Ounsworth
3 hours ago
Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
– schroeder♦
3 hours ago
Awesome work! Care to test any other browsers? Got a blog to post this research to (and reference sec.se)?
– schroeder♦
3 hours ago
@schroeder heh, sadly no to all. It is however, time to make dinner :P
– Mike Ounsworth
3 hours ago
@schroeder heh, sadly no to all. It is however, time to make dinner :P
– Mike Ounsworth
3 hours ago
|
show 2 more comments
user13097 is a new contributor. Be nice, and check out our Code of Conduct.
user13097 is a new contributor. Be nice, and check out our Code of Conduct.
user13097 is a new contributor. Be nice, and check out our Code of Conduct.
user13097 is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199515%2fdoes-a-client-certificate-identify-the-owner-to-unrelated-websites%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
I can't reproduce this behaviour (see below). Can you add more details about your setup? In particular, which browser you're using?
– Mike Ounsworth
3 hours ago