Closed Bug 552598 Opened 15 years ago Closed 9 years ago

client-certificate UI is difficult to use

Categories

(Core Graveyard :: Security: UI, enhancement, P3)

enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: agaurav, Unassigned)

Details

(Whiteboard: [psm-auth])

Attachments

(1 file, 1 obsolete file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.89 Safari/532.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)

It is beneficial to use client certificates as long-term session cookies: (a) client private keys are not exposed if the user visits an HTTPS phishing page (and ignores server cert warnings), and (b) client certs are not removed when the user clears private data.

Existing UI for client certificates in browsers like Firefox is not user friendly. Whenever a server requests client certificates, Firefox shows a popup containing a list of client certificates and asks the user to select one certificate from this list (even if the user has set an option to remember the certificate used last time at this website, this popup is shown when the browser connects to this site the first time). Because of this confusing UI, few websites use client certificates for authentication.

We are proposing the following changes:

1. Conditionally remove client cert UI: add a new X509 "Silent Use" extension (OID "1.3.6.1.5.5.7.1.100") in a client cert to indicate that this certificate can be used for authentication without displaying the dialog to the user. If no client cert with this extension is found, the browser shows the popup depending on user preferences (automatically select cert, remember last used cert, etc.). Note that IE8 already does not pop up a dialog for client-cert authentication if there is only one matching client cert present.

2. The site that set the client cert should be able to restrict other sites from using the cert with the X509 "Scope-of-use" extension: this extension enables us to specify a list of web sites that may request the use of a particular certificate for SSL client authentication (http://docs.sun.com/source/816-5531-10/poli_ext.htm#1394157). The server would set the value of this extension to match its own URL or domain name. The value can also be set to a sub-domain so that the same certificate could be used at sister sites in the same domain. When the server requests a client cert, the browser will only select those certificates that have a compatible value in this extension (if it is present). Firefox already implements the "Scope-of-use" extension (in file security/manager/ssl/src/nsNSSIOLayer.cpp), but it is commented out. Could we re-enable the "Scope-of-use" extension for the purpose of restricting the sites where the client certificate can be used?

Security Considerations: Using client certificates without user intervention can be abused for user tracking. Consider a scenario where the user visits a bunch of websites A, B, C and D. All of these websites contain iFrames to show ads from the same provider P. P can install a client certificate in the browser which would then be sent every time the user visits any of these pages. Using this certificate, P can easily track the user across sites. We should minimize this by enforcing a third-party blocking policy in a manner similar to cookies, so that a third-party site cannot install or request a client certificate with the "Silent Use" extension.

Attached Patch:
* Removes the client cert UI for certs with the X509 Silent Use Extension. (First look for certs with the X509 Silent Use Extension OID "1.3.6.1.5.5.7.1.100". If matching certs are present, proceed silently with the first match encountered; otherwise default to the current behavior.)

TODO:
1. Reject client certs with the X509 Silent Use Extension when generated by a site A for a different site B. We need to intercept the crypto.importUserCertificates() function and check that the Scope-of-use extension has a value that is compatible with the URL of the website trying to install the cert. However, we have not found a straightforward way so far to reliably get hold of the URL or hostname inside this function.

Reproducible: Always

Steps to Reproduce:
1. Open Firefox and visit any website that requests client certificates

Actual Results:
Firefox pops up a window/dialog asking the user to select one client certificate from a list of matching certificates
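The selection rule proposed above (Scope-of-use filtering, then silent use of the first matching cert, otherwise today's dialog) together with the third-party restriction from the Security Considerations, as an added Python model. This is illustrative code written for this page, not the attached patch and not Firefox/NSS code. It assumes the Silent Use OID from the report; the Scope-of-use OID is a labelled placeholder because the page gives none, the extension values (a DER NULL for Silent Use, a bare host name for the scope) are assumed encodings, and the first-party test is a simplification of what a browser does with the public suffix list. The small DER helpers exist only so that the certificates' extensions are looked up by OID, as a browser would, rather than by hand-written flags.

```python
"""Client-cert selection driven by the proposed "Silent Use" and "Scope-of-use"
X.509 extensions.  Added illustration, not Firefox/NSS code; stdlib only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SILENT_USE_OID = "1.3.6.1.5.5.7.1.100"   # OID named in the bug report
SCOPE_OF_USE_OID = "1.2.3.4.99999.1"     # ASSUMED placeholder; the page gives no OID

def encode_oid(dotted: str) -> bytes:
    """DER OID content octets: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def der(tag: int, body: bytes) -> bytes:
    assert len(body) < 128                  # short-form length is enough here
    return bytes([tag, len(body)]) + body

def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Parse one TLV at buf[pos] -> (tag, content, offset after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }"""
    flag = der(0x01, b"\xff") if critical else b""
    return der(0x30, der(0x06, encode_oid(oid)) + flag + der(0x04, value))

def parse_extensions(ext_seq: bytes) -> Dict[str, bytes]:
    """Extensions SEQUENCE -> {dotted OID: extnValue}, so lookups are by OID."""
    exts, pos = {}, 0
    _, body, _ = der_tlv(ext_seq)
    while pos < len(body):
        _, ext, pos = der_tlv(body, pos)
        _, oid, p = der_tlv(ext)
        tag, val, p = der_tlv(ext, p)
        if tag == 0x01:                     # skip the optional 'critical' flag
            _, val, p = der_tlv(ext, p)
        exts[decode_oid(oid)] = val
    return exts

@dataclass
class ClientCert:
    label: str
    extensions: Dict[str, bytes]

def in_domain(host: str, domain: str) -> bool:
    """host is domain itself or a subdomain of it (the 'sister sites' case)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def same_site(a: str, b: str) -> bool:
    return in_domain(a, b) or in_domain(b, a)   # simplified; browsers use the public suffix list

def select_client_cert(certs: List[ClientCert], request_host: str, top_level_host: str,
                       silent_use_enabled: bool = True) -> Tuple[Optional[ClientCert], List[ClientCert]]:
    """(cert used silently, certs to offer in the dialog).  Scope-of-use must cover the
    host; Silent Use only first-party and when enabled, first match wins; else dialog."""
    pool = [c for c in certs if SCOPE_OF_USE_OID not in c.extensions
            or in_domain(request_host, c.extensions[SCOPE_OF_USE_OID].decode("ascii"))]
    if silent_use_enabled and same_site(request_host, top_level_host):
        for c in pool:
            if SILENT_USE_OID in c.extensions:
                return c, []
    return None, pool

def demo_store() -> List[ClientCert]:
    """Constructed sample store (extension blobs only, not real certificates).
    Silent Use value = DER NULL, scope value = bare host name: both assumed."""
    def cert(label: str, *exts: bytes) -> ClientCert:
        return ClientCert(label, parse_extensions(der(0x30, b"".join(exts))))
    return [
        cert("legacy-cert"),                                   # today's kind: always prompts
        cert("ad-network", extension(SILENT_USE_OID, b"\x05\x00"),
             extension(SCOPE_OF_USE_OID, b"ads.example")),
        cert("bank-session", extension(SILENT_USE_OID, b"\x05\x00", critical=True),
             extension(SCOPE_OF_USE_OID, b"bank.example")),
    ]

def scenario(request_host: str, top_level_host: str, **kw) -> Tuple[Optional[str], List[str]]:
    chosen, dialog = select_client_cert(demo_store(), request_host, top_level_host, **kw)
    return (chosen.label if chosen else None), [c.label for c in dialog]
```

`scenario("bank.example", "bank.example")` picks the bank cert with no dialog, `scenario("login.bank.example", ...)` does the same through the sub-domain scope, while `scenario("ads.example", "news.example")` (the ad iframe case) falls back to the dialog because the request is third-party, and disabling silent use returns every scoped candidate to the dialog. The third-party check here is on the TLS request side; the TODO in the report (rejecting a scoped cert at import time) would apply the same `in_domain` test against the installing page's host.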
Assignee: kaie → nobody
Severity: normal → enhancement
OS: Windows Vista → All
Priority: -- → P3
Hardware: x86 → All
Part 2 of your proposal is not implemented yet, though you propose a patch (uncommenting some stuff out). Could you attach to this bug a patch that uncomments scope-of-use for your proposed functionality? I'd like to see what it would entail.
Kai has posted a related, but I believe non-overlapping UI proposal: http://kuix.de/mozilla/sslauth/
Whiteboard: [psm-clientauth]
Whiteboard: [psm-clientauth] → [psm-auth]
Hrmm. I'm not sure I like the privacy implications of the proposed changes. The fact that a user is trying to clear their private data does NOT mean that new mechanisms to track them better in this case should be introduced. It is a rather blatant violation of user trust and expectation of browser behaviour to do so. I don't think the average user would be pleased to know that a website they visit could secretly store a cryptographically strong unique identifier on their computer to track them on future visits that they cannot delete, even if the proposed proper third-party checks could be enforced. IMHO, there should be clear UI options to disable client certificate creation, and/or prompt the user before their creation, and also options under the privacy settings to list and purge them.
I have no objection, as long as these Silent Use certs are treated just like the cookies they are. That is, they should be removed when the user wants to clear private data, and they might follow the same permission rules (exceptions, warning dialogs, etc ...). It should also be possible to disable them entirely, in which case they should be treated as normal certificates (popups, etc ...) They should also be displayed separately in the Certificate Manager, as they are different from 'normal' server certificates, which you probably don't want to delete by accident.
(In reply to comment #6)
> I have no objection, as long as these Silent Use certs are treated just like
> the cookies they are. That is, they should be removed when the user wants to
> clear private data, and they might follow the same permission rules
> (exceptions, warning dialogs, etc ...). It should also be possible to disable
> them entirely, in which case they should be treated as normal certificates
> (popups, etc ...)

I'm down with this silent use of client certs, since they would be precisely limited-use cookies (used only for authentication) that just happen to be useful for encryption too. We should treat them the same way as cookies:
- Should go away easily with "clear private data"
- In private browsing mode, they must be limited to a session.
- User must be able to turn them off like cookies.
- Must be *separate* from those users generate intentionally.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard