- Apr 21, 2016
Firefox has a problem with the way its intermediate certificate cache works: a web page can use misconfigured servers, or servers deliberately set up to look misconfigured, to learn which intermediate CA certificates the cache holds, and that information fingerprints users even when they use Private Browsing.
Security researcher Alexander Klink identified the data leak, and according to his evaluation, the issue could also let attackers tell browsers running in a malware-analysis sandbox apart from those used by regular people: a fresh analysis profile has few or no cached intermediates, while a browser in daily use has accumulated many.
The way this works is that when a browser starts a TLS session for an HTTPS site, a correctly configured server sends its own (leaf) certificate together with the intermediate CA certificate that signed it. A misconfigured server sends only the leaf certificate. Chrome and Internet Explorer cope with this "magically", as the researcher puts it: they fetch the missing intermediate themselves, using the Authority Information Access URL in the leaf certificate. Firefox does not, so when the server sends only the leaf, the site loads only if Firefox already has that intermediate in its cache, left there by an earlier visit to a correctly configured site that chains to the same intermediate.
This problem usually appears when server admins don't set up their certificate chain correctly, and for Firefox users it usually shows up as a certificate error in the browser.
Private Browsing protections don't matter
Klink then notes that if a browser behaves differently depending on the server's configuration, that behavior can be used to infer which intermediate certificates are in its cache, and the set of cached intermediates can serve as a user fingerprint.
In short, the bug allows a third-party site to load resources from servers that send only their leaf certificate; whether each load succeeds tells the site which intermediate CAs are in Firefox's cache. Not even Private Browsing mode saves users from this vulnerability.
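The probing technique described above, written out as an added example (this is not Klink's code, and the probe hosts `probe-a.example` through `probe-d.example` are hypothetical: each would have to be a server that sends only a leaf certificate signed by a different, widely used intermediate). In a browser, each probe is an image load; the TLS handshake either completes because the intermediate is already cached, or fails because it is not. The loader is injectable so the logic can be run outside a browser with a simulated cache.

```javascript
// Added example: infer which intermediate CA certificates Firefox already has
// cached, by loading a resource from servers that send only their leaf
// certificate. The hosts below are hypothetical, constructed for this example.
const PROBES = [
  { ca: "Intermediate A", url: "https://probe-a.example/pixel.png" },
  { ca: "Intermediate B", url: "https://probe-b.example/pixel.png" },
  { ca: "Intermediate C", url: "https://probe-c.example/pixel.png" },
  { ca: "Intermediate D", url: "https://probe-d.example/pixel.png" },
];

// Browser-side loader. An <img> whose TLS handshake fails (intermediate not
// cached, server did not send it) fires onerror; one whose handshake completes
// fires onload. The cache-busting query keeps the HTTP cache out of the
// picture, since only the TLS outcome carries information. A timeout counts
// as "not cached" so a stalled probe cannot hang the fingerprint.
function probeWithImage(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const img = new Image();
    let timer;
    const done = (ok) => { clearTimeout(timer); resolve(ok); };
    timer = setTimeout(() => done(false), timeoutMs);
    img.onload = () => done(true);
    img.onerror = () => done(false);
    img.src = `${url}?nocache=${Date.now()}-${Math.random()}`;
  });
}

// Pack an array of booleans into a hex string, most significant bit first;
// a trailing partial nibble is zero-padded on the right.
function bitsToHex(bits) {
  let out = "";
  for (let i = 0; i < bits.length; i += 4) {
    let nibble = 0;
    for (let j = 0; j < 4; j++) nibble = (nibble << 1) | (bits[i + j] ? 1 : 0);
    out += nibble.toString(16);
  }
  return out;
}

// Run all probes in parallel and report which intermediates appear cached,
// plus a compact fingerprint. An all-zero vector means no probe succeeded:
// a fresh profile, such as a throwaway analysis sandbox.
async function fingerprintIntermediates(probes = PROBES, loader = probeWithImage) {
  const bits = await Promise.all(probes.map((p) => loader(p.url)));
  return {
    cached: probes.filter((_, i) => bits[i]).map((p) => p.ca),
    bits,
    hex: bitsToHex(bits),
    looksFresh: bits.every((b) => !b),
  };
}

// Simulated Firefox cache for running this outside a browser: the probe URLs
// whose intermediate is "already cached" (constructed data, not a real cache).
function simulatedLoader(cachedUrls) {
  return async (url) => cachedUrls.has(url);
}
```

In a real deployment the page would call `fingerprintIntermediates()` with the default image loader. To check whether one of your own servers sends its full chain, `openssl s_client -connect host:443 -showcerts` lists every certificate the server sent; a single certificate that is not self-signed means the intermediate is missing and Firefox users will depend on their cache.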
Read more: Firefox Users Can Be Fingerprinted Due to Certificate Cache Bug