Another Mozilla security hole!

After Mozilla had a hard time fixing a Password Manager bug, which willingly exposed passwords to different sites without the user's consent, it seems that yet another controversial security problem is surfacing:

You browse the Internet as we all do, and from time to time you come across various login facilities. Be it a forum, blog, administrative site or anything along these lines, most of these sites are protected by user name and password form fields. Upon entering a protected area of the site you are visiting, you are asked to enter the user name and password - provided you've got one. If you had to register in order to receive a login account, you are pretty aware of the information the site wanted to know about you. And almost obviously, you are also aware of the fact that you are going to access a protected part of the web site and that you must authenticate in order to do that.

Now just imagine you enter a protected web site without even knowing that you did. More than that, you also just supplied the site with some personal details about yourself: for example your name, which country you are from and which city you live in. Furthermore, you'd also give out some clues about your preferred certification authority. Or maybe not the preferred one - but just one you happen to use…

I could take your imagination even one step further. You are one of those security minded individuals who uses Firefox for browsing the Internet, accepts cookies only from preferred web sites and has Javascript turned off by default. Even to you it can happen on a hectic day that you don't pay attention to everything. You enter a web site and turn your back - your wife just called, the baby cries and your three year old is falling from a chair. You save the falling child from certain injury, calm the baby and assure your wife that everything is alright ;-) . Back at your computer you turn your attention to your usual business. However, what you don't know is that in the meantime a client certificate was installed into your browser [1]. And from now on they are tracking you wherever you go…

How does it work? An in-depth explanation was posted to Mozilla's bug reporting tool, with a proof of concept which demonstrates the attack in practice. Simply put, Firefox sends the most appropriate certificate to any web server requesting client certificate authentication. A server can be configured to accept any certificate, meaning Firefox chooses one for you [2]. You - the clueless visitor of the web site - don't even know about it. Why? Because the default setting of Firefox is to select a client certificate automatically whenever a site requests it. Outshhhh! No prompt, no message, nothing, nada!

[Screenshot: Firefox Default Preferences]

In comparison, the less secure Internet Explorer seems to handle this much better. First of all, whenever a private key for the client certificate is generated a prompt is displayed where the user can cancel the action. Another prompt announces the installation of the certificate and the option to cancel. When a web site requests authentication with a client certificate, Internet Explorer presents a list of installed client certificates. The user in this case knows about the request and can either cancel or choose the certificate. Certainly as one expects such things to work.

Up to now, the lead developers of the NSS module, which handles crypto related matters in Mozilla Firefox, have objected to changing the default setting to “Ask me every time“, which obviously could solve this problem with minimal investment and in a timely fashion. Worse, some developers even refuse to acknowledge that there is a problem in the first place and don't see any need to change the existing functionality in the meantime. Certainly not what I'd expect from the fellows of the Mozilla community. And this is the reason for my article here: to make more folks aware of this issue. Because I care extremely about how “my” browser works!
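Since the whole issue comes down to one browser preference, here is an added example (my own code, not StartCom's, Mozilla's or anything from the original post) that audits a Firefox profile for it. The preference name `security.default_personal_cert` and its two string values, "Select Automatically" and "Ask Every Time", are taken from the Firefox preference system as I know it, not from the post; "Select Automatically" is treated as the built-in default because that is the behaviour the post describes, and later Firefox releases may default differently. The sample prefs.js content, the profile path and all function names are constructed for the example.

```python
"""Audit a Firefox profile's prefs.js / user.js for the client-certificate
selection preference.

Firefox stores the behaviour in ``security.default_personal_cert``:
"Select Automatically" (silently sends a matching client certificate, the
default at the time of the post) or "Ask Every Time" (prompts the user).
When the preference is absent, the built-in default applies.

Added example; preference name/values are from Firefox as I know it, the
sample data and helper names are constructed and not from the post.
"""
from __future__ import annotations

import re
from pathlib import Path

PREF_NAME = "security.default_personal_cert"
AUTO_SELECT = "Select Automatically"   # assumed built-in default (2007 era)
ASK_EVERY_TIME = "Ask Every Time"      # the hardened setting

# A prefs.js line holding a *string* preference:  user_pref("name", "value");
# Boolean and integer prefs do not match and are ignored on purpose.
_PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);\s*$')


def parse_prefs(text: str) -> dict[str, str]:
    """Map preference name -> value for every string pref in prefs.js text.

    Comment lines ("// Mozilla User Preferences") and non-string prefs are
    skipped; backslash escapes inside the value are undone.
    """
    prefs: dict[str, str] = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = raw.replace('\\"', '"').replace("\\\\", "\\")
    return prefs


def cert_selection_mode(prefs: dict[str, str]) -> str:
    """Effective mode: the stored value, or the built-in default if unset."""
    return prefs.get(PREF_NAME, AUTO_SELECT)


def is_hardened(prefs: dict[str, str]) -> bool:
    """True only when Firefox will prompt before sending a client certificate."""
    return cert_selection_mode(prefs) == ASK_EVERY_TIME


def hardened_pref_line() -> str:
    """The user.js line that switches the browser to "Ask Every Time"."""
    return f'user_pref("{PREF_NAME}", "{ASK_EVERY_TIME}");'


def audit_profile(profile_dir: str) -> str:
    """Read prefs.js then user.js (user.js overrides, as in Firefox) and
    return the effective selection mode. A missing profile yields the default."""
    prefs: dict[str, str] = {}
    for fname in ("prefs.js", "user.js"):
        p = Path(profile_dir) / fname
        if p.exists():
            prefs.update(parse_prefs(p.read_text(encoding="utf-8")))
    return cert_selection_mode(prefs)


# Constructed sample: a prefs.js that never touches the preference, so the
# browser silently auto-selects a client certificate.
SAMPLE_DEFAULT_PREFS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.cookieBehavior", 1);
"""

# Constructed sample: the same file with the hardened line appended.
SAMPLE_HARDENED_PREFS = SAMPLE_DEFAULT_PREFS + hardened_pref_line() + "\n"


if __name__ == "__main__":
    samples = (("default", SAMPLE_DEFAULT_PREFS), ("hardened", SAMPLE_HARDENED_PREFS))
    for label, text in samples:
        mode = cert_selection_mode(parse_prefs(text))
        verdict = "OK, user is prompted" if mode == ASK_EVERY_TIME else "client cert sent silently"
        print(f"{label:8s} {PREF_NAME} = {mode!r} -> {verdict}")
    # Assumed profile path; on a real system point this at the profile folder.
    print("live profile:", audit_profile("/path/to/firefox/profile"))
```

The script only reads string preferences, since the one that matters is a string; run it against a real profile directory and append the `hardened_pref_line()` output to that profile's `user.js` if it reports "Select Automatically".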

The StartCom CA makes use of client certificate authentication - in my opinion the most responsible way to protect personal accounts. Repeated registration can be skipped at our current CA web site with a client certificate and our new next generation CA sites [3] and related services are all protecting personal accounts and information via digital certification.

[1] With a little effort and Ajax technology, generation of a private key and installation of the resulting certificate can be automated in such a way that the only clue would be a popup message that a certificate has been installed. In the now obsolete 1.5 version there wasn't even that - the certificate would install seamlessly. As a matter of fact, we had to pop up a message window ourselves at the StartCom CA, so that users would know that their client certificate had been installed. We added the message after some complained that nothing happened and they didn't receive the requested certificate. In fact they did receive their client certificate, but they simply didn't know about it.

[2] Also annoying is the fact that if you have multiple certificates installed from the same CA, Firefox will use one of them, even if you'd prefer to use a different one. Users new to the Firefox browser will have a hard time finding out why, and how to change the default behavior, without plunging deep into the browser configuration. Obviously more overhead for our support department.

[3] Under development is a brand new and very advanced facility for the management of SSL and S/MIME certificates. StartSSL™ PKI will be opened to the public within the next month; StartSSL™ DNS and StartSSL™ WoT already require client certificates today as a means of authentication in order to access personal accounts.

Update! On 19.09.2007 Heise Security reported this issue as well.


Reader Comments

I forgot to update: This bug was successfully fixed after a CVE report was filed. See