[TLS] TLS browser bugs

Henry Story <henry.story@bblfish.net> Mon, 06 September 2010 14:48 UTC

I have been investigating issues with browser side SSL logout, which become clearly evident when one tries to put whole web sites behind HTTPS.  Here is a summary of my investigations. Perhaps people here will know to point others to these issues, and also guide me to other solutions if there are any.

The issues are essentially browser bugs and UI problems that are easily fixed. So if people here can help vote on the issues, or if they know ways of creating a coalition of people who can help us move the browser vendors in the right direction please let me know. There is just so much that can be done here if these issues are fixed!

1. Identity in the Browser
==========================

I summarised the main user interface issue in Google Chrome bug 29784 [0].

Read the following with this picture in mind:

   http://bit.ly/aXDqUs  

[[
Let us imagine a future secure web where everything is behind https. (Why not? It's cheap now!) So some friend sends you an https link to content on some site. You arrive at the site and the server is set up for optional client certificate usage. Bang! Up pops your browser asking you to select a certificate.

Problem: you don't yet know which site you have arrived on! And it is asking you for a certificate. So really what you want to do is click "Cancel" to first check out the site. But then, without this patch that @snej is working on, you won't be able to log in to the site later to see the classified content - well, not without restarting your browser!

So one could even go one step further and allow you, the browser user, to select an option that would let the browser automatically log in without a certificate on sites that ask for certificates optionally. The location bar would then show a logo for the anonymous user - an icon of a guy with sunglasses perhaps, with "anonymous" written next to it - that would be a hint to you that you can log in whenever you want to by selecting the button.

If done correctly, the certificate selection box could be designed so that the user understands, after that box has appeared a few times too often, how he can make this behaviour automatic.

This would essentially then have fully integrated identity into the browser at very little cost.
]]

You can see on bug 29784 [0] the fix they are working on. But their work seems to have stalled for the past few months. The same issue was reported to Firefox [0.5]. All browsers have this bug, but not all have open bug tracking systems.

2. Logout on the Server
=======================

While waiting for the above fix to be implemented correctly, I have been investigating how one could get server side logout to work. Using the return codes described in section 7.2 of the TLS spec I put together the following test server:
http://github.com/bblfish/TLS_test/blob/master/src/main/java/net/bblfish/test/SSLTestServer.java

This makes it easy to see which browsers implement paragraph 7.2 of the TLS spec.

The good news is that this works nicely for Safari (well, except that it does not allow one to log in anonymously - i.e. one always needs to send a certificate) - which is really important because once one chooses a certificate for Safari there is no UI way for the user to change it. (I.e. Safari really needs the Identity in the Browser fix!) As a result Safari becomes usable again for client side certs, allowing one to change identity, or just to rectify an error in case one has sent a bad certificate.

The bad news is that there are issues with Chromium (but they are quite quick to fix things) [1] and Firefox 593066 [2]. Opera also has an issue here. I have not yet tested these browsers on other OSes, or IExplorer.
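The behaviour the test server above probes can be reproduced without a browser. What follows is an added Go (crypto/tls) example, not the author's SSLTestServer: the client caches the TLS session, which still carries the client certificate presented in the first handshake, so a server-side "logout" has to make that cached session unresumable and force a full handshake. Go's crypto/tls does not let application code send the section 7.2 alerts the Java server relies on, so this example forces the fresh handshake by rotating the server's session ticket keys instead; the certificates and the in-memory connection are constructed for the test.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate in memory (constructed test data).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ResumeSequence reports DidResume for three handshakes against a server that requests an
// optional client certificate: full, resumed (the session still carries the cert chosen the
// first time), and one after the server rotated its ticket keys, which forces a fresh
// handshake. Returns [false true false].
func ResumeSequence() [3]bool {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{selfSigned("server")},
		ClientAuth: tls.RequestClientCert, MaxVersion: tls.VersionTLS12} // optional client cert; TLS 1.2 sends the ticket in-handshake
	cliCfg := &tls.Config{InsecureSkipVerify: true, // only because the server cert is the throwaway above
		Certificates: []tls.Certificate{selfSigned("alice")}, ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	var resumed [3]bool
	for i := range resumed {
		if i == 2 { // server-side logout: every ticket issued so far stops decrypting
			var k [32]byte
			rand.Read(k[:])
			srvCfg.SetSessionTicketKeys([][32]byte{k})
		}
		cs, ss := net.Pipe() // in-memory connection, no sockets needed
		go func() { tls.Server(ss, srvCfg).Handshake(); ss.Close() }()
		c := tls.Client(cs, cliCfg)
		if err := c.Handshake(); err != nil {
			panic(err)
		}
		resumed[i] = c.ConnectionState().DidResume
		c.Close()
	}
	return resumed
}
```

Only the third connection, made after the key rotation, has to redo the full handshake and present (or decline) a certificate again; a browser talking to such a server would show its certificate chooser at exactly that point.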

Are there any other tricks I could use for server side logout that people here would know about?

Is there anything we can do as a community to get this up on the browser vendors' priority list?

Thanks in advance,

	Henry Story
	http://bblfish.net/

[0] Google Chrome UI issue, where they are working on the beginning of a fix:
  http://code.google.com/p/chromium/issues/detail?id=29784
[0.5] List of UI issues with Firefox:
  https://bugzilla.mozilla.org/show_bug.cgi?id=396441
[1] Google Chrome: http://code.google.com/p/chromium/issues/detail?id=54405
[2] Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=593066


Social Web Architect
http://bblfish.net/