Re: [TLS] Asking the browser for a different certificate

[Martin Rex <mrex@sap.com>]

Marsh Ray wrote:
> 
> On 3/26/2010 8:14 PM, Martin Rex wrote:
> >
> > Would the browser be able to
> > tell the server in a ClientHelloExtension "Don't bother sending
> > me a CertificateRequest, because I don't have one", then
> > the server could skip the CertificateRequest message if the
> > application/configuration allows the handshake to complete without
> > client certificate.
> 
> That would be a significant information leak.
> 
> Consider an attacker passively sniffing public wifi in a coffee shop
> near a targeted organization. Now he sees who has his smart card in the
> reader and activated.


To me this sounds extremely farfetched.

The ClientHello also "leaks" the maximum protocol_version that your
client supports, the cipher_suites and compression algs your client
is willing to use.

The reason why a client may be sending that information may be manyfold,
not necessarily a presence of a Smartcard.  A client could implement
a caching of a users decision to present a client cert, e.g. on a
per-server basis, or for a specific amount of time (for the next X hours).

For those users that use SmartCards enabled for TLS client cert
authentication, you will see their entire certificate flying by
in the clear in the regular TLS handshake when they connect
to the TLS server for which they plugged their SmartCard in the
first place.

And would you make your client include a "certificate URL extension"
even when the client does not have a client certificate.  Well, maybe
-- if you are the CIA and ordering your constant daily batch of pizzas.  :)

Maybe you should not use any secure authentication protocols like
Kerberos or TLS if you want to entirely hide that fact, that you possess
secure client credentials.


-Martin