Re: [TLS] Asking the browser for a different certificate
Martin Rex <mrex@sap.com> Mon, 29 March 2010 17:44 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DA5183A6894 for <tls@core3.amsl.com>; Mon, 29 Mar 2010 10:44:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.219
X-Spam-Level:
X-Spam-Status: No, score=-7.219 tagged_above=-999 required=5 tests=[AWL=-0.700, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oxBFvjgce18m for <tls@core3.amsl.com>; Mon, 29 Mar 2010 10:44:58 -0700 (PDT)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id B43FA3A688B for <tls@ietf.org>; Mon, 29 Mar 2010 10:44:57 -0700 (PDT)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id o2THjLvs016814 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 29 Mar 2010 19:45:21 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201003291745.o2THjKgr017986@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Mon, 29 Mar 2010 19:45:20 +0200
In-Reply-To: <4BAE396B.9090104@extendedsubset.com> from "Marsh Ray" at Mar 27, 10 11:59:23 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Asking the browser for a different certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2010 17:44:58 -0000
Marsh Ray wrote: > > On 3/26/2010 8:14 PM, Martin Rex wrote: > > > > Would the browser be able to > > tell the server in a ClientHelloExtension "Don't bother sending > > me a CertificateRequest, because I don't have one", then > > the server could skip the CertificateRequest message if the > > application/configuration allows the handshake to complete without > > client certificate. > > That would be a significant information leak. > > Consider an attacker passively sniffing public wifi in a coffee shop > near a targeted organization. Now he sees who has his smart card in the > reader and activated. To me this sounds extremely farfetched. The ClientHello also "leaks" the maximum protocol_version that your client supports, the cipher_suites and compression algs your client is willing to use. The reason why a client may be sending that information may be manyfold, not necessarily a presence of a Smartcard. A client could implement a caching of a users decision to present a client cert, e.g. on a per-server basis, or for a specific amount of time (for the next X hours). For those users that use SmartCards enabled for TLS client cert authentication, you will see their entire certificate flying by in the clear in the regular TLS handshake when they connect to the TLS server for which they plugged their SmartCard in the first place. And would you make your client include a "certificate URL extension" even when the client does not have a client certificate. Well, maybe -- if you are the CIA and ordering your constant daily batch of pizzas. :) Maybe you should not use any secure authentication protocols like Kerberos or TLS if you want to entirely hide that fact, that you possess secure client credentials. -Martin
- Re: [TLS] Asking the browser for a different cert… Story Henry
- [TLS] Asking the browser for a different certific… Story Henry
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Wan-Teh Chang
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Michael D'Errico
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] Asking the browser for a different cert… Martin Rex
- Re: [TLS] Asking the browser for a different cert… Dale Gustafson
- Re: [TLS] Asking the browser for a different cert… Kyle Hamilton
- Re: [TLS] Asking the browser for a different cert… Bruno Harbulot
- Re: [TLS] Asking the browser for a different cert… Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Kemp, David P.
- Re: [TLS] [POSSIBLE SPAM] Re: Asking the browser … Marsh Ray