Re: [TLS] Asking the browser for a different certificate

Martin Rex <> Mon, 29 March 2010 17:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DA5183A6894 for <>; Mon, 29 Mar 2010 10:44:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7.219
X-Spam-Status: No, score=-7.219 tagged_above=-999 required=5 tests=[AWL=-0.700, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oxBFvjgce18m for <>; Mon, 29 Mar 2010 10:44:58 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B43FA3A688B for <>; Mon, 29 Mar 2010 10:44:57 -0700 (PDT)
Received: from by (26) with ESMTP id o2THjLvs016814 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 29 Mar 2010 19:45:21 +0200 (MEST)
From: Martin Rex <>
Message-Id: <>
To: (Marsh Ray)
Date: Mon, 29 Mar 2010 19:45:20 +0200 (MEST)
In-Reply-To: <> from "Marsh Ray" at Mar 27, 10 11:59:23 am
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Subject: Re: [TLS] Asking the browser for a different certificate
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 29 Mar 2010 17:44:58 -0000

Marsh Ray wrote:
> On 3/26/2010 8:14 PM, Martin Rex wrote:
> >
> > Would the browser be able to
> > tell the server in a ClientHelloExtension "Don't bother sending
> > me a CertificateRequest, because I don't have one", then
> > the server could skip the CertificateRequest message if the
> > application/configuration allows the handshake to complete without
> > client certificate.
> That would be a significant information leak.
> Consider an attacker passively sniffing public wifi in a coffee shop
> near a targeted organization. Now he sees who has his smart card in the
> reader and activated.

To me this sounds extremely farfetched.

The ClientHello also "leaks" the maximum protocol_version that your
client supports, the cipher_suites and compression algs your client
is willing to use.

The reason why a client may be sending that information may be manyfold,
not necessarily a presence of a Smartcard.  A client could implement
a caching of a users decision to present a client cert, e.g. on a
per-server basis, or for a specific amount of time (for the next X hours).

For those users that use SmartCards enabled for TLS client cert
authentication, you will see their entire certificate flying by
in the clear in the regular TLS handshake when they connect
to the TLS server for which they plugged their SmartCard in the
first place.

And would you make your client include a "certificate URL extension"
even when the client does not have a client certificate.  Well, maybe
-- if you are the CIA and ordering your constant daily batch of pizzas.  :)

Maybe you should not use any secure authentication protocols like
Kerberos or TLS if you want to entirely hide that fact, that you possess
secure client credentials.