Firefox Fingerprinting using intermediate CA caching


New browser capabilities and features are designed to improve the user experience or compatibility with technologies.

Sometimes, these features may also be used for shady activities such as user tracking.

One of the latest of these techniques fingerprints Firefox users through intermediate CA caching.

To break it down into a single paragraph: Firefox caches intermediate CAs to speed up the loading of sites. Sites can probe these cache entries, and the entries may reveal information about the connecting user. Lastly, sites may abuse the caching by making Firefox cache a unique set of intermediate CAs for tracking purposes.


Alexander Klink, who notified Mozilla about the issue, created a proof of concept site that tests the browser’s intermediate CA cache against 326 different intermediate CAs.

You can run the test by visiting this site. Basically, what it does is try to load images from servers that are misconfigured. If the image loads, Firefox cached the intermediate CA. If it does not load, no caching occurred.

The technique lists the intermediate CAs the user encountered in the past. While the information is not linked to a specific site all the time, there are situations where this is the case.

Klink notes for instance that a cached Deutscher Bundestag CA (German Parliament CA) strongly suggests that the user is located in Germany, or at least in a German-speaking country, and is interested or involved in politics.

While the information that an attacker may gather from checking intermediate CA caching is limited, it may be used in conjunction with other fingerprinting techniques.

Also, as mentioned earlier, it may be possible to plant a set of cached intermediate CAs in the Firefox cache for identification purposes. Firefox uses the same cache for regular and private browsing sessions.

Mozilla is aware of the issue but has not made a decision yet as to what to do about it. The organization plans to gather telemetry data on intermediate CA caching, especially how often it is useful to users.

Our Firefox privacy and security preferences listing offers a way out, but it may impact your browsing experience. Check out entry 1220 on the page. Basically, what you need to do is create the Boolean preference security.nocertdb and set it to true.


  1. Type about:config in the Firefox address bar and press the Enter key.
  2. Confirm that you will be careful if a warning prompt appears.
  3. Right-click in the main area, and select New > Boolean.
  4. Name the Boolean security.nocertdb.
  5. Set it to true.

Note that you need to restart the Firefox web browser after adding the preference. You will notice that the test will no longer identify the majority of intermediate CAs. The count dropped from more than 50 to 2 after I made the change on a test system.

You can undo the change at any time by setting the preference to false (double-click it), or by right-clicking on the preference and selecting reset.
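The same preference change can be scripted by writing it to the `user.js` file in the Firefox profile directory, which Firefox reads at startup. The following is an added example, not part of the original article; the function names are hypothetical and the profile directory path is assumed to be supplied by the user.

```python
import re
import sys
import tempfile
from pathlib import Path

PREF = "security.nocertdb"  # preference name from the article


def _pref_re(name):
    # Matches a user_pref() line for this preference and captures its value.
    return re.compile(r'^\s*user_pref\(\s*"%s"\s*,\s*(.*?)\s*\)\s*;\s*$' % re.escape(name))


def set_bool_pref(profile_dir, name, value):
    """Set a Boolean preference in <profile_dir>/user.js; True if the file changed."""
    user_js = Path(profile_dir) / "user.js"
    wanted = 'user_pref("%s", %s);' % (name, "true" if value else "false")
    old = user_js.read_text(encoding="utf-8").splitlines() if user_js.exists() else []
    new, placed = [], False
    for line in old:
        if not _pref_re(name).match(line):
            new.append(line)      # unrelated preferences are kept untouched
        elif not placed:
            new.append(wanted)    # replace the first entry, drop duplicates
            placed = True
    if not placed:
        new.append(wanted)
    if new == old:
        return False              # already set: nothing to write
    user_js.write_text("\n".join(new) + "\n", encoding="utf-8")
    return True


def get_bool_pref(profile_dir, name):
    """Return the value user.js sets for the preference, or None if absent."""
    user_js = Path(profile_dir) / "user.js"
    found = None
    if user_js.exists():
        for line in user_js.read_text(encoding="utf-8").splitlines():
            m = _pref_re(name).match(line)
            if m and m.group(1) in ("true", "false"):
                found = m.group(1) == "true"   # last entry wins
    return found


if __name__ == "__main__":
    # First argument: Firefox profile directory (a throwaway directory if omitted).
    profile = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    changed = set_bool_pref(profile, PREF, True)
    print("updated" if changed else "already set", "- restart Firefox to apply")
```

To undo the change this way, call `set_bool_pref` with `False` rather than deleting the line, because Firefox keeps a value it has already applied from `user.js`.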

Additional details are provided by Alexander Klink at the Shift or Die blog.