Fingerprinting Firefox users with cached intermediate CA certificates

[liloman]

Does it software implement something related to this?

https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/

Cheers

[pyllyukko]

No. The problem is that there are so many sites that don't have properly configured certificate chain and it pretty much breaks the internetz if the browsers don't cache 'em ☹️

[pyllyukko]

Very nice post + PoC on the topic though.

Here are the direct links to Mozilla bug tracker:

• 1334485 – Fingerprinting using intermediate CA caching
• 1336226 – gather telemetry on how often the intermediate CA cache is useful to the user

[nodiscc]

This can be mitigated by using an addon that blocks cross-site requests such as uBlock Origin configured in Hard mode - tested working, no cached indermediate CAs are detected.

This can be recommended as part of a refactored Further hardening > Addons README section that was discussed in a previous issue.

[nodiscc]

Recommendation to use cross-site requests blocking added in PR #255

[nodiscc]

The test for intermediate CA leaks is listed in https://github.com/pyllyukko/user.js/#fingerprinting-tests, and there is a workaround described in https://github.com/pyllyukko/user.js/#add-ons (block cross-site requests with uBlock Hard Mode - RequestPolicyContinued also works, but it's harder to manage 2 overlapping addons).

I think this can be closed.