Intermediate certificate fingerprinting is unique to Firefox.
To make a successful HTTPS connection, a browser needs to be able to build a chain from the website’s SSL certificate to the root CA certificate. Intermediate certificates make up the middle of this chain. There will always be at least one of them, but there can be more.
The chaining process is straightforward if the website has configured its server properly and directly sends all the necessary Intermediate certificates to the browser. But missing, or otherwise misconfigured intermediates is one of the most common HTTPS configuration errors.
To prevent the web from being a mess of certificate errors, browsers came up with ways to deal with those misconfigurations. Firefox does this by building a local cache of Intermediates it receives from properly configured sites. It can then look to that cache for the proper certificate when making other connections.
There are, however, a couple of downsides to Firefox compensating for missing Intermediates. For one, it creates the illusion that a misconfigured site is working properly. An inexperienced server admin may not realize that their site’s HTTPS connection is only working properly because of his browser’s cache.
The other downside is that a researcher has found a way to fingerprint users based on the uniqueness of their specific cache.
This fingerprinting technique works by loading resources from a variety of misconfigured websites which don’t have properly configured certificate chains, each website using certificates from different CAs. If the resource can be successfully loaded, it means that your Firefox browser already had the needed Intermediate(s) in its cache. If it can’t be loaded, Firefox didn’t make the HTTPS connection because it did not have the Intermediate. Which Intermediates were and were not cached can then be recorded and saved, and if the data is unique enough, it can build a unique fingerprint.
There are loads of CAs out there. You likely know the big ones like Symantec, Comodo, and GoDaddy. But do you know HARICA? Also known as the Hellenic Academic & Research Institutions Certificate Authority, which serves Greece’s academic community? No?
These niche CAs serve specific regions, government offices, and other specialized communities. They have root certificates residing in millions of computers across the globe, even though it’s unlikely most users will ever encounter one of their certificates.
So while having the cached Intermediate for any of Symantec’s roots may not do much to uniquely identify you, the Intermediates for HARICA of Hongkong’s Postal service can.
Alexander Klink, who created this technique, wrote on his blog, “certain CAs have customers mostly in one country or region, or might have even more specific use-cases which lets you infer even more information − i.e. a user who has the »Deutsche Bundestag CA« cached [Ed: The Bundestag is one of Germany’s legislative bodies, like the US House of Representatives] is most probably located in Germany and probably at least somewhat interested in politics.”
Klink noted some of the different uses for the technique, including linking a user to a Private Browsing session (since they share the same cache) and detecting if the client device is a malware analysis sandbox, “which would probably have none or very few of the common intermediates cached.”
Unlike other browsers, Firefox does not perform AIA fetching, which uses embedded information in the server’s certificate to know where to get a copy of the Intermediates needed. Ironically, Firefox avoided implementing AIA fetching because it has its own privacy downsides, and instead opted to use a cache which made the browser vulnerable to this fingerprinting technique.
Google Chrome uses AIA fetching which renders it immune to this technique. Because Chrome can simply download the needed Intermediate during the connection, it isn’t possible to build a list of what Intermediates it has previously encountered.
Klink built a proof of concept which allows you to see this new technique in action (You will, of course, need to visit the page in Firefox). The test looks for 325 different Intermediate certificates.
Earlier this year, Firefox implemented a “font whitelist” to combat a fingerprinting technique which tried to identify you via your computer’s supported fonts.
Firefox developers noted that defending against this new Intermediate caching fingerprinting technique may not be so easy, as it would likely require reducing its functionality or disabling the cache altogether. For now, they are not planning any changes.
Researchers from Lehigh University in Pennsylvania recently created a fingerprinting method that can uniquely identify your computer from its graphic rendering capabilities, allowing tracking across different browsers. Fingerprinting methods are becoming increasingly complex, often relying on hardware/software capabilities and settings to identify you without even needing to look at your specific habits or browsing history.