A special client certificate will be created on first start-up (after
installation or update). This certificate can be used to identify and
authenticate a user to web sites that ask for it. No personally identifiable
information is included in the certificate; it only identifies a user account,
not a physical person. Any binding between the user account(s) and an actual
person would need to be established out-of-band. This is similar to using
email addresses for identification and authentication purposes (an established
practice for most sites that offer services to the public).

The client certificate will be signed by a fake CA. This allows servers to
specifically ask for the client certificate created by Browse (by presenting
an accepted CAs list with the fake CA in it) while preventing confusing
"Select client certificate" pop-ups for other browsers. Publishing the CA
private key is not a risk because it's only used to influence the selection
of the client certificate, not for any kind of trust decision.

One aspect that still needs some consideration is XSS (cross-site scripting)
attacks. Content from a third party website could cause the browser to connect
to a web site using SSO with the client certificate. The browser would
automatically present the certificate to the server and thus potentially
authorise any action that the remote site tries to trigger.

Additional dependencies:
- openssl executable
- certutil and pk12util executables
Signed-off-by: Sascha Silbe sascha-...@silbe.org
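An added example, not code from this patch or from Browse: it demonstrates the server-side consequence of the design above, namely that the pseudo-CA can only select a certificate and must never authenticate one, because anyone holding the published key can mint a certificate for the same account id. It assumes the openssl CLI; the account id acct-7f3a, the file names and the function names are constructed here.

```shell
set -eu

# Pseudo-CA whose private key is public by design: it only drives the
# browser's certificate selection and must never be a trust anchor.
make_pseudo_ca() {  # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Browse SSO pseudo-CA (public key, selection only)" \
    -keyout "$1/pseudo-ca.key" -out "$1/pseudo-ca.pem" 2>/dev/null
}

# Client cert whose subject carries only an opaque account id, no PII.
issue_client_cert() {  # $1 = work dir, $2 = account id, $3 = basename
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/pseudo-ca.pem" \
    -CAkey "$1/pseudo-ca.key" -CAcreateserial -days 3650 -sha256 \
    -out "$1/$3.pem" 2>/dev/null
}

# The value a server records at enrolment (the out-of-band binding).
cert_fingerprint() {  # $1 = cert file; prints the SHA-256 fingerprint
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Chain validation alone succeeds for ANY cert minted with the public key.
chain_ok() {  # $1 = work dir, $2 = cert file
  openssl verify -CAfile "$1/pseudo-ca.pem" "$2" >/dev/null 2>&1
}

# Server-side check: the chain selects, the pinned fingerprint authenticates.
authenticate() {  # $1 = work dir, $2 = pinned fingerprint, $3 = presented cert
  chain_ok "$1" "$3" && [ "$(cert_fingerprint "$3")" = "$2" ]
}

# Enrol one account, then present a second cert minted for the same
# account id with the published key; prints "legit:yes impostor:no".
demo() {
  d=$(mktemp -d)
  make_pseudo_ca "$d"
  issue_client_cert "$d" "acct-7f3a" user
  pin=$(cert_fingerprint "$d/user.pem")
  issue_client_cert "$d" "acct-7f3a" impostor
  r1=no; authenticate "$d" "$pin" "$d/user.pem" && r1=yes
  r2=no; authenticate "$d" "$pin" "$d/impostor.pem" && r2=yes
  rm -rf "$d"
  echo "legit:$r1 impostor:$r2"
}

demo
```

The impostor certificate passes `openssl verify` against the pseudo-CA exactly as the legitimate one does; only the pinned fingerprint tells them apart.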
---
 browse-sso-pseudo-ca.cert.pem    |  20 +
 browse-sso-pseudo-ca.privkey.pem |  27 +
 cert8.db                         | Bin 65536 -> 65536 bytes
 key3.db                          | Bin 0 -> 16384 bytes
 secmod.db                        | Bin 0 -> 16384 bytes
 webactivity.py                   |  85 +
 6 files changed, 122 insertions(+), 10 deletions(-)
diff --git a/browse-sso-pseudo-ca.cert.pem b/browse-sso-pseudo-ca.cert.pem
new file mode 100644
index 000..fd9691a
--- /dev/null
+++ b/browse-sso-pseudo-ca.cert.pem
@@ -0,0 +1,20 @@
+-BEGIN CERTIFICATE-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+-END CERTIFICATE-
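Review bot: nothing visible in this hunk or the commit message records how the pseudo-CA certificate was generated (key size, digest, validity period, subject), so it cannot be regenerated reproducibly and its expiry date is not known to reviewers; please add the generating openssl invocation to the commit message or a README, and give the certificate a subject that states it is a selection-only CA that must never be installed as a trust anchor, so that an operator who finds the file later cannot mistake it for a real one.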
diff --git a/browse-sso-pseudo-ca.privkey.pem b/browse-sso-pseudo-ca.privkey.pem
new file mode 100644
index 000..64c135a
--- /dev/null
+++ b/browse-sso-pseudo-ca.privkey.pem
@@ -0,0 +1,27 @@
+-BEGIN RSA PRIVATE KEY-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
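Review bot: committing an unencrypted RSA private key ("BEGIN RSA PRIVATE KEY") makes this CA key public by design, so the argument in the commit message holds only as long as no relying party ever treats the pseudo-CA as a trust anchor: with this key anyone can issue a client certificate carrying any account id, and a server that accepts the chain as proof of identity would accept it. Please state that invariant next to the key (a comment or README line) and document that servers must authenticate the presented certificate by the public key or fingerprint recorded out-of-band at enrolment, using the accepted-CAs list only to trigger selection.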