Why would the BBC web site always ask for a personal certificate, and how do I avoid giving it away?

Question

After installing a CAcert personal certificate, every time I land on the BBC weather site it asks me to identify myself with a certificate.

Why would any non-malicious web site do that unless I've requested to sign in first? The weather report is visible, so it's not like authentication is needed for any content.
The certificate question is asked every time, and a single mistype would be enough to give them my certificate. Since I don't want that to happen, how do I tell browsers to never identify on this site with a certificate? "Remember this decision" on Firefox does not account for pressing Cancel.

Firefox screenshot: "Choose a certificate to present as identification"

I’m using HTTPS Everywhere.

Have you tried this with another browser? Or perhaps: Clear the entire browser cache, and check whether the behavior persists. I suspect your browser is keeping information that identifies you somehow (a token stored as a cookie or in local/session storage) to display the correct information (e.g. your preferred location to use in the weather service). — Steven Volckaert, Apr 16 '14 at 07:39
Let me guess, the problem disappears when you disable HTTPS Everywhere? (Or just when you disable the BBC option/rule in HTTPS Everywhere) — Adi, Apr 16 '14 at 08:13
i think this is a lack of firefox, you should ask them to implement a "remeber deny" option — Lesto, Apr 17 '14 at 10:08

score 47 · Accepted Answer · edited Jun 16 '20 at 09:49

You shouldn't really be worrying about this, the certificate contains only your public key, which is supposed to be public anyway. The only issue is the privacy concern of giving away the information in your certificate to any site that asks for it.

Summary of the issue:

The BBC weather page has a request to http://www.live.bbc.co.uk.
HTTPS Everywhere is changing the request to httpS://www.live.bbc.co.uk.
The HTTP server at www.live.bbc.co.uk is configured to ask for a client certificate for secure connections.
It's likely that BBC just want to identify their employees in order to show special functionalists in the page (Inline editing of the news articles, corrections, etc.)
Remember: By using HTTPS Everywhere, you're overriding the default behavior of the sites you're visiting. The problem you're having is the result of that. The quickest solution is to disable the HTTPS Everywhere rule/option for BBC.

How did I find this?

I dug in Wireshark a bit when making a request to the weather page, and looked for who's sending me the Certificate Request TLS message. Voilà! (Credit to Daniel Kahn Gillmor for the idea)

BBC_Client_Cert

Why wasn't this message popping before?

Because before you configured your client certificate, Firefox had thought you're not interested in client authentication thing (After all, you had no certificates installed, so no point of giving you the option to choose one). Once you added one certificate, Firefox started thinking "Maybe my human does have a certificate for this site". The certificate can be valid for any number of domain if not explicitly specified. (Note: I'm not sure if it can even be explicitly specified)

How can I make it disappear?

You have a couple of options here. You can either disable the BBC rule in HTTPS Everywhere because t's only partially supported anyway (BBC doesn't officially have HTTPS enabled for normal browsing).

Another solution would be to configure your browser to automatically make the selection for you. From your browser's settings/options/configurations.

enter image description here

Why would any non-malicious web site do that unless I've requested to sign in first?

Convenience. Have a valid certificate? You're automatically logged in once you visit the site.

I want the dialogue to disappear but I do **not** want Firefox to give it a certificate - it can be used for tracking purposes. "Select one automatically" is therefore not the right thing to do. Otherwise very instructive answer. — l0b0, Apr 16 '14 at 09:09
@l0b0 There's nothing else you can do. Firefox will keep popping up asking you choose a certificate as long as the server is requesting one and you have one. Please note that the certificate only contains your public key. If you don't want this to happen, disable the BBC rule in HTTPS Everywhere. — Adi, Apr 16 '14 at 09:10
And else I guess you will have to find another weather website — Lucas Kauffman, Apr 16 '14 at 09:43
"You shouldn't really be worrying about this, the certificate contains only your public key, which is supposed to be public anyway." - this is incomplete, the client certificate may also contain your name, email and location (depending on the CA where you got this certificate from). Some people prefer not to get identified for everything. — Lekensteyn, Apr 16 '14 at 15:18
@Lekensteyn There are indeed privacy concerns. Sadly, there's nothing you can do. You either use separate browsers, tolerate the popups, disable client authentication altogether, or simply accept the current situation. Hopefully, this behaviour will be configurable at some point. At least, some addon/extension will help with that. I've edited my answer to include your response. — Adi, Apr 16 '14 at 15:23

score 0 · Answer 2 · answered Sep 25 '21 at 03:03

0

Someone enabled the "require SSL / Accept client certificate" option in the website controls (IIS Admin panel on windows) - this can be unchecked and still have https / server authentication for non payment enabled websites ie it enables anonymous logon. It was likely a configuration error - long since fixed. I answer this because I had an error and this post came up so I wanted to help another admin fix it faster.

answered Sep 25 '21 at 03:03

a web admin

1

Looking at the other answer and the time the question was asked (2014, where HTTPS where not that common for normal sites) I doubt that it was an error, but more that it was deliberately done as explained by the other answer. – Steffen Ullrich Sep 27 '21 at 04:09