14 DAY TRIAL // Firefox has a big problem with the way its intermediate certificate cache works because it can be tricked into leaking information to misconfigured servers, basically fingerprinting users even if they're using Private Browsing.
Security researcher Alexander Klink identified the data leak, and according to his evaluation, the issue could allow attackers to identify browsers operating in a sandbox for malware analysis and tell them apart from those used by regular people.
The way this works is that when starting a TLS session for HTTPS, a server that is configured correctly sends a visiting browser the intermediate CA and its server CA. A misconfigured server only sends the server CA and this sometimes happens with Firefox, because, as the researcher points out, both Chrome and Internet Explorer "magically" figure it out and there are no issues there. When the server only sends the server CA, the site will only load if the user already has the intermediate cached.
This problem usually appears when server admins don't implement HTTPS correctly, and it usually ends up in an error in the user's browser.
Private Browsing protections don't matter
Klink then notes that if a user's browser behaves differently depending on the server configuration, there might be a way to put that behavior to use to infer which intermediate certificates are in their cache and to create a user fingerprint by using this information.
In short, the bug would allow a third-party site to send a request, leading Firefox to leak the intermediate CAs from the cache. Not even Private Browsing mode saves users from this vulnerability.
The problem was reported to Mozilla back on January 27, and the company seems to be somewhat reluctant to implement the simplest solution without knowing what impact it would have. "The cleanest solution would obviously be to not connect to incorrectly configured servers, regardless of whether the intermediate is cached or not," Klink writes.
So, the researcher recommends people regularly clean up their profiles by creating fresh ones, cleaning them up from the Firefox UI or by using the certutil command line tool.