Expanding Client Certificates in Firefox 75

Starting in version 75, Firefox can be configured to use client certificates provided by the operating system on Windows and macOS.

Background

When Firefox negotiates a secure connection with a website, the web server sends a certificate to the browser for verification. In some cases, such as corporate authentication systems, the server requests that the browser send a certificate back to it as well. This client certificate, combined with a signature from the private key corresponding to that certificate, allows the user to authenticate to the website.

These client certificates and private keys are often stored in hardware tokens or in storage provided by the operating system.

Using Firefox to access a client certificate stored on a hardware token typically involves loading a shared library written by either the vendor of the token or another third party into Firefox’s process. These third-party libraries can cause stability issues with Firefox and are concerning from a security perspective. For instance, a vulnerability in one of these libraries can potentially put Firefox users at risk.

Alternatively, Firefox can use client certificates that have exportable keys if they are manually saved to a file and then imported into a Firefox profile. Though this storage mechanism can be protected by a password, this option increases the potential for a private key to be compromised. Additionally, this method does not work at all for unexportable keys.

A New Approach

To address these issues, we have developed a library that allows Firefox to interface with certificate storage provided by the operating system. Rather than loading third-party libraries to communicate with hardware tokens, Firefox can delegate this task to the operating system. Also, instead of forcing the user to export client certificates and re-import them into their Firefox profile, Firefox can look for these certificates directly. In addition to protecting private keys, this new mechanism allows Firefox to make use of client certificates with unexportable keys.

Because this library is entirely new, we took the opportunity to select an implementation language that would allow us to access the low-level operating system APIs we needed while enforcing strong safety properties. Rust was the obvious choice to fill those needs.

Availability

This library is shipping as part of Firefox Desktop on Windows and macOS, starting with version 75. To enable it, set the about:config preference “security.osclientcerts.autoload” to true.
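To confirm the preference is actually in effect across profiles, the following added example (not Mozilla's code) audits a profile directory. It assumes the standard profile files prefs.js and user.js, and treats an unset preference as disabled because the post says it must be set to true; the profile names and contents are constructed.

```python
import re
import tempfile
from pathlib import Path

PREF = "security.osclientcerts.autoload"
# Matches lines such as: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line in a prefs file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def os_client_certs_enabled(profile_dir):
    """Return (enabled, source) for one profile directory.

    user.js is applied on top of prefs.js at startup, so it wins when both
    set the pref. If neither sets it, report False (assumed default: off).
    """
    value, source = None, "default"
    for name in ("prefs.js", "user.js"):  # later file overrides earlier
        path = Path(profile_dir) / name
        if path.is_file():
            prefs = parse_prefs(path.read_text(encoding="utf-8", errors="replace"))
            if PREF in prefs:
                value, source = prefs[PREF], name
    return value == "true", source

# Constructed sample profiles: {profile name: {file name: pref value}}
CONSTRUCTED = {"enabled.default": {"prefs.js": "true"},
               "overridden.default": {"prefs.js": "true", "user.js": "false"}}

def demo():
    """Write the constructed profiles to a temp directory and audit each."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for prof, files in CONSTRUCTED.items():
            d = Path(root) / prof
            d.mkdir()
            for fname, val in files.items():
                (d / fname).write_text(f'user_pref("{PREF}", {val});\n')
            results[prof] = os_client_certs_enabled(d)
    return results

if __name__ == "__main__":
    for name, (enabled, source) in demo().items():
        print(f"{name}: enabled={enabled} (from {source})")
```

The second constructed profile shows the case worth checking for: a user.js that silently turns the feature back off.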

For users running various flavors of Linux, the OpenSC project (https://github.com/OpenSC/OpenSC/wiki) can provide similar functionality.

We expect this feature to be of great benefit to our enterprise users who have previously gone to great lengths to configure Firefox to work in their environment.