Re: TLS logout in Firefox

Fri, 12 Mar 2010 21:12:50 -0800 

On 2010/03/11 09:37  PST, Robert Relyea wrote:
> On 03/11/2010 05:59 AM, Anders Rundgren wrote:
>> Hi,
>> I can't help it, but TLS client cert auth is really a very crappy system
>> when used in browsers. 

Anders, you've expressed that opinion before in this forum many times.
You're entitled to that opinion.  But the truth is that any badly
implemented scheme is crappy, regardless of the underlying technology.

>> I was a little bit surprised once when I logged
>> on to the Swedish tax department, then did logout, and returned still
>> being logged in!

A server that logs you out and doesn't clear your TLS session from its
server session cache is a badly designed server.  That's not a fundamental
flaw in TLS or in browsers, and could also happen with cookies or any other
scheme for caching session information.  So don't blame TLS or browsers for
a bad server implementation.  You won't earn any respect here when you do so.

>> Microsoft "solved" this years ago by offering a
>> document.execCommand('ClearAuthenticationCache')
>> non-standard extension.
>>
>> What non-standard quirky thing works in Firefox?

> The Microsoft thing is also non-standard. (and also not well documented
> -- which version of IE did it show up in?). You are right, we need a way
> to clear out the SSL cache. I know NSS provides a way to clear out the
> whole SSL cache. Ideally we should have a way to clear out just the
> 'current' SSL session without requiring new handshakes on connections
> with other servers.

Well, the problem is this vague notion of the "current SSL session".
You see a page.  It may have frames, each of which comes from a different
https server, and each frame may have multiple images or other components,
each of which comes from a different https server.  Your browser has an SSL
session established with each one of those servers.  When the user says "I
want to clear my current session", which of those SSL sessions
does he mean?

> Anyway if PSM does not expose a jave script method for accessing the
> clear cache command, I'm sure kai or myself would be happy to review a
> patch which does.

The crypto object offers a logout method that does it.
http://mxr.mozilla.org/security/source/security/manager/ssl/src/nsCrypto.cpp#2875

I see no browser code that calls SSL_InvalidateSession
http://mxr.mozilla.org/security/ident?i=SSL_InvalidateSession
-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to