When navigating personal-certificate-protected CSAIL websites, Firefox stops repeatedly, asking you to manually "choose a certificate to use as identification."


The Firefox developers changed the default certificate setting from "select automatically" to "ask every time" because some countries issue certificates to all of their citizens, and automatic selection would allow people in those countries to be tracked, by name and ID number, without their consent.

For CSAIL users, both the impact and the probability of this information disclosure vulnerability are quite limited. The impact is limited because only your CSAIL email address and full name are stored in your certificate. The probability is limited because an attacker would have to specifically target and request CSAIL certificates, a rather small population.


To restore the previous Firefox behavior, open the Firefox preferences dialog (depending on your OS, this is Tools/Options, Edit/Preferences, or Firefox/Preferences), select the "Advanced" pane, then the "Encryption" tab, and change the setting back to "Select automatically".

-- ArthurProkosch - 31 Mar 2008
Topic revision: 17 Jul 2008, UnknownUser
