Client Certificate Selection Prompt

The HTTPS protocol allows a secure server to request that the client prove its identity with a client certificate during the initial TLS handshake. By presenting a client certificate, the browser demonstrates possession of a private key that never leaves the client, which authenticates the user to the web server more strongly than a username and password alone and makes man-in-the-middle attacks harder.

Internet Explorer’s behavior when prompting for a certificate has changed in IE8, and in this post, I’ll quickly summarize what’s new.

When the server requests a certificate, the user may be shown a prompt dialog asking which certificate they would like to send. URLACTION_CLIENT_CERT_PROMPT (0x1A04) controls the browser’s prompting behavior. By default, the URLAction is set to Enable in the Local Machine and Intranet zones, and Disable in the Internet, Trusted, and Restricted zones. 

When set to Enable:

  • If the user has no suitable client certificates, no prompt is shown, and no certificate is sent to the server
  • If the user has only one suitable client certificate, no prompt is shown, and that certificate is sent to the server
  • If the user has multiple suitable client certificates, the certificate selection prompt is shown

When set to Disable:

  • If the user has one or more suitable client certificates, the certificate selection prompt is shown (even when there is only one)
  • If the user has no suitable client certificates, the behavior depends on the version:

…in IE6 and IE7:

  • An empty certificate selection prompt is shown

…in IE8:

  • No prompt is shown, and no certificate is sent to the server

Within the Tools > Internet Options > Security > Custom Level… UI, the explanatory text has been changed. In IE6 and IE7, it reads:

Do not prompt for client certificate selection when no certificates or only one certificate exists.

In IE8, it now reads:

Don't prompt for client certificate selection when only one certificate exists.

So, why was a change made for IE8? It turns out that a lot of servers would like to use a client certificate if one is available and, if not, fall back to having the user log in using HTML form/cookie-based authentication. The empty certificate selection dialog confused users and was only useful to indicate (in a very obtuse way) that the server would have liked to receive a client certificate but none was available.

Savvy readers might be wondering “Why does this URLAction need to exist in IE8? Now, the only difference between Enable and Disable is the behavior when the user has only one certificate... Why not just send that certificate?”

The answer is “privacy.” While the server receiving the certificate doesn’t get the user’s private key, it does get all of the other information that is in that certificate. Such information often includes the user’s full name, and might include their phone number, email/physical address and other personally-identifiable information. If the browser automatically sent a certificate to any site that asked for it, a significant privacy breach would occur.

If the user wants to configure their browser to automatically send a certificate to a non-Intranet zone server, they can add the desired site to the Trusted list, and set the URLAction in the Trusted zone to Enable.
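The zone defaults described above and the "add the site to Trusted, then set the URLAction to Enable" procedure both come down to registry values, so here is an added PowerShell example (written for this post's editing pass; it is not code from the original post or from the IE team) that reports the effective 0x1A04 setting per zone and then performs the Trusted-zone configuration. It assumes the standard per-user layout (`HKCU\...\Internet Settings\Zones\<n>` with a DWORD named `1A04`, where 0 = Enable, 1 = Prompt, 3 = Disable, and a missing value meaning IE's built-in default applies), that Group Policy overrides live under the `Policies` hive keys, and that a site is mapped into the Trusted zone by writing `https = 2` under `ZoneMap\Domains`. The site name `example.com` is a placeholder.

```powershell
# Added example: inspect and set URLACTION_CLIENT_CERT_PROMPT (0x1A04) per IE security zone.
# Assumptions (not from the original post): per-user settings under HKCU\...\Zones\<n>, value "1A04",
# 0 = Enable, 1 = Prompt, 3 = Disable; Group Policy values under the Policies keys take precedence;
# Trusted-zone membership is a ZoneMap\Domains entry with an "https" DWORD of 2.

$ZonesKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyKeys  = @('HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
                 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones')
$ZoneMapKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$UrlAction   = '1A04'   # URLACTION_CLIENT_CERT_PROMPT

$ZoneNames   = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$ActionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ClientCertPromptSetting {
    # Report the effective 0x1A04 value for each zone, noting whether policy or the user set it.
    foreach ($zone in 0..4) {
        $value  = $null
        $source = 'IE built-in default'
        foreach ($root in ($PolicyKeys + $ZonesKey)) {
            $item = Get-ItemProperty -Path (Join-Path $root "$zone") -Name $UrlAction -ErrorAction SilentlyContinue
            if ($null -ne $item) {
                $value  = [int]$item.$UrlAction
                $source = if ($root -like '*\Policies\*') { 'Group Policy' } else { 'User setting' }
                break
            }
        }
        if ($null -eq $value)                       { $setting = '(not set)' }
        elseif ($ActionNames.ContainsKey($value))   { $setting = $ActionNames[$value] }
        else                                        { $setting = "unknown ($value)" }

        [pscustomobject]@{
            Zone    = "$zone ($($ZoneNames[$zone]))"
            Setting = $setting
            Source  = $source
        }
    }
}

function Add-TrustedClientCertSite {
    # Map a host into the Trusted zone (2) for https, then set 0x1A04 = Enable in that zone so a
    # single suitable certificate is sent without a prompt. A host such as www.example.com is stored
    # as Domains\example.com\www, per the ZoneMap convention.
    param([Parameter(Mandatory)][string]$HostName)

    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { throw "Expected a dotted host name, got '$HostName'" }
    $domain  = ($labels[-2..-1]) -join '.'
    $siteKey = Join-Path $ZoneMapKey $domain
    if ($labels.Count -gt 2) {
        $siteKey = Join-Path $siteKey (($labels[0..($labels.Count - 3)]) -join '.')
    }

    New-Item -Path $siteKey -Force | Out-Null
    New-ItemProperty -Path $siteKey -Name 'https' -PropertyType DWord -Value 2 -Force | Out-Null

    $trustedKey = Join-Path $ZonesKey '2'
    New-Item -Path $trustedKey -Force | Out-Null
    New-ItemProperty -Path $trustedKey -Name $UrlAction -PropertyType DWord -Value 0 -Force | Out-Null
}

# Usage: show the current state, then trust a placeholder site and re-check.
Get-ClientCertPromptSetting | Format-Table -AutoSize
Add-TrustedClientCertSite -HostName 'www.example.com'   # placeholder host
Get-ClientCertPromptSetting | Where-Object Zone -like '2 *'
```

Two caveats for anyone running this: a Group Policy value under the `Policies` keys is reported as the effective setting because IE honors it over the user's own value, so changing the user value will not help on a policy-managed machine; and the Trusted zone's Enable only removes the prompt for the single-certificate case, which is exactly the privacy trade-off the post describes, so restrict it to sites you actually want to receive the certificate's identifying fields.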

-Eric

PS: At some later time, I’ll probably elaborate on what specifically “suitable client certificate” means, because that question comes up a lot.