Privacy and freedom
Tor Browser under Linux
The browser is available for different platforms (Android, macOS, Linux and Windows). Here we look at the settings under Linux (Ubuntu).
If you really want to use the Tor Browser to access sites that require "client authentication" with a certificate, you need to import a certificate. In the example, we want to access the URL "https://vc.edv-workshops.com" (the address does not exist).
If you have not imported a certificate, the error message "400 Bad Request - No requirred SSL certificate was sent" or "403 Forbidden" will appear when you try to access the address.
Importing certificates
Behind the Tor Browser is a Firefox ESR that uses its own certificate store.
If you try to import a client certificate, you will get the error message "The PKCS#12 operation failed for unknown reasons".
Solution: Deactivate the "Private Mode".
Tor Browser peculiarities that are exciting for the client certificates:
- The Tor Browser leaves certificates in memory and does NOT use the certificate database (cert9.db). This means that once imported certificates are discarded when the browser is closed.
- The Tor Browser starts in "pirate mode" by default. The "Private Mode" prevents the installation and use of "client certificates".
So there are two hurdles to setting the Tor Browser to "client authentication". Let's start with the "Private Mode".
Tor Browser - Disabling "private mode" to install client certificates into the Tor Browser
As long as the "Private Mode" is activated, "client certificates" cannot be imported. Therefore open the "Preferences" (2) via the "Hamburger menu" (1).
In the area "Privacy & Security" (3) you will find the item "Always use private browsing mode" (4). This option is activated by default.
Deactivate this option.
The Tor Browser will then need to be restarted. Click "Restart Tor Browser now".
After restarting, you can install the client certificate as you would in Firefox.
Import certificate in Tor Browser on Linux
To do this, click on the "Hamburger menu" (1) and then on Preferences (2).
Change to the "Privacy & Security" area (3) and search for "View Certificates..." at the bottom. (4).
In the "Certificate Management" dialog, switch to the "Your Certificates" tab (5) and then click on "Import..." (6).
Select the certificate file (*.p12) that you have previously saved (7) and then click on "Open" (8).
Enter the password of the certificate file that you received from your service provider (9) and then click OK (10).
The certificate will now be imported "without error message" (11).
Click on OK (12). The corresponding page can now be opened.
{xtypo_info}Please note that closing the Tor Browser will throw out some settings and the imported certificate as well.{/xtypo_info}
Calling the page (with imported certificate)
If the certificate is imported...
... the Tor browser also offers the certificate for authentication.
The website is displayed as expected.
Set the Tor Borwser to use its certificate store
To set the Tor Browser to use the local certificate database (cert9.db), you need to change the configuration.
{xtypo_alert}Please note that changing the setting (security.nocertdb from true to false) is not recommended. This is for security and anonymity. Changing the certificate store could cause security gaps!{/xtypo_alert}
Enter the URL about:config
in the address bar (1) and then click "I accept the risk!" (2).
In the settings, search for the entry "security.nocertdb" (for this I only enter "nocertdb" in the search field) (3). The matching entry appears, which is currently set to "true" (this tells the Tor Browser not to use the local certificate database).
Change the entry by using the right mouse button and the "toggle" item or by double-clicking on the "false" entry (4).
The entry must be set to "false" (5).
{xtypo_info}Information: The entry is not yet finished. After restarting, the Tor Browser will switch back to storing it in memory.{/xtypo_info}
Problems with the client certificates
If the client certificates cannot be used, this is usually due to "private mode".
If I deactivate the "Private Mode", the certificate is available and can be used.
OKAY. It is said, it's not recommended, but it works. Please form your own opinion about client certificates with the Tor browser.