Client authentication on the web is apparently very difficult to do. Many companies and governments are trying to make secure systems, which normal people can still figure out how to use, with varying degrees of luck.
On Planet Mozilla alone, David Eaves has talked about how Canada does it, and Gen Kanai has described how it works in South Korea.
In Denmark, where I live, the government started on July 1, 2010 to roll out a new system, which they expect to have replaced the old one completely by the end of the year. The new system is supposed to be much better than the old one. But is it?
TDC Digital Signatur
The old system, named TDC Digital Signature (TDC, a telecom operator, was the contractor for the system), was a Public Key Infrastructure based on SSL Client Certificates.
The problem with SSL Client Certificates is that they are ridiculously difficult to use in Internet Explorer, and they are much much worse in Firefox.

The prompt to use a client certificate on a website in Firefox is so difficult to understand that I am really puzzled about how the developers could even come up with it!
In order to overcome some of the issues of handling SSL Client Certificates in Firefox, TDC built a system for offloading the certificate handling in the Windows version of Firefox to Internet Explorer, which has much better usability, even if still crappy (Linux and Mac users have to live with the Firefox interface). This, however, exposed even more bugs in Firefox.
And this description is only for the case where the client certificate is stored and managed within the browser's certificate database, where it is locked to a particular computer and browser. Once you want to go mobile or protect your key from malware, you put your key on a hardware token (like a USB pen). A hardware token is also much easier to understand and thus protect for non-security experts, than the abstract concept of a certificate stored on your computer. But when using a hardware token, the setup in browsers becomes even more complicated.
The conclusion is that even though SSL Client Certificates are a standardized technology supported in all major browsers, they are sadly just not ready for mass usage.
Because of the big pile of technical problems with SSL Client Certificates, the TDC Digital Signature gained little popularity. I cannot find a reference now, but I believe that at no time during this solution's lifespan did more than 10% of Danish citizens have a certificate. The lack of a broadly deployed and easy to use authentication system has countless times been cited as the most dominating factor in preventing digitalization of the Danish public sector, at the cost of billions.
NemID
When the contract with TDC expired, a new public procurement was made, which PBS, in the form of its subsidiary DanID, won. PBS is the company responsible for the Danish credit card system and is owned by all Danish banks.
Online banking
Online banking sites worldwide have in the past been notoriously IE-only. This was also the case in Denmark. They have, however, improved ... by moving from ActiveX to Java. But the Java solutions have also been the cause of much trouble and technical difficulty. Some bank systems are based on private keys stored on the client in a proprietary format (as opposed to open SSL Client Certificates) and loaded using Java, some are based on a hardware token generating one-time keys to be entered together with a username and password in a Java applet, and yet others are based on one-time keys on a paper card, also entered with a username and password in a Java applet.
NemID
The new system from PBS/DanID, named NemID (the English translation is EasyID), is one solution for all of them. All bank sites and all public sites in Denmark will now use the same login. It is supposed to be much easier to use, and since it is one shared solution, a lot more Danish citizens are expected to get one from their bank, thus allowing for a re-ignition of public sector digitalization.
Now that NemID has been out since July 1, what does it look like? Well, you first enter a personal username and password. Next you are asked to enter a specific one-time key, a short number, from a little credit card sized paper card.

Sounds fair enough? Maybe, but here comes the pile of problems.
Legal issues
DanID won a public procurement for making a Public Key Infrastructure (PKI), and according to DanID themselves, NemID is just that. However, many security experts as well as many casual IT people (myself included) fail to see how a username, a password and a one-time key from a paper card can be a PKI. Instead it sounds like a much simpler Single Sign-On (SSO) solution.
NemID may be a good solution by itself, but as a PKI it is rubbish. An SSO and a PKI have very different security characteristics, and it is important to understand the differences between them when you deploy them. If a public agency deploys NemID thinking it is a PKI, it risks building a very insecure system.
I don't know why they insist that it is a PKI. They claim that somewhere on a central server, a "private key" is stored for each citizen. They also claim that in a couple of years, you may be able to have your key locally on a hardware token. But until then, all these keys are only stored on the central server. I fail to see how that makes NemID a PKI.
One reason for their claim may be that the original public procurement was for a PKI, and had they delivered an SSO instead (which is arguably what the government actually wanted), they would most likely have been forced to redo the public procurement according to EU procurement law, at the cost of millions and a delay of possibly years. But this is purely my own speculation. Their real reason for calling it a PKI is unknown to anybody but themselves.
Startup issues
Since its launch on July 1, NemID has had some startup problems. First the server was overloaded on day one, and then people discovered they couldn't use it for anything yet, as none of the bank sites and public sites had added support for it. Also, once the ID is ordered, it must be activated for bank sites and for public sites independently, which they failed to tell anyone. Lesson: Do not make a big campaign with TV and newspaper ads before your service is up and running.
DanID also reacts slowly to technical problems. Some time ago I told them that parts of their site were only accessible in IE due to an HTTP Content-Type header set to text/plain when it should have been text/html. They fixed it in the spring, a year later, when the press took up the issue.
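The header problem described above can be checked for mechanically. The following Go program is an added example, not DanID's code or anything from the original post. It feeds a constructed HTTP response (the sample page and headers are made up for this example) through Go's standard library and compares the declared Content-Type with what a browser-style content sniffer derives from the body. An HTML document served as text/plain is exactly the case the post describes: a browser that sniffs, as IE did, renders the page, while a browser that honours the header shows the source as plain text.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"mime"
	"net/http"
	"strings"
)

// CheckContentType parses one raw HTTP response and reports the declared media type,
// the media type Go's WHATWG-style sniffer (http.DetectContentType) derives from the
// body, and whether the two disagree. Parameters on the media type (charset etc.)
// are stripped before comparing.
func CheckContentType(raw string) (declared, sniffed string, mismatch bool, err error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return "", "", false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", "", false, err
	}
	declared, _, err = mime.ParseMediaType(resp.Header.Get("Content-Type"))
	if err != nil {
		// A missing or malformed header is reported rather than guessed at.
		return "", "", false, fmt.Errorf("bad Content-Type header: %w", err)
	}
	sniffed, _, _ = mime.ParseMediaType(http.DetectContentType(body))
	return declared, sniffed, declared != sniffed, nil
}

// response builds a constructed HTTP/1.1 response for this example; it is not
// captured from any real site.
func response(contentType, body string) string {
	return fmt.Sprintf("HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n%s",
		contentType, len(body), body)
}

// samplePage is a constructed HTML login page body used as the sniffer input.
const samplePage = "<!DOCTYPE html>\n<html><body><h1>Log ind</h1></body></html>\n"

func main() {
	for _, ct := range []string{"text/plain", "text/html; charset=utf-8"} {
		declared, sniffed, mismatch, err := CheckContentType(response(ct, samplePage))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("declared=%-10s sniffed=%-10s mismatch=%v\n", declared, sniffed, mismatch)
	}
}
```

Run against the two constructed responses, the text/plain one is flagged as a mismatch (declared text/plain, sniffed text/html) and the text/html one is not. The same function can be pointed at a captured response from a server you operate to catch this class of misconfiguration before users notice it.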
Technical issues
Going through a more in-depth analysis of NemID as seen by the user, the first thing you see when trying to log in to a public or bank site is that you need Java installed. What? Why can they, in 2010, not figure out how to make a simple login form using open web standards? What were they thinking of when they made this? In fact I am not sure this is even legal. A few years ago a law demanding the use of open standards in the public sector was passed, and a government agency maintains a list of allowed open standards. I don't think Java is on that list.

Ok, so I enable Java and try again. I am now greeted by this dreadful Java Security Warning dialog. Again, what are they doing?!! First a little about the Java dialog itself, which is not related to NemID: If you didn't know it, could you guess what it asks about? I looked it up, and it seems that pressing Run will run the Java applet with the full privileges of the user running Firefox on the operating system. That is, full access to all your files and settings. This is not at all obvious from reading the dialog. If you press Cancel instead, the applet will still run, but within the normal security sandbox like any other website. This is even less obvious from the dialog.
But enough about Java. I start by clicking Cancel in the dialog, as I see no reason why NemID should access my files. In the previous bank authentication system, where it needed to access my key file stored on my computer, I could see why it wanted this access, but not here, where you are only filling out a simple form with one text input and two password inputs.
Anyway, the applet fails to load because I clicked Cancel. Not only does it ask for access to my private computer, it also requires it. Very annoying, very troubling.
I then fire up a fresh Ubuntu virtual machine to test this without potentially compromising my computer. The VM doesn't have Java, so I install the openjdk plug-in. But I am out of luck here. The Java applet just fails to load, without any error message. Great. I uninstall openjdk and install sun-java6 instead, and after allowing the applet to run outside the sandbox, I am finally allowed to see the login form. Wow, very EasyID.
I have to admit that I had to stop testing NemID at this point. DanID recommends that if you have a Danish online banking agreement, you should wait until you get NemID automatically. The roll out happens from July to December 2010, and I haven't received mine yet.
Security issues
Another troublesome observation is the URLs of the sites where I am supposed to enter my details to log in. None of them (https://login.sikker-adgang.dk and https://netbank.danskebank.dk in my tests) seem to have anything to do with the NemID website (https://www.nemid.nu). So I am basically asked to enter my username, password and one-time key at any arbitrary internet address. This would have been fine, of course ... if NemID had been a PKI!
So to me, the login pages with the big fat Java security warning and the arbitrary address look very much like a big scam. And this is quite a problem. How is anyone supposed to spot the real phishing sites when the real sites behave as much like a phishing site as possible?
Privacy issues
Finally, NemID is not for public and bank sites only. Any private company can join and use NemID as the login on their site. Today I read in the newspaper that many private companies are standing in line to be part of NemID. Had NemID been a PKI, I would have no problem with that, because in a PKI the website and the client can authenticate without the entity that issued the client's certificate being involved. With NemID, the Danish government (in the form of its contractor, DanID) can follow me every time I use my NemID on any private company website. This is a serious privacy issue.
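To make the distinction drawn in the previous two sections concrete, here is an added Go example. It is not NemID's protocol or any DanID code, and every name in it (the two origins, the user, the password, the card values, the fixed key seed) is constructed. It models the two login styles the post contrasts: a shared secret (password plus paper-card key) that whichever page receives the form can pass on unchanged, against a client-held key that signs a server nonce together with the origin the browser actually connected to, checked with the public key alone. The explicit origin binding is an assumption made here to show the property in a few lines; real TLS client authentication gets the same effect by signing the handshake of the specific connection. The verification step also shows the privacy point: the relying site needs only the public key, so no issuer is contacted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Constructed origins for the example: the genuine login page and a look-alike
// page hosted at some other address.
const realOrigin = "https://netbank.example"
const lookalikeOrigin = "https://login-secure.example"

// ---------- Style 1: username + password + one-time key from a paper card ----------

// Credential is everything the user types into the form. Whoever operates the page
// the form is on receives it in full, whatever address that page lives at.
type Credential struct {
	User, Password, OTP string
}

// CardVerifier models the central server: it holds the same secrets the user holds.
type CardVerifier struct {
	passwords map[string]string
	unusedOTP map[string]map[string]bool // per user: card keys not yet spent
}

// NewCardVerifier returns a verifier loaded with constructed test data.
func NewCardVerifier() *CardVerifier {
	return &CardVerifier{
		passwords: map[string]string{"anna": "correct horse"},
		unusedOTP: map[string]map[string]bool{"anna": {"4711": true, "8150": true}},
	}
}

// Login accepts the credential if the password and an unspent one-time key match.
// Nothing here depends on which page the values were typed into.
func (v *CardVerifier) Login(c Credential) bool {
	pw, ok := v.passwords[c.User]
	if !ok || subtle.ConstantTimeCompare([]byte(pw), []byte(c.Password)) != 1 {
		return false
	}
	if !v.unusedOTP[c.User][c.OTP] {
		return false
	}
	delete(v.unusedOTP[c.User], c.OTP) // a one-time key is spent on first use
	return true
}

// CardLoginRelayed models the user filling in the form on the look-alike page and
// that page forwarding the values unchanged. It returns whether the real verifier
// accepts them: the one-time key protects against reuse, not against first use elsewhere.
func CardLoginRelayed() bool {
	typedOnLookalike := Credential{User: "anna", Password: "correct horse", OTP: "4711"}
	return NewCardVerifier().Login(typedOnLookalike)
}

// ---------- Style 2: a private key on the client signing an origin-bound challenge ----------

// ClientSign signs the server's nonce together with the origin the browser actually
// connected to. The private key never leaves the client; only the signature travels.
func ClientSign(priv ed25519.PrivateKey, connectedOrigin string, nonce []byte) []byte {
	msg := append([]byte(connectedOrigin+"\x00"), nonce...)
	return ed25519.Sign(priv, msg)
}

// VerifyAtServer checks the signature against the server's own origin and the nonce it
// issued, using only the public key from the user's certificate. No central key store
// and no issuer take part in this step.
func VerifyAtServer(pub ed25519.PublicKey, ownOrigin string, nonce, sig []byte) bool {
	msg := append([]byte(ownOrigin+"\x00"), nonce...)
	return ed25519.Verify(pub, msg, sig)
}

// KeyLogin runs the exchange with the browser connected to connectedOrigin while the
// verifying server is realOrigin, and returns whether the real server accepts it.
func KeyLogin(connectedOrigin string) bool {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero seed: deterministic test key only
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)

	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	sig := ClientSign(priv, connectedOrigin, nonce)
	// A page at another origin can forward sig and nonce, but cannot change what was signed.
	return VerifyAtServer(pub, realOrigin, nonce, sig)
}

func main() {
	fmt.Println("password+card typed on look-alike page, forwarded:", CardLoginRelayed()) // true
	fmt.Println("key login directly at the bank:", KeyLogin(realOrigin))                 // true
	fmt.Println("key login forwarded from look-alike page:", KeyLogin(lookalikeOrigin))  // false
}
```

The first line of output is the point of the post's "arbitrary address" complaint: with a shared secret, the address the form sits on is the only thing protecting the user, so the genuine pages must be easy to tell apart from fakes. The third line is why that complaint would not apply to a PKI: the signature is only valid for the origin the browser really talked to.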
Conclusion
All in all, I hope that NemID will cause an increase in new and improved public sector online self services, meaning fewer trips to the long waiting line at the city hall service office or other public agencies. I believe the basic idea of the solution is good, but I don't think it is being used in the right way right now. I am anxious to see what the future brings on this front.