Friday, December 11, 2015

Why did the Doubleclick ad network need client certificates?

Why did ad network Doubleclick ask for digital client authentication certificates?

For several hours December 8, Google's Doubleclick ad network requested client authentication certificates when browsing to web properties that contained Doubleclick advertising.

In the physical world, you often conduct business with others face-to-face. If you do not personally know someone, you might rely on a trusted third party to vouch for the person's identity. That trusted third party might be a mutual friend, or it might be a government office that issues identification documents (passports, driver's licenses, state identification cards, school IDs, and the like).

Digital authentication certificates are the online equivalent of an identification card, using mathematical encryption algorithms to ensure that only the proper owner of a certificate is able to use it.

Generally, digital certificates are associated with a web server: you want to know that you are buying from and not from You don't have to provide your own certificate, because the web server (much like a brick-and-mortar store) is open to all visitors. In this case however, Doubleclick asked your browser for a digital certificate anyway.

The most likely cause is that the ad network inadvertently enabled mutual SSL authentication (though there has been no public confirmation of this). For home users, the only effect would generally be a pop-up message asking the user to install a certificate, as client authentication certificates are not common among home users.

Home users generally do not have a client certificate

Chances are this was an honest mistake, but it got me thinking: could the same approach be used deliberately for ill gain?

Many enterprises though do have client authentication certificates, so the user would instead see a popup asking them to select a certificate to use. Depending on the particulars of a company, these certificates might have contained email address, client hostnames, issuing server FQDNs, and (in Windows shops) information about Active Directory org unit structure. Sufficient information of this nature could be of minor benefit to an adversary conducting research on a target.

Deliberately using client authentication certificates to track users or gain insight into a corporation's network structure is hardly stealthy. I can't really imagine it being worthwhile given how noisy it is ... but still, it makes the creative juices flow.

Have any readers played with clever ways to use or abuse client authentication certificates?

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at), or hit me up on Twitter at @dnlongen

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.