Browser slow to load new tabs when Nitrokey attached

I noticed that my browser lately sometimes gets very slow when opening a new tab and loading a new page. So slow, in fact, that the whole browser window is stuck until the site has finished loading completely. It has been sporadic and only today I was able to pinpoint the likely reason: the attached Nitrokey 3.
Upon inserting the key into my Fedora 41 machine, Firefox and Chromium start behaving as described. When I execute gpg --card-status to load the smartcard from the Nitrokey, the behavior stops. While the new page is loading, the green LED in the Nitrokey is flashing rapidly. As soon as the LED goes out, the new site finishes loading. After executing the GPG command, the LED does not turn on anymore while loading new pages.

Any ideas on what is happening here?

Further observations:
After inserting the Nitrokey and executing gpg --card-status I get

pcscd[6092]: 00014983 …/src/winscard.c:281:SCardConnect() Error Reader Exclusive

in my syslog when I open a new tab and load a web page in Firefox.
Vice versa when I insert the Nitrokey, open a new tab and load a web page first and then execute gpg --card-status, it fails with

gpg: selecting card failed: No such device

The troubleshooting section in the NK3 documentation did not help, unfortunately. But with pcsc_scan I was able to verify that using gpg --card-status sets the NK3 CCID card state to Card inserted, Exclusive Mode while Firefox sets it to Card inserted, Shared Mode.

Did this happen before v1.8.0? v1.8.0 added the PIV application and for some reason, some browsers try to access it leading to the behavior you described. If you don’t use PIV, you can easily fix this by disabling the PIV application:

$ nitropy nk3 set-config piv.disabled true

Yes, it did. I tried disabling the PIV application but it does not make a difference. The browser continues to put the smartcard into shared mode, blocking gpg from accessing it, and new page loads are still slow.
For some reason putting disable-ccid in ~/.gnupg/scdaemon.conf doesn’t make any difference, unfortunately. To my understanding this is supposed to fix this. The blocking can be circumvented by enabling pcsc-shared but that doesn’t fix the slow page loads.

I see. In some Firefox setups, there is a p11-kit-proxy module that tries to connect to Nitrokeys. You should find it under Settings → Privacy & Security → Security Devices. Removing it from that view could also fix the problem.

That seems to be it! At least Firefox is no longer affected, didn’t try Chromium yet. To make it permanent, I had to edit the opensc.module config of p11-kit as described here: https://support.mozilla.org/en-US/questions/1412508 Otherwise the module was added again when starting a new Firefox instance.
Thanks!

That kind of explains it, but does not fix it. I understand that NSS (the library behind Smartcard support) tries to enumerate the devices - the question is - why is it that slow?

If you install nss and its command line tools, is running certutil -U also that slow?

Good question. I’ve never been able to reproduce the problem locally so I don’t know what exactly is going on there.


I have no idea what would be a fast or slow run of certutil but here are timings for executions with and without the Nitrokey attached:

$ time certutil -U -d test

slot: NSS User Private Key and Certificate Services

token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

slot: NSS Internal Cryptographic Services

token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
certutil -U -d test 0.01s user 0.00s system 52% cpu 0.027 total

$ time certutil -U -d test

slot: NSS User Private Key and Certificate Services

token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

slot: NSS Internal Cryptographic Services

token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

slot: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00

token: OpenPGP card (User PIN (sig))
uri: pkcs11:token=OpenPGP%20card%20(User%20PIN%20(sig));manufacturer=OpenPGP%20project;serial=xxxxxx;model=PKCS%2315%20emulated

slot: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00

token: OpenPGP card (User PIN)
uri: pkcs11:token=OpenPGP%20card%20(User%20PIN);manufacturer=OpenPGP%20project;serial=xxxxxx;model=PKCS%2315%20emulated
certutil -U -d test 0.01s user 0.02s system 1% cpu 2.269 total

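Added example, not written by any poster in this thread: a small Python parser for `certutil -U` output like the second run above. It decodes each PKCS#11 URI (RFC 7512) and lists the tokens that NSS sees beyond its own software slots. The function names and the "manufacturer is not Mozilla Foundation" heuristic are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Sample input: slot/token/uri lines copied from the second run above (one NSS slot kept).
SAMPLE = """\
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
token: OpenPGP card (User PIN (sig))
uri: pkcs11:token=OpenPGP%20card%20(User%20PIN%20(sig));manufacturer=OpenPGP%20project;serial=xxxxxx;model=PKCS%2315%20emulated
slot: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
token: OpenPGP card (User PIN)
uri: pkcs11:token=OpenPGP%20card%20(User%20PIN);manufacturer=OpenPGP%20project;serial=xxxxxx;model=PKCS%2315%20emulated
"""

def parse_pkcs11_uri(uri):
    """Split an RFC 7512 PKCS#11 URI path into percent-decoded attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]   # ignore query attributes
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        attrs[key] = unquote(value)
    return attrs

def parse_slots(text):
    """Group 'slot:' / 'token:' / 'uri:' lines into one dict per slot entry."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(slot|token|uri):\s*(.*\S)\s*$", line)
        if not m:
            continue                      # blank lines, prompt, `time` summary
        key, value = m.groups()
        if key == "slot":
            entries.append({"slot": value})
        elif entries:
            entries[-1][key] = parse_pkcs11_uri(value) if key == "uri" else value
    return entries

def external_tokens(entries):
    """Tokens not provided by NSS's built-in software modules (assumed heuristic)."""
    return [e for e in entries
            if e.get("uri", {}).get("manufacturer") != "Mozilla Foundation"]

if __name__ == "__main__":
    for e in external_tokens(parse_slots(SAMPLE)):
        print(e["slot"], "->", e["token"], "| model:", e["uri"]["model"])
```

Comparing the result with and without the key attached, alongside the `time` totals, shows which reader slots an external PKCS#11 module adds to NSS's enumeration.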