Tax-on-web with Debian and Firefox

In Belgium, we can fill out our tax form online on the Tax-on-web site using a smartcard reader and our electronic identity card. Unfortunately, things are rather complicated to set up, partly because the eID authentication is based on SSL renegotiation, a feature which is disabled by default in recent Firefox versions because it can be insecure. It is a bit disappointing that we have to rely on potentially vulnerable technologies to authenticate with our eID, but there is not much choice if you do not want to fill out the paper forms (or are too late, so that the electronic way is the only option).

First we need to make sure the smartcard reader works. I have a Dell Latitude E6400 laptop with a Broadcom smartcard reader, which is supported by the ccid driver, which is required by the pcscd package in Debian. Note that the Broadcom 5880 as delivered by Dell in its Latitude laptops has buggy firmware by default. You will need to update it by running a Windows tool. More information can be found on the ccid driver website or on the eID website. Note that Windows also suffers from this problem, so even if you use Windows, you might need to install this update.

If you are using the traditional USB smartcard reader distributed by the government, which is an ACS ACR38, you will need the acr38u driver.

# apt-get install pcscd pcsc-tools libacr38u

To verify that the smartcard reader is working correctly, start up pcsc_scan and insert a smartcard (your eID or even a credit card is fine). Some diagnostic information about the card you inserted should appear automatically in your console. Press ctrl-C to exit pcsc_scan.

Now that the smartcard reader is working, we need to install the middleware and the Firefox plug-in:

# apt-get install beidgui beid-mozilla-plugin

Start up Firefox and open the menu Tools – Preferences. Click on the Advanced section and open the Encryption tab. Now click on Security Devices and click on the Load button. Enter a name (for example beid), and enter the path to the beid pkcs11 module. On Debian Wheezy it is /usr/lib/libbeidpkcs11.so.3.5.2. Be sure to check the filename, as it might be different if you are using another version. If you cannot find it, try running this in a terminal:

# find / -name "*beidpkcs11*"

This command can also be used on Mac OS X, where the configuration procedure is actually similar to Linux.

To check whether the middleware is working correctly, you can load up beidgui and let it read your eID.

Because tax-on-web uses SSL renegotiation, which is disabled by default in newer Firefox versions, we need to add an exception to Firefox's configuration. Type about:config in the URL bar, confirm that you will be careful, and look for the setting security.ssl.renego_unrestricted_hosts. Double-click on it, and enter the value ccff02.minfin.fgov.be
The exception then applies only to the hosts listed in this setting.

Now we need to make Firefox identify itself as version 3.5, otherwise the tax-on-web site will still complain that your browser is unsupported. Install the User Agent Switcher add-on, then in the Tools menu, under User Agent Switcher, click on Edit user agents and then on New user agent. Type Firefox 3.5 as the description, and in the user agent replace Firefox/5.0 by Firefox/3.5 and in the app version 5.0 by 3.5. Now go to taxonweb.be, and then go to the Tools menu and change your user agent to Firefox 3.5. Now you should be able to identify yourself with your eID card. After using the tax-on-web site, do not forget to set your user agent back to the default user agent.

Health insurance CM with eID

The health insurance organisation CM also offers the possibility to log in to its website with the eID. To make it work, you use the same procedure as above, with one difference: the security.ssl.renego_unrestricted_hosts setting should now also contain online.cm.be. You can add multiple hosts by separating them with a comma, so you can set it to ccff02.minfin.fgov.be,online.cm.be
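
To review later which hosts a profile exempts from the renegotiation protection, the following script is an added example (not part of the original post) that reads a prefs.js file and reports every entry other than the two hosts used above. The profile path in the usage comment is a placeholder, the sample prefs content is constructed, and treating the last matching user_pref() line as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: audit the renegotiation exemption list of a Firefox profile.
# Pref name and the two expected hosts are the ones used in the article.
PREF='security.ssl.renego_unrestricted_hosts'
EXPECTED='ccff02.minfin.fgov.be online.cm.be'

# Print the exempted hosts, one per line, lowercased and without whitespace.
# Assumption: the last user_pref() line for the pref is the effective one.
renego_hosts() {
  sed -n "s/^[[:space:]]*user_pref(\"$PREF\",[[:space:]]*\"\([^\"]*\)\");.*/\1/p" "$1" |
    tail -n 1 | tr ',' '\n' | tr -d ' \t\r' | tr 'A-Z' 'a-z' | sed '/^$/d'
}

# Print one finding per line. No output means only the expected hosts are exempt.
audit_profile() {
  renego_hosts "$1" | while IFS= read -r host; do
    # Anything that is not a plain hostname (wildcard, scheme, path) needs review.
    case "$host" in
      *[!a-z0-9.-]*) printf 'MALFORMED %s\n' "$host"; continue ;;
    esac
    # Exact match against the expected list; substrings do not count.
    case " $EXPECTED " in
      *" $host "*) ;;
      *) printf 'UNEXPECTED %s\n' "$host" ;;
    esac
  done
}

# Constructed sample of a prefs.js, not taken from a real profile.
sample_prefs() {
  cat <<'EOF'
user_pref("browser.startup.page", 3);
user_pref("security.ssl.renego_unrestricted_hosts", "ccff02.minfin.fgov.be, online.cm.be,intranet.example,*.fgov.be");
EOF
}

# Usage: sh audit.sh ~/.mozilla/firefox/<profile>/prefs.js
if [ -n "${1:-}" ]; then
  audit_profile "$1"
fi
```

On the constructed sample this reports intranet.example as UNEXPECTED and *.fgov.be as MALFORMED; both entries should be removed from the setting unless you added them deliberately.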

One thought on “Tax-on-web with Debian and Firefox”

  1. There is a much easier solution to use the Tax-On-Web service without all this mess about the card reader: use the printed tokens.
