[tbb-dev] How does Tor Browser treat locally-installed CA cert?

Linus Nordberg linus at torproject.org
Thu Jan 28 08:51:52 UTC 2016


Tom Ritter <tom at ritter.vg> wrote
Wed, 27 Jan 2016 10:10:56 -0600:

| > Another question that I find interesting is if TB could do better
| > regarding fingerprintability based on what TLS session the browser
| > accepts.
| 
| I'm not sure what you mean here, could you elaborate?

A web server in possession of multiple valid cert chains could serve a
connecting client one after the other in order to find out what's in the
client's trust store and what's not. An unusual trust store is a
potentially strong fingerprint.

Are there other attacks for using the trust store as a fingerprint?
Are there ways for TB to protect against any of these?
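As an added illustration (not part of the thread, and not Tor Browser code), the following toy model shows what the probing server described above actually observes and why a locally installed root makes a client stand out. Root names, the client population, and the `honor_local` switch are all constructed; the switch models the design choice the thread is asking about (validating against a fixed, shared root set versus also trusting roots installed on the machine) and is not a statement about how Tor Browser behaves.

```python
"""Toy model of trust-store fingerprinting via multiple valid chains.

A server holding several valid chains, each anchored in a different root,
observes one accept/reject bit per chain. The pattern of bits is a fingerprint
of the client's trust store. All names below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Constructed root names; none of these are real CAs.
BUNDLED_ROOTS: FrozenSet[str] = frozenset({"Root-A", "Root-B", "Root-C"})
LOCAL_ROOT = "Local-Inspection-Root"   # a root present only on some machines
ORPHAN_ROOT = "Root-Z"                 # a root nobody in this population trusts


def chain_for(root: str, leaf: str = "www.example.test") -> List[Cert]:
    """Constructed leaf -> intermediate -> root chain anchored in `root`."""
    return [Cert(leaf, root + "-Intermediate"), Cert(root + "-Intermediate", root)]


def chain_is_trusted(chain: Sequence[Cert], trust_store: FrozenSet[str]) -> bool:
    """Accept iff each issuer matches the next subject and the last issuer is a trusted root."""
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    return bool(chain) and chain[-1].issuer in trust_store


def probe_pattern(trust_store: FrozenSet[str],
                  chains: Sequence[Sequence[Cert]]) -> Tuple[bool, ...]:
    """Everything the server learns: which of its chains this client accepted."""
    return tuple(chain_is_trusted(c, trust_store) for c in chains)


def effective_store(bundled: FrozenSet[str], local_roots: FrozenSet[str],
                    honor_local: bool) -> FrozenSet[str]:
    """The root set the browser validates against (hypothetical switch).

    honor_local=True also trusts roots installed on the machine;
    honor_local=False validates against the shared bundled set only, so every
    client presents the same pattern to the probing server.
    """
    return bundled | local_roots if honor_local else bundled


def anonymity_sets(clients: Dict[str, FrozenSet[str]],
                   chains: Sequence[Sequence[Cert]],
                   honor_local: bool) -> Dict[Tuple[bool, ...], List[str]]:
    """Group clients by the pattern the server would see.

    A client alone in its group is uniquely fingerprinted by its trust store.
    """
    groups: Dict[Tuple[bool, ...], List[str]] = defaultdict(list)
    for name, local_roots in clients.items():
        store = effective_store(BUNDLED_ROOTS, local_roots, honor_local)
        groups[probe_pattern(store, chains)].append(name)
    return dict(groups)


# Constructed population: the extra roots each machine has installed locally.
CLIENTS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset(),
    "bob": frozenset(),
    "carol": frozenset({LOCAL_ROOT}),
}

# The server's probe set: one chain per root it wants to test for.
PROBE_CHAINS = [chain_for(r) for r in ("Root-A", "Root-B", LOCAL_ROOT, ORPHAN_ROOT)]

if __name__ == "__main__":
    for honor in (True, False):
        print(f"honor_local={honor}:")
        for pattern, names in anonymity_sets(CLIENTS, PROBE_CHAINS, honor).items():
            print("  ", pattern, "->", names)
```

With `honor_local=True`, carol is alone in her group because only her store accepts the `Local-Inspection-Root` chain; with `honor_local=False`, all three clients produce an identical pattern, which is the property a uniform trust store buys against this probe. The orphan root shows the flip side: a chain nobody accepts carries no information, so the probe is only as revealing as the variation in the population's stores.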

