[tbb-dev] How does Tor Browser treat locally-installed CA cert?

Tom Ritter tom at ritter.vg
Thu Jan 28 12:54:40 UTC 2016


On 28 January 2016 at 02:51, Linus Nordberg <linus at torproject.org> wrote:
> Tom Ritter <tom at ritter.vg> wrote
> Wed, 27 Jan 2016 10:10:56 -0600:
>
> | > Another question that I find interesting is if TB could do better
> | > regarding fingerprintability based on what TLS session the browser
> | > accepts.
> |
> | I'm not sure what you mean here, could you elaborate?
>
> A web server in possession of multiple valid cert chains could serve a
> connecting client one after the other in order to find out what's in the
> client's trust store and what's not. An unusual trust store is a
> potentially strong fingerprint.

It is.... but because TBB rewrites the trust store on every identity,
isn't it unlikely that the client actually _has_ a nonstandard trust
store? It's not like screen size or font fingerprinting where Firefox
gets its cue from the OS and it's persistent...

-tom
