[tor-bugs] #20461 [Applications/Tor Browser]: Ship “static cache” of intermediate CAs

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Oct 25 16:39:17 UTC 2016


#20461: Ship “static cache” of intermediate CAs
--------------------------------------+--------------------------
 Reporter:  nicoo                     |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by nicoo):

 Log of the (asynchronous) discussion about this on Mozilla/#security:

 {{{
 12:55:46           ⤷ │ ulfr: I wanted to enquire about using TLS Observatory data to find specific misconfigurations (typically, incomplete cert chains) that lead to cert errors in Tor Browser (which doesn't cache subCAs, since that can be used as a supercookie), and check if some Tor exit nodes (ab)use that for stealthy MitM
 12:56:56     freddyb │ (that's interesting. what would also be interesting: a prepopulated subCA cache)
 12:57:09       nicoo │ freddyb: Oooh, great idea
 12:57:47           ⤷ │ And TLS Obs data should have the most popular-amongst-broken-servers subCAs
 12:57:57           ⤷ │ (Let's Encrypt, anyone?)
 13:02:03             │ nicoo hilights GeKo, as it is topically relevant
 13:02:15       nicoo │ GeKo: Does this sound like a good/sane idea ?
 14:27:43        ulfr │ nicoo: I don't capture that data directly (that would require a bit of code to detect missing intermediates), but I can query for certs issued by valid intermediates that have not passed validation.
 14:28:17           ⤷ │ the query gets a bit complicated though
 18:01:35        GeKo │ nicoo: why not? might be interesting to look at the data.
 19:47:43       nicoo │ GeKo: I was more asking about pre-seeding the TBB with an intermediary CA “cache” to avoid spurious cert validation errors with incomplete chains (and avoid letting users get used to clicking through those)
 19:54:20        ulfr │ or just automate intermediate retrieval using the AIA extension
 20:24:41       nicoo │ ulfr: Wouldn't that be slow, without caching?
 20:25:12           ⤷ │ (And with caching, I would assume the timing sidechannel can be used as a supercookie)
 20:39:13       Peng_ │ Downloading an intermediate or two would be kind of slow -- especially over Tor -- but "untrusted issuer" error pages are infinitely slow.
 20:39:52           ⤷ │ Without caching? That sounds painful.
 20:40:13       nicoo │ Peng_: And they teach users terrible security practices, hence why I want to do something about it
 20:40:15           ⤷ │ :V
 20:46:35        ulfr │ there's something to be said for not encouraging bad practices
 20:46:47           ⤷ │ admins should learn to serve intermediates
 20:49:18       nicoo │ ulfr: Yes, but I doubt that the TBB userbase is large enough to push non-broken practices
 20:49:50       nicoo │ OTOH, not “fixing” it (from a user perspective) seems like a security issue to me.
 20:49:44       Peng_ │ If Firefox were changed to hard fail instead of accepting misconfiguration when the intermediate is already cached... ;-)
 20:50:41       Peng_ │ Firefox is already being semi-forgiving and semi-encouraging bad practices. But TBB can't afford to cache as generously and is getting the short end of the stick.
 -- Tue, 25 Oct 2016 --
 06:39:36        GeKo │ nicoo: oh, okay. file a ticket on trac and get the discussion going?
 06:39:54           ⤷ │ it seems worthwhile to think about
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20461#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online