[tor-talk] [Tails-dev] TAILS (Tor Linux distribution) contains extra root CAs ?

intrigeri intrigeri at boum.org
Fri Oct 18 12:49:37 UTC 2013


Anonymous Remailer (austria) wrote (17 Oct 2013 17:58:39 GMT) :
> I have a question:

@OP: first, it seems you have cross-posted this to at least tor-talk,
tails-dev and Full-Disclosure, without making it clear with an
explicit Cc:. This will painfully lead to various unlinked discussions
and will be a mess for us to address this question. So, please don't
do that next time, thanks in advance :)

I'm setting I-R-T and References headers to at least avoid breaking
the thread on tor-talk and tails-dev.

> Tor Browser Bundle - Firefox ESR 17.0.9 (LATEST TOR)
> Compared to: Iceweasel 17.0.9 (LATEST TAILS Linux distribution)

> To be found in Tails (not found in TBB), some additional certificates:

Thanks for carefully auditing this aspect of Tails.

> DigiCert Inc -> DigiCert High Assurance EV CA-1
> DigiCert Inc -> DigiCert High Assurance CA3
> GeoTrust Inc. -> Google Internet Authority G2
> StartCom Ltd. -> StartCom Class 2 Primary Intermediate Server CA
> The Go Daddy Group, Inc -> Go Daddy Secure Certification Authority
> The USERTRUST Network -> Gandi Standard SSL CA
> All these are listed as "Software Security Device" certificates.
> The others are "Builtin Object Token" and baked in the browser.

Tails ships NSS 2:3.14.3-1~bpo60+1 from Debian squeeze-backports.

If you are interested in investigating this any further, the next step
is to compare with the version of NSS that is shipped by (or linked
into, or something) the TBB.

> Question is: did TAILS add some extra CAs?

No, we don't add any CA to Tails.

  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
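
The comparison described in this message, as an added example that is not part of the original e-mail and is not code from the Tails or Tor projects: it parses two certificate listings and reports the entries present only in the first, split into built-in entries ("Builtin Object Token") and entries stored in the profile's own database (shown by the browser as "Software Security Device"). The listing layout is assumed to be the one printed by NSS `certutil -L -h all`; the two sample listings and the name "Example Root CA" are constructed.

```python
import re

BUILTIN_PREFIX = "Builtin Object Token:"
# A row is: nickname, 2+ spaces, three comma-separated trust-flag fields.
ROW = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

# Constructed sample listings (assumed certutil layout, not real output).
TAILS_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA          C,C,C
Google Internet Authority G2                  ,,
DigiCert High Assurance EV CA-1               ,,
"""
TBB_LISTING = """\
Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA          C,C,C
"""

def parse_listing(text):
    """Map nickname -> (token, trust flags); header and blank lines are skipped."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        nick = m.group("nick").strip()
        if nick.startswith(BUILTIN_PREFIX):
            token, nick = "builtin", nick[len(BUILTIN_PREFIX):]
        else:
            token = "software"  # stored in the profile's certificate database
        certs[nick] = (token, m.group("trust"))
    return certs

def only_in_first(first, second):
    """Nicknames present in `first` but not in `second`, grouped by token."""
    extra = {"builtin": [], "software": []}
    for nick in sorted(set(first) - set(second)):
        extra[first[nick][0]].append(nick)
    return extra

if __name__ == "__main__":
    extra = only_in_first(parse_listing(TAILS_LISTING), parse_listing(TBB_LISTING))
    for token, nicks in extra.items():
        for nick in nicks:
            print(f"{token:8}  {nick}")
```

Entries reported under `software` with empty trust flags (`,,`) are stored in the profile but are not marked as trusted roots; entries under `builtin` come from the NSS built-in module, so a difference there points at differing NSS versions.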
