[tor-talk] is Torbrowser more affected by webservers failing to send their complete certificate chain?

grarpamp grarpamp at gmail.com
Tue Aug 7 22:08:01 UTC 2018


> torbrowser stores/caches less data (including certs?) persistently.

> TLS error page in Torbrowser due to incomplete cert. chain:
> https://irtf.org/
>
> https://www.ssllabs.com/ssltest/analyze.html?d=irtf.org&s=2001%3a1900%3a3001%3a11%3a0%3a0%3a0%3a2c&hideResults=on&latest

> With the growing number of sites deploying HSTS, the impact is even bigger.

While https adoption is related to impact, hsts isn't since it only applies
once https is visited, not for first http connections via legacy links,
lazy browsertyping, scripts, split horizon web content, etc.

> Should Torbrowser ship a few common interm. CAs by default? (like the letsencrypt issuing CAs)

No. Because when LE gets compromised, then you have
a million tbbs blindly trusting rogue / stolen certs, mitm, etc,
and tbb won't ship and users won't update until after the
exploits are wild. At least as it is now they get warned every time.

This is a server admin issue plain and simple.
And perhaps also a CA's vs cert stores issue.

If the admin won't fix it, then the user can add it manually.
If the user isn't keeping state, or carrying cert on usb, that's
their choice and problem. They can just as easily search the
fingerprint, or memorize / create the cert's location, before
hitting accept.

If tbb users are really crying over this, tpo, or anyone, could publish
a cert file full of intermediate certs onsite, but probably won't because
it puts them on the hook exploit timewise. So OS, browsers and other
tools only ship / reference the primary cert stores.


Hey IRTF, the test results are embarrassing, especially for an
internet focused ietf internet society group like you, lern2admin.
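Added example, not part of the thread: the check a server admin (or a user who wants to know what to import before hitting accept) can run to see which intermediate the server leaves out. It assumes the `openssl` CLI is on PATH and that the CA bundle lives at a Debian-style path; the certificate names used in comments and tests are constructed, modelled on Let's Encrypt's naming.

```python
"""Report the issuer certificates a TLS server fails to send (needs `openssl` on PATH)."""
import pathlib
import re
import subprocess
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def fetch_served_chain(host, port=443):
    """Return the PEM certificates the server actually sends, in handshake order (needs network)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=20)
    return PEM_RE.findall(proc.stdout.decode(errors="replace"))


def names_of(pem):
    """Return (subject, issuer) of one PEM certificate in compact RFC 2253 form."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-nameopt", "RFC2253", "-subject", "-issuer"],
        input=pem.encode(), capture_output=True, check=True).stdout.decode()
    subject = re.search(r"^subject=(.*)$", out, re.M).group(1).strip()
    issuer = re.search(r"^issuer=(.*)$", out, re.M).group(1).strip()
    return subject, issuer


def chain_gaps(chain, trusted_roots):
    """chain: [(subject, issuer), ...] as served, leaf first; trusted_roots: set of root subjects.

    Walks the chain the way a strict client does (each cert must be certified by the next one,
    RFC 5246 7.4.2) and returns the issuer name the server left out. Empty list = complete.
    A client with no cached intermediates, e.g. a fresh Tor Browser, fails at the first gap;
    a browser that has cached the intermediate from an earlier visit sails through.
    """
    gaps = []
    for i, (subject, issuer) in enumerate(chain):
        if issuer == subject or issuer in trusted_roots:
            break                      # reached a self-signed root or a trusted root: done
        if i + 1 < len(chain) and chain[i + 1][0] == issuer:
            continue                   # next served cert is the issuer, keep walking up
        gaps.append(issuer)            # nothing served certifies this cert
        break
    return gaps


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.org"   # placeholder host
    bundle = pathlib.Path("/etc/ssl/certs/ca-certificates.crt").read_text()  # adjust per OS
    roots = {names_of(p)[0] for p in PEM_RE.findall(bundle)}
    served = [names_of(p) for p in fetch_served_chain(host)]
    missing = chain_gaps(served, roots)
    print(f"{host}: served {len(served)} cert(s); missing issuer: {missing or 'none'}")
```

Run as `python3 chaincheck.py irtf.org`; a non-empty "missing issuer" is the intermediate the admin has to append to the server's certificate file.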

