[tor-talk] is Torbrowser more affected by webservers failing to send their complete certificate chain?

nusenu nusenu-lists at riseup.net
Tue Aug 7 23:14:00 UTC 2018



grarpamp:
>> With the growing number of sites deploying HSTS, the impact is even bigger.
>
> While https adoption is related to impact, hsts isn't since it only applies
> once https is visited

did you notice the non-HSTS/HSTS distinction when trying to add an exception?


>> Should Torbrowser ship a few common interm. CAs by default? (like the letsencrypt issuing CAs)
> 
> No. Because when LE gets compromised, then you have
> a million tbb's blindly trusting rogue / stolen certs, mitm, etc,

I'm not saying that interm. certificates should be shipped as root CAs

> If the admin won't fix it, then the user can add it manually.

telling people to manually import/trust certificates is dangerous advice.
(and I believe most users will fail to do that on an HSTS enabled site)

> If the user isn't keeping state, or carrying cert on usb, that's
> their choice and problem

I disagree on blaming the user for a server side configuration issue



-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
