[tor-talk] is Torbrowser more affected by webservers failing to send their complete certificate chain?
nusenu-lists at riseup.net
Tue Aug 7 23:14:00 UTC 2018
>> With the growing number of sites deploying HSTS, the impact is even bigger.
> While HTTPS adoption is related to impact, HSTS isn't, since it only applies
> once HTTPS is visited.
Did you notice the non-HSTS/HSTS distinction when trying to add an exception?
>> Should Torbrowser ship a few common interm. CAs by default? (like the letsencrypt issuing CAs)
> No. Because when LE gets compromised, then you have
> a million TBBs blindly trusting rogue / stolen certs, MITM, etc.
I'm not saying that interm. certificates should be shipped as root CAs.
> If the admin won't fix it, then the user can add it manually.
Telling people to manually import/trust certificates is dangerous advice.
(And I believe most users will fail to do that on an HSTS-enabled site.)
> If the user isn't keeping state, or carrying cert on usb, that's
> their choice and problem
I disagree with blaming the user for a server-side configuration issue.
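The server-side issue the thread is about, reproduced locally as an added example (not part of the original post): a throwaway root -> intermediate -> leaf chain is built with the openssl CLI, and a verifier that trusts only the root and does no AIA fetching (the situation of a browser with a fresh profile and no cached intermediates) rejects the leaf unless the intermediate is sent alongside it. It assumes `openssl` is on the PATH; all names and the temp directory are constructed.

```shell
#!/bin/sh
# Added example: demonstrates why a server that omits its intermediate CA
# fails verification for a client with no intermediate cache.
set -e
WORK=$(mktemp -d)

# Build root -> intermediate -> leaf (all constructed, throwaway keys).
make_chain() {
  cd "$WORK"
  # Root CA: the trust anchor a browser actually ships.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Root" -days 30 >/dev/null 2>&1
  # Intermediate CA, signed by the root, marked CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > inter.ext
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 30 -extfile inter.ext >/dev/null 2>&1
  # Leaf (server) certificate, signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 30 >/dev/null 2>&1
}

# verify_leaf [extra-chain-file]: validate the leaf against the root only,
# optionally with the extra (untrusted) certs a server would send in the
# handshake. Prints "ok" or "fail".
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" \
      >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" \
      >/dev/null 2>&1 && echo ok || echo fail
  fi
}
```

Running `make_chain` and then `verify_leaf ""` versus `verify_leaf "$WORK/inter.pem"` shows the leaf alone failing and the leaf plus intermediate passing; the same check against a live host is `openssl s_client -showcerts`, which prints exactly which certificates the server sent.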