[tor-talk] is Torbrowser more affected by webservers failing to send their complete certificate chain?

nusenu nusenu-lists at riseup.net
Tue Aug 7 23:14:00 UTC 2018

>> With the growing number of sites deploying HSTS, the impact is even bigger.
> While https adoption is related to impact, hsts isn't since it only applies
> once https is visited

did you notice the non-HSTS/HSTS distinction when trying to add an exception?

>> Should Torbrowser ship a few common interm. CAs by default? (like the letsencrypt issuing CAs)
> No. Because when LE gets compromised, then you have
> a million tbb's blindly trusting rogue / stolen certs, mitm, etc,

I'm not saying that interm. certificates should be shipped as root CAs

> If the admin won't fix it, then the user can add it manually.

telling people to manually import/trust certificates is a dangerous advice.
(and I believe most users will fail to do that on an HSTS enabled site)

> If the user isn't keeping state, or carrying cert on usb, that's
> their choice and problem

I disagree on blaming the user for a server side configuration issue


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20180807/765d1499/attachment-0001.sig>

More information about the tor-talk mailing list