> torbrowser stores/caches less data (including certs?) persistently.
> TLS error page in Torbrowser due to incomplete cert. chain:
> https://irtf.org/
>
> https://www.ssllabs.com/ssltest/analyze.html?d=irtf.org&s=2001%3a1900%3a3001%3a11%3a0%3a0%3a0%3a2c&hideResults=on&latest
> With the growing number of sites deploying HSTS, the impact is even bigger.

While https adoption is related to impact, hsts isn't, since it only applies
once https is visited, not for first http connections via legacy links, lazy
browsertyping, scripts, split horizon web content, etc.

> Should Torbrowser ship a few common interm. CAs by default? (like the
> letsencrypt issuing CAs)

No. Because when LE gets compromised, then you have a million tbb's blindly
trusting rogue / stolen certs, mitm, etc, and tbb won't ship and users won't
update until after the exploits are wild. At least as it is now they get
warned every time.

This is a server admin issue plain and simple. And perhaps also a CA's vs
cert stores issue. If the admin won't fix it, then the user can add it
manually. If the user isn't keeping state, or carrying the cert on usb, that's
their choice and problem. They can just as easily search the fingerprint, or
memorize / create the cert's location, before hitting accept.

If tbb users are really crying over this, tpo, or anyone, could publish a cert
file full of intermediate certs onsite, but probably won't because it puts
them on the hook exploit timewise. So OS, browsers and other tools only ship /
reference the primary cert stores.

Hey IRTF, the test results are embarrassing, especially for an internet
focused ietf internet society group like you, lern2admin.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
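The thread's point is that a fresh Tor Browser session has no cached intermediates, so a server that sends only its leaf certificate fails validation there even though a browser that cached the issuing CA on an earlier visit still passes. The Go program below is an added illustration of that difference and is not code from the tor-talk thread or from the Tor Browser project. It builds a constructed three-tier PKI (root, issuing intermediate, leaf for the made-up host www.example.test) entirely in memory, then runs the same leaf through a client that trusts only the root, once with nothing cached and the server sending only the leaf, once with the intermediate cached from an earlier session, and once with the server sending the full chain as an admin should configure it. Only the first case fails; it is the one a first-time Tor Browser visitor hits. Function and type names (BuildDemoPKI, VerifyAsClient, DemoPKI) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed hierarchy for this example: the root a browser
// would ship, an issuing intermediate, and the server's leaf certificate.
type DemoPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// DemoHost is the made-up name carried in the constructed leaf certificate.
const DemoHost = "www.example.test"

// issue signs tmpl with the parent's key, or self-signs when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signerKey := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signerKey = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// caTemplate returns a CA certificate template with the constraints a
// verifier requires of any certificate that signs others.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildDemoPKI generates fresh keys and certificates for the three tiers.
func BuildDemoPKI() (*DemoPKI, error) {
	root, rootKey, err := issue(caTemplate("Example Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Example Issuing CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: DemoHost},
		DNSNames:     []string{DemoHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyAsClient models a TLS client that trusts only roots, remembers the
// intermediates it has cached from earlier sessions, and receives served from
// the server (leaf first, then whatever intermediates the admin configured).
// A fresh Tor Browser session corresponds to cached == nil.
func VerifyAsClient(served, cached []*x509.Certificate, roots *x509.CertPool, host string) error {
	if len(served) == 0 {
		return fmt.Errorf("server sent no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range served[1:] {
		inter.AddCert(c)
	}
	for _, c := range cached {
		inter.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(p.Root)
	cases := []struct {
		name           string
		served, cached []*x509.Certificate
	}{
		{"leaf only, fresh client (Tor Browser case)", []*x509.Certificate{p.Leaf}, nil},
		{"leaf only, client that cached the intermediate", []*x509.Certificate{p.Leaf}, []*x509.Certificate{p.Intermediate}},
		{"leaf + intermediate (correct server config)", []*x509.Certificate{p.Leaf, p.Intermediate}, nil},
	}
	for _, c := range cases {
		if err := VerifyAsClient(c.served, c.cached, roots, DemoHost); err != nil {
			fmt.Printf("%-50s FAIL: %v\n", c.name, err)
		} else {
			fmt.Printf("%-50s ok\n", c.name)
		}
	}
}
```

The second case is why an incomplete chain often goes unnoticed by the admin: their own browser has long since cached the issuing CA, so the site "works" for them while every first-time client without that cache gets the error page. The fix the thread calls for is the third case, serving the intermediate alongside the leaf.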