grarpamp:
>> With the growing number of sites deploying HSTS, the impact is even bigger.
>
> While https adoption is related to impact, hsts isn't since it only applies
> once https is visited

Did you notice the non-HSTS/HSTS distinction when trying to add an exception?

>> Should Torbrowser ship a few common interm. CAs by default? (like the
>> letsencrypt issuing CAs)
>
> No. Because when LE gets compromised, then you have
> a million tbb's blindly trusting rogue / stolen certs, mitm, etc,

I'm not saying that interm. certificates should be shipped as root CAs.

> If the admin won't fix it, then the user can add it manually.

Telling people to manually import/trust certificates is dangerous advice.
(And I believe most users will fail to do that on an HSTS-enabled site.)

> If the user isn't keeping state, or carrying cert on usb, that's
> their choice and problem

I disagree on blaming the user for a server-side configuration issue.

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk