
Re: [tor-talk] is Torbrowser more affected by webservers failing to send their complete certificate chain?




grarpamp:
>> With the growing number of sites deploying HSTS, the impact is even bigger.
>
> While https adoption is related to impact, hsts isn't since it only applies
> once https is visited

Did you notice the non-HSTS/HSTS distinction when trying to add an exception?


>> Should Torbrowser ship a few common interm. CAs by default? (like the letsencrypt issuing CAs)
> 
> No. Because when LE gets compromised, then you have
> a million tbb's blindly trusting rogue / stolen certs, mitm, etc,

I'm not saying that intermediate certificates should be shipped as root CAs.

> If the admin won't fix it, then the user can add it manually.

Telling people to manually import/trust certificates is dangerous advice.
(And I believe most users will fail to do that on an HSTS-enabled site.)

> If the user isn't keeping state, or carrying cert on usb, that's
> their choice and problem

I disagree with blaming the user for a server-side configuration issue.



-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk