On Sun, Nov 20, 2011 at 1:26 PM, polishcode <[email protected]> wrote:
> I guess this is because the three have built in trust to intermediate > certificate (VeriSign Class 3 International Server CA - G3). > No, its most likely because they cache intermediate CAs they have seen from other sites in their store. I believe the NSS library which is used by Firefox and Chrome on Linux does this. Starting in 3.0 Android will do this in memory within a browser session, since some sites have come to expect this behavior at least within the same site. for eample, https://www.example.com HTML pages might include the full cert chain, but pages with resources such as images or javascript will have only the server cert, presumably to save the bandwidth of serving the full cert chain. However, Android still doesn't permanently save them and is unlikely too for the near future. -bri -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
