#20461: Ship “static cache” of intermediate CAs
--------------------------------------+--------------------------
 Reporter:  nicoo                     |      Owner:  tbb-team
     Type:  enhancement               |     Status:  new
 Priority:  Medium                    |  Milestone:
Component:  Applications/Tor Browser  |    Version:
 Severity:  Normal                    | Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Comment (by nicoo):

Log of the (asynchronous) discussion about this on Mozilla/#security:

{{{
12:55:46 ⤷       │ ulfr: I wanted to enquire about using TLS Observatory data to find specific misconfigurations (typically, incomplete cert chains) that lead to cert errors in Tor Browser (which doesn't cache subCAs, since that can be used as a supercookie), and check if some Tor exit nodes (ab)use that for stealthy MitM
12:56:56 freddyb │ (that's interesting. what would also be interesting: a prepopulated subCA cache)
12:57:09 nicoo   │ freddyb: Oooh, great idea
12:57:47 ⤷       │ And TLS Obs data should have the most popular-amongst-broken-servers subCAs
12:57:57 ⤷       │ (Let's Encrypt, anyone?)
13:02:03         │ nicoo highlights GeKo, as it is topically relevant
13:02:15 nicoo   │ GeKo: Does this sound like a good/sane idea?
14:27:43 ulfr    │ nicoo: I don't capture that data directly (that would require a bit of code to detect missing intermediates), but I can query for certs issued by valid intermediates that have not passed validation.
14:28:17 ⤷       │ the query gets a bit complicated though
18:01:35 GeKo    │ nicoo: why not? might be interesting to look at the data.
19:47:43 nicoo   │ GeKo: I was more asking about pre-seeding the TBB with an intermediary CA “cache” to avoid spurious cert validation errors with incomplete chains (and avoid letting users get used to clicking through those)
19:54:20 ulfr    │ or just automate intermediate retrieval using the AIA extension
20:24:41 nicoo   │ ulfr: Wouldn't that be slow, without caching?
20:25:12 ⤷       │ (And with caching, I would assume the timing sidechannel can be used as a supercookie)
20:39:13 Peng_   │ Downloading an intermediate or two would be kind of slow -- especially over Tor -- but "untrusted issuer" error pages are infinitely slow.
20:39:52 ⤷       │ Without caching? That sounds painful.
20:40:13 nicoo   │ Peng_: And they teach users terrible security practices, hence why I want to do something about it
20:40:15 ⤷       │ :V
20:46:35 ulfr    │ there's something to be said for not encouraging bad practices
20:46:47 ⤷       │ admins should learn to serve intermediates
20:49:18 nicoo   │ ulfr: Yes, but I doubt that the TBB userbase is large enough to push non-broken practices
20:49:50 nicoo   │ OTOH, not “fixing” it (from a user perspective) seems like a security issue to me.
20:49:44 Peng_   │ If Firefox were changed to hard fail instead of accepting misconfiguration when the intermediate is already cached... ;-)
20:50:41 Peng_   │ Firefox is already being semi-forgiving and semi-encouraging bad practices. But TBB can't afford to cache as generously and is getting the short end of the stick.
-- Tue, 25 Oct 2016 --
06:39:36 GeKo    │ nicoo: oh, okay. file a ticket on trac and get the discussion going?
06:39:54 ⤷       │ it seems worthwhile to think about
}}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20461#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online