Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#20461 closed enhancement (wontfix)

Ship “static cache” of intermediate CAs

Reported by: nicoo Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: nicoo Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


TBB produces certificate validation errors on incomplete certificate chains, which may “somewhat work” on other browsers due to intermediary CAs being present in caches.

This is problematic, as this leads users to expect certificate errors on certain sites and simply click-through, effectively teaching them terrible security practices.

We could ship, with TBB, a builtin list of “cached” intermediate CAs that are prevalent among misconfigured servers. This data can be obtained from TLS Observatory's data, according to ulfr.

Child Tickets

Change History (4)

comment:1 Changed 4 years ago by nicoo

Log of the (asynchronous) discussion about this on Mozilla/#security:

12:55:46           ⤷ │ ulfr: I wanted to enquire about using TLS Observatory data to find
                     │ specific misconfigurations (typically, incomplete cert chains) that lead
                     │ to cert errors in Tor Browser (which doesn't cache subCAs, since that ca
                     │ be used as a supercookie), and check if some Tor exit nodes (ab)use that
                     │ for stealthy MitM
12:56:56     freddyb │ (that's interesting. what wold also be interesting: a prepopulated subCA
                     │ cache)
12:57:09       nicoo │ freddyb: Oooh, great idea
12:57:47           ⤷ │ And TLS Obs data should have the most popular-amongst-broken-servers
                     │ subCAs
12:57:57           ⤷ │ (Let's Encrypt, anyone?)
13:02:03             │ nicoo hilights GeKo, as it is topically relevant
13:02:15       nicoo │ GeKo: Does this sound like a good/sane idea ?
14:27:43        ulfr │ nicoo: I don't capture that data directly (that would require a bit of
                     │ code to detect missing intermediates), but I can query for certs issued
                     │ by valid intermediates that have not passed validation.
14:28:17           ⤷ │ the query gets a bit complicated though
18:01:35        GeKo │ nicoo: why not? might be interesting to look at the data.
19:47:43       nicoo │ GeKo: I was more asking about pre-seeding the TBB with a intermediary CA
                     │ “cache” to avoid spurious cert validation errors with incomplete chains
                     │ (and avoid letting users get used to clicking through those)
19:54:20        ulfr │ or just automate intermediate retrieval using the AIA extension
20:24:41       nicoo │ ulfr: Wouldn't that be slow, without caching?
20:25:12           ⤷ │ (And with caching, I would assume the timing sidechannel can be used as a
                     │ supercookie)
20:39:13       Peng_ │ Downloading an intermediate or two would be kind of slow -- especially
                     │ over Tor -- but "untrusted issuer" error pages are infinity slow.
20:39:52           ⤷ │ Without caching? That sounds painful.
20:40:13       nicoo │ Peng_: And they teach users terrible security practices, hence why I want
                     │ to do something about it
20:40:15           ⤷ │ :V
20:46:35        ulfr │ there something to be said for not encouraging bad practices
20:46:47           ⤷ │ admins should learn to serve intermediates
20:49:18       nicoo │ ulfr: Yes, but I doubt that the TBB userbase is large enough to push
                     │ non-broken practices
20:49:50       nicoo │ OTOH, not “fixing” it (from a user perspective) seems like a security
                     │ issue to me.
20:49:44       Peng_ │ If Firefox were changed to hard fail instead of accepting
                     │ misconfiguration when the intermediate is already cached... ;-)
20:50:41       Peng_ │ Firefox is already being semi-forgiving and semi-encouraging bad
                     │ practices. But TBB can't afford to cache as generously and is getting the
                     │ short end of the stick.
-- Tue, 25 Oct 2016 --
06:39:36        GeKo │ nicoo: oh, okay. file a ticket on trac and get the discussion going?
06:39:54           ⤷ │ it seems worthwhile to think about

comment:2 Changed 4 years ago by nicoo

Cc: nicoo added

comment:3 Changed 3 years ago by gk

Resolution: wontfix
Status: newclosed

We talked a bit at CCC about this idea and I think we came to the conclusion to

1) Collect some data how prevalent that problem is
2) Try to reach the web site authors to fix that problem on their end

That's the way forward I hope as keeping track of new intermediate CAs to and/or to remove from the cache is no fun thing to do.

If the plan above does not help and the problem is quite widespread, let's reopen this ticket and let's think harder about the idea as a Tor Browser feature.

Note: See TracTickets for help on using tickets.