Tom Ritter tom@ritter.vg wrote Wed, 27 Jan 2016 10:10:56 -0600:
| > Another question that I find interesting is if TB could do better
| > regarding fingerprintability based on what TLS session the browser
| > accepts.
|
| I'm not sure what you mean here, could you elaborate?
A web server in possession of multiple valid cert chains could serve a connecting client one after the other in order to find out what's in the client's trust store and what's not. An unusual trust store is a potentially strong fingerprint.
Are there other attacks for using the trust store as a fingerprint? Are there ways for TB to protect against any of these?