On 28 January 2016 at 02:51, Linus Nordberg linus@torproject.org wrote:
Tom Ritter tom@ritter.vg wrote Wed, 27 Jan 2016 10:10:56 -0600:
| > Another question that I find interesting is if TB could do better | > regarding fingerprintability based on what TLS session the browser | > accepts. | | I'm not sure what you mean here, could you elaborate?
A web server in possession of multiple valid cert chains could serve a connecting client one after the other in order to find out what's in the clients trust store and what's not. An unusual trust store is a potentially strong fingerprint.
It is.... but because TBB rewrites the trust store on every identity, isn't it unlikely that the client actually _has_ a nonstandard trust store? It's not like screen size or font fingerprinting where Firefox gets its cue from the OS and it's persistent...
-tom