1
about:preferences#advanced -> Certificates -> ViewCert

In Firefox, I can add my own self-sign cert to browser. However, in latest TBB(6.0+) I can't add certificate.

This is annoying because I have to make a exception every time to connect to HTTPS.

Is there any method to add certificate to TBB?

Jens Kubieziel
  • 8,570
  • 5
  • 33
  • 115
Toooory
  • 11
  • 1
  • 1
    Surely you can just set an exception as required? Adding one permanently is actually a unique and detectable fingerprint, it would be long-term identifying state... – cacahuatl Jul 13 '16 at 16:12
  • @canonizingironize Yeah, if an attacker had access to the computer that stored the exception. That data is stored locally in the browser. If the computer isn't physically secure, it doesn't matter what data is stored where. – SuperSluether Jul 21 '16 at 02:05
  • @SuperSluether lol. uh, no. if you automatically accept the exception that is thrown without first having to manually add the exception, your browser will behave clearly and visibly differently from every other tor browser user to an outside observer (the exit, the server itself or any observer in between). – cacahuatl Jul 21 '16 at 02:22
  • So you're saying that the Tor browser shares its security exceptions with every website it visits? Didn't think so. The browser will only behave differently for that one website. – SuperSluether Jul 21 '16 at 14:01
  • @SuperSluether yes. It doesn't share it directly but the browser behaves differently in a way that is trivial to measure. Any website can measure it indirectly. Any exit or point between the exit and the site can also measure it indirectly, and other exits for other sites could force situations where they get to measure it. This could easily be done, in a variety of ways. – cacahuatl Jul 21 '16 at 17:26
  • @SuperSluether here's a trivial example: <img src="https://example.com/image.jpeg" onload="alert(1)" onerror="alert(0)" /> if example.com has an invalid certificate and you've set a certificate error exception for example.com, it will pop up an alert box with 1, if you haven't you'll get an alert box with 0. I can embed this into my website, and when you visit it I can tell if you've set an exception or not by changing the payload from an alert to something else, this is just one of the many ways that you could measure this difference in behaviour. – cacahuatl Jul 21 '16 at 20:28
  • From your example, you would still get Alert 1 if you set a 1-time exception, so I still don't see the difference. At any rate, what does it matter if a website knows you use HTTPS or not? – SuperSluether Jul 21 '16 at 21:18
  • sigh You can lead a horse to water but you can't make it drink... – cacahuatl Jul 21 '16 at 22:50

1 Answers1

1

Permanent exceptions can't be made in Private Browsing mode. Go to about:preferences#privacy and either uncheck "Always use private browsing mode" or select "Remember History."

This will save your browsing history, download history, and save cookies by default. To fix, uncheck "Remember browsing and download history" and "Remember search and form history." For cookies, accept them, but keep until "I close Tor Browser."

SuperSluether
  • 1,239
  • 7
  • 21