Tor browser deanonymization/fingerprinting via cached intermediate CAs
I get different results testing https://fiprinca.0x90.eu/poc/ in a fresh Tor browser than in the Tor browser I've been using to browse the web for a bit. (Both are running as Qubes disposable VMs so I haven't tested persistence).
Expected behaviour: my Tor browser (version "6.5, based on Mozilla Firefox 45.7.0") should not leak information about what sites I've visited.
Actual behaviour: I see four cached CAs in the "warmed" browser, leaking information about what sites I've visited.