Hacker News
by pierrebarre 1494 days ago
Privaxy matches Chrome on https://badssl.com/dashboard/ and https://www.ssllabs.com/ssltest/viewMyClient.html, except that Privaxy doesn't support older TLS versions and poorer ciphers.

It does not mean that there is not a single bug, but I do not think it is fair to completely discount this approach. Especially when the alternative is browser extensions which bring their fair share of trouble regarding trust, performance, limited capabilities or even security.


I discount this approach. It is necessary but not sufficient to pass on simple browser SSL tests. There are other complexities that are best left to the browser to negotiate the session.
What are the things that you think are best handled by the browser while negotiating a session?
The connection parameters, including encryption parameters and the certificate from the origin. There are a lot of weird rules in WebPKI you may miss; this is beyond a general-purpose TLS library.

Enforcing Certificate Transparency rules or CAA records: is the proxy doing this?

Which browser enforces CAA?

It's a certificate misissuance, but AFAIK it's not up to the browser.
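To make the last exchange concrete: CAA (RFC 8659) is evaluated by the CA at issuance time, against DNS records the CA looks up, so it is not something a browser or an intercepting proxy can enforce on an already-issued certificate. The following is an added example of that issuance-time check, written for this page; it is not code from Privaxy or from any commenter. The `ZONE` dictionary stands in for DNS lookups and holds constructed CAA records for made-up names; `caa_permits` and `CAARecord` are illustrative names of my own. It implements the RFC 8659 rules: climb from the requested name toward the apex until a CAA RRset is found, honour `issuewild` over `issue` for wildcard names, treat an empty issuer (`;`) as "nobody may issue", and refuse on any critical property tag the CA does not understand.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data standing in for DNS CAA lookups (not real zones).
@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 0x80 = "issuer critical"
    tag: str     # issue / issuewild / iodef / anything else
    value: str   # issuer domain, optionally followed by ";key=value" params

ZONE: Dict[str, List[CAARecord]] = {
    # Any host under example.com: only letsencrypt.org may issue; no wildcards at all.
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # An "issue ;" record with an empty issuer forbids every CA.
    "locked.example.org": [CAARecord(0, "issue", ";")],
    # A critical tag the CA does not understand must block issuance.
    "strict.example.net": [CAARecord(0x80, "future-tag", "whatever")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 s3: the relevant RRset is the first non-empty CAA RRset found
    walking from the FQDN up through its parents (stopping before the root)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        records = zone.get(owner)
        if records:
            return owner, records
    return None, []


def issuer_domain(value: str) -> str:
    """Strip ';key=value' parameters: 'ca.example; foo=bar' -> 'ca.example'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, issuer: str, zone: Dict[str, List[CAARecord]]) -> Tuple[bool, str]:
    """Decide whether the CA identified by `issuer` may issue for `name`.
    Returns (permitted, reason). Wildcard names are checked against the
    RRset of the name with the '*.' label removed (RFC 8659 s4.3)."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    owner, records = relevant_rrset(fqdn, zone)

    if not records:
        return True, "no CAA RRset found up to the apex; issuance is unrestricted"

    # Unknown critical property tag: the CA MUST NOT issue (s4.1 flag semantics).
    for rec in records:
        if rec.flags & 0x80 and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"{owner}: critical tag {rec.tag!r} not understood"

    # For wildcards, issuewild records take precedence when any are present;
    # otherwise the issue records apply to the wildcard as well.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag.lower() == tag]

    if not relevant:
        return True, f"{owner}: CAA present but no {tag!r} records; issuance is unrestricted"

    allowed = {issuer_domain(r.value) for r in relevant} - {""}
    if issuer.lower() in allowed:
        return True, f"{owner}: {tag} record authorises {issuer}"
    return False, f"{owner}: {tag} records authorise {sorted(allowed) or 'nobody'}, not {issuer}"


if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("app.locked.example.org", "letsencrypt.org"),
                     ("strict.example.net", "letsencrypt.org"),
                     ("host.example.test", "anyca.example")]:
        ok, why = caa_permits(host, ca, ZONE)
        print(f"{'PERMIT' if ok else 'DENY  '} {host:28} {ca:18} {why}")
```

Note that every input here comes from DNS, which is why the check belongs to the CA: a client seeing a certificate for `www.example.com` from a CA other than letsencrypt.org has found a misissuance, but the browser has no CAA step in path validation with which to reject it.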