[tbb-bugs] #20146 [Applications/Tor Browser]: Tor browser certificate pinning bypass for addons.mozilla.org and other pinned sites

[Tor Bug Tracker & Wiki]

#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
--------------------------------------+--------------------------
 Reporter:  mancha                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by cypherpunks):

 Replying to [comment:2 arma]:
 > I've heard a variety of proposed ideas for how to make things better. In
 an attempt to organize my thoughts, here they are:
 >
 > Option 1: make pinning never expire (i.e. do this ticket).
 …
 > Option 2: Disable noscript updates between releases. That is, put a
 version of Noscript into Tor Browser when we build Tor Browser
 …
 > Option 3: Convince the noscript maintainer to adopt the updateKey
 signature mechanism.

 You might also consider a hybrid of 2 and 3: ship a version that only
 trusts Tor's keys—the same ones checked when updating the browser
 itself—and set up an onion service it can poll for updates.

 I think its worthwhile to decrease the number of trust roots. Even if you
 weren't doing much more than re-signing each release, you'd be able to
 stop distributing a compromised update when someone noticed it. And you'd
 keep a history of everything you've signed, so nothing could slip through
 without a record.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online