[tor-bugs] #3555 [Firefox Patch Issues]: TBB: hardcode SSL cert check to prevent MITM
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sat Jul 7 16:15:48 UTC 2012
#3555: TBB: hardcode SSL cert check to prevent MITM
----------------------------------+-----------------------------------------
Reporter: tagnaq | Owner: mikeperry
Type: enhancement | Status: assigned
Priority: major | Milestone:
Component: Firefox Patch Issues | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------------------+-----------------------------------------
Changes (by mikeperry):
* type: defect => enhancement
* milestone: TorBrowserBundle 2.3.x-stable =>
Comment:
For us, it's now lower priority. Pinning should be provided by the actual
upstream browser makers. Doing it ourselves for all *.tpo is complicated
by the pinning system in Firefox being done through cert-specific and use-
case specific haxx, and not a generalized mechanism (unless that's
changed).
Chrome, for example, properly pins *.tpo through a generalized mechanism
that is easy to alter+extend for arbitrary certs. We should get Mozilla to
do it that way too, then we can think about adding our own certs to that
mechanism in Tor Browser.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3555#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list