[tor-bugs] #9739 [Flashproxy]: don't hard code certificates/pubkeys in flashproxy programs
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Sep 14 18:40:58 UTC 2013
#9739: don't hard code certificates/pubkeys in flashproxy programs
----------------------------+-----------------
Reporter: infinity0 | Owner: dcf
Type: defect | Status: new
Priority: normal | Milestone:
Component: Flashproxy | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
----------------------------+-----------------
Comment (by dcf):
There might be some confusion about what keys are what. The facilitator
has its own private key that is used only by the program facilitator-reg-daemon,
and only for one purpose: to decrypt encrypted client
registrations. This is the key that is set with the `--key` option of
facilitator-reg-daemon, and the `--facilitator-pubkey` option of
flashproxy-client, flashproxy-reg-appspot, flashproxy-reg-email, and
flashproxy-reg-url. So unless I misunderstand you, this keypair is already
configurable by the command line.
The embedded certs and public key hashes `CA_CERTS` and `PUBKEY_SHA1` in
flashproxy-reg-appspot, flashproxy-reg-email, and facilitator-email-poller
are for certificate pinning against specific Google services--they are
''not'' meant to be configurable. They are deliberately hardcoded,
[https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.h?revision=209003&view=markup just like they are in Chromium].
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9739#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
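The comment above distinguishes a configurable keypair (the facilitator's registration-decryption key) from pins that are deliberately hardcoded (CA_CERTS and PUBKEY_SHA1). The following is an added example, not flashproxy code, showing what a public-key pin check of the PUBKEY_SHA1 kind looks like: it walks a DER certificate to its SubjectPublicKeyInfo, hashes that DER with SHA-1, and compares the digest against a fixed pin set. It assumes the pin is SHA-1 over the DER SubjectPublicKeyInfo (the identifier's name suggests this; the page does not state the exact input the original programs hash), uses only the standard library, and builds its own unsigned dummy certificate inline as test data, so no pin value below is a real Google pin. Chain validation against CA_CERTS is a separate check and is not shown.

```python
"""Public-key pin check in the style of PUBKEY_SHA1 (added example, not flashproxy code).

Parses DER X.509 with the standard library only, hashes the SubjectPublicKeyInfo
with SHA-1 and compares against a hardcoded pin set.  The certificate used as
input is constructed inline and is unsigned: this checks the key pin only, not
the signature chain.
"""
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, OID, NULL, UTF8STRING, SET, UTCTIME = (
    0x30, 0x02, 0x03, 0x06, 0x05, 0x0C, 0x31, 0x17)
EXPLICIT_0 = 0xA0  # [0] EXPLICIT tag wrapping the optional TBSCertificate version


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """Encode one DER TLV (used only to build the constructed sample cert)."""
    return bytes([tag]) + _der_len(len(body)) + body


def _tlv_at(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, length, p = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[p:p + n], "big")
        p += n
    end = p + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[p:end], end


def _children(value):
    """Split a constructed element's value into (tag, raw TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _tlv_at(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out


def spki_der(cert_der):
    """Return the DER bytes of SubjectPublicKeyInfo from a DER Certificate."""
    tag, cert, end = _tlv_at(cert_der, 0)
    if tag != SEQUENCE or end != len(cert_der):
        raise ValueError("not a DER Certificate")
    tbs_tag, tbs, _ = _tlv_at(cert, 0)
    if tbs_tag != SEQUENCE:
        raise ValueError("bad TBSCertificate")
    fields = _children(tbs)
    if fields and fields[0][0] == EXPLICIT_0:   # drop optional version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != SEQUENCE:
        raise ValueError("no SubjectPublicKeyInfo")
    return fields[5][1]


def pubkey_sha1(cert_der):
    """Hex SHA-1 of the DER SubjectPublicKeyInfo (the assumed PUBKEY_SHA1 input)."""
    return hashlib.sha1(spki_der(cert_der)).hexdigest()


def check_pin(cert_der, pinned):
    """True iff the certificate's key hash is in the hardcoded pin set."""
    digest = pubkey_sha1(cert_der)
    # compare_digest keeps the comparison constant-time per candidate pin.
    return any(hmac.compare_digest(digest, p) for p in pinned)


# --- constructed test data (unsigned dummy certificate, not a real one) ---
def _name(cn):
    return tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE,
               tlv(OID, b"\x55\x04\x03") + tlv(UTF8STRING, cn))))


_RSA_ALG = tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(NULL, b""))
_SHA256_RSA = tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(NULL, b""))


def make_cert(modulus):
    """Build a dummy v3 DER certificate carrying `modulus`; returns (cert, spki)."""
    rsa_key = tlv(SEQUENCE, tlv(INTEGER, b"\x00" + modulus) + tlv(INTEGER, b"\x01\x00\x01"))
    spki = tlv(SEQUENCE, _RSA_ALG + tlv(BIT_STRING, b"\x00" + rsa_key))
    tbs = tlv(SEQUENCE,
              tlv(EXPLICIT_0, tlv(INTEGER, b"\x02"))           # version v3
              + tlv(INTEGER, b"\x01")                            # serial
              + _SHA256_RSA                                      # signature alg
              + _name(b"Constructed Test CA")                    # issuer
              + tlv(SEQUENCE, tlv(UTCTIME, b"130101000000Z") + tlv(UTCTIME, b"140101000000Z"))
              + _name(b"www.example.invalid")                    # subject
              + spki)
    # Signature bits are zeros: chain validation is deliberately out of scope here.
    return tlv(SEQUENCE, tbs + _SHA256_RSA + tlv(BIT_STRING, b"\x00" + bytes(32))), spki


GOOD_CERT, GOOD_SPKI = make_cert(b"\xc3" * 32)
ROGUE_CERT, _ = make_cert(b"\xd4" * 32)     # same names, different key
PINNED = {pubkey_sha1(GOOD_CERT)}           # stands in for a hardcoded pin set

if __name__ == "__main__":
    print("expected key:", check_pin(GOOD_CERT, PINNED))
    print("rogue key:   ", check_pin(ROGUE_CERT, PINNED))
```

The rogue certificate carries the same issuer and subject names as the pinned one but a different key, which is exactly the case a CA-only check cannot distinguish and a key pin can. Because the pin is over the SubjectPublicKeyInfo rather than the whole certificate, the operator can re-issue a certificate for the same key (new serial, new validity) without breaking pinned clients, which is the property that makes hardcoding it tolerable.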