[tor-bugs] #11955 [Tor Browser]: Backport Certificate Pinning to FF31ESR
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 23 21:02:11 UTC 2014
#11955: Backport Certificate Pinning to FF31ESR
-------------------------+-------------------------------------------------
Reporter: mikeperry      | Owner: arthuredelstein
Type: enhancement        | Status: assigned
Priority: major          | Milestone:
Component: Tor Browser   | Version:
Resolution:              | Keywords: TorBrowserTeam201409, ff31-esr, tbb-firefox-patch
Actual Points:           | Parent ID:
Points:                  |
-------------------------+-------------------------------------------------
Comment (by mikeperry):
Sitting with Camilo right now. The "Pin all the things" bug is just about
updating the json list with new sites. For now, we should just focus on
getting this to work for our updater and addons.mozilla.org, and can add a
couple sites later.
In terms of actual patches, we want:
https://bugzilla.mozilla.org/show_bug.cgi?id=744204
https://bugzilla.mozilla.org/show_bug.cgi?id=772756
https://bugzilla.mozilla.org/show_bug.cgi?id=1002696
https://bugzilla.mozilla.org/show_bug.cgi?id=1009635
There was a regression that should be fixed in the patch set for 772756
that broke the addons pane. We should verify our backport doesn't suffer
from it either (note this ticket was "fixed" by backing out all pinning!
We don't want to do that, but want the patch from 772756 instead):
https://bugzilla.mozilla.org/show_bug.cgi?id=1005364
From the "pin all the things" ticket, the following might be useful to
test the waters if we are feeling good about addons and the updater:
https://bugzilla.mozilla.org/show_bug.cgi?id=1004353 (Tor)
https://bugzilla.mozilla.org/show_bug.cgi?id=1004351 (Twitter)
https://bugzilla.mozilla.org/show_bug.cgi?id=1004352 (Google)
https://bugzilla.mozilla.org/show_bug.cgi?id=1027133 (*.twitter.com)
After that, there is an updater script for keeping pins up to date. The
instructions are at the top of this file:
https://mxr.mozilla.org/mozilla-central/source/security/manager/tools/genHPKPStaticPins.js
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11955#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online