[tor-bugs] #11955 [Tor Browser]: Backport Certificate Pinning to FF31ESR
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 26 05:36:07 UTC 2014
#11955: Backport Certificate Pinning to FF31ESR
---------------------------+-------------------------------------------------
 Reporter: mikeperry       | Owner: arthuredelstein
 Type: enhancement         | Status: assigned
 Priority: major           | Milestone:
 Component: Tor Browser    | Version:
 Resolution:               | Keywords: TorBrowserTeam201409, ff31-esr, tbb-firefox-patch
 Actual Points:            | Parent ID:
 Points:                   |
---------------------------+-------------------------------------------------
Comment (by arthuredelstein):
Replying to [comment:6 mikeperry]:
Here's what I have so far:
https://github.com/arthuredelstein/tor-browser/commits/tbb-esr31.1.0-certificate-pinning
As suggested, I applied the following patches (with some tweaks):
> https://bugzilla.mozilla.org/show_bug.cgi?id=744204
> https://bugzilla.mozilla.org/show_bug.cgi?id=772756
> https://bugzilla.mozilla.org/show_bug.cgi?id=1002696
> https://bugzilla.mozilla.org/show_bug.cgi?id=1009635
To get these patches to apply more or less cleanly, I also needed to
include:
https://bugzilla.mozilla.org/show_bug.cgi?id=998057
https://bugzilla.mozilla.org/show_bug.cgi?id=951315
https://bugzilla.mozilla.org/show_bug.cgi?id=1004270
> There was a regression that should be fixed in the patch set for 772756
> that broke the addons pane. We should verify our backport doesn't suffer
> from it either (note this ticket was "fixed" by backing out all pinning!
> we don't want to do that, but want the patch from 772756 instead):
> https://bugzilla.mozilla.org/show_bug.cgi?id=1005364
I've included 772756. I still need to test for the presence of the bug
reported in 1005364.
> From the "pin all the things" ticket, the following might be useful to
> test the waters if we are feeling good about addons and the updater:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1004353 (Tor)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1004351 (Twitter)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1004352 (Google)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1027133 (*.twitter.com)
I'll hold off on these until addons and updater are working OK.
I guess at this point I should run unit tests on the pinning code. Are
there any manual tests for certificate pinning I should run, in addition
to 1005364?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11955#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online