[tor-bugs] #16206 [Tor Browser]: set security.cert_pinning.enforcement_level to 2 ("Strict. Pinning is always enforced")
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue May 26 22:22:35 UTC 2015

#16206: set security.cert_pinning.enforcement_level to 2 ("Strict. Pinning is
always enforced")
-------------------------+--------------------------
 Reporter:  dkg          |          Owner:  tbb-team
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor Browser  |        Version:
 Keywords:  hpkp         |  Actual Points:
Parent ID:               |         Points:
-------------------------+--------------------------
 see: https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning
 Please set security.cert_pinning.enforcement_level to 2 ("Strict. Pinning
 is always enforced").
 This will become more relevant as Tor moves to a more recent version of
 Firefox (31 only has minimal built-in pinning support, and 35 introduces
 HPKP), but without setting the level to 2, users who are phished with an
 external root CA (admittedly a bad situation, but not uncommon) will lose
 all pinning protection against that root CA (see
 https://bugzilla.mozilla.org/show_bug.cgi?id=1168603 for more details
 about this risk and circumstances where it might legitimately arise).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16206>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
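The following is an added illustration, not part of the ticket or of Firefox's code: a small model of how the enforcement levels of `security.cert_pinning.enforcement_level` treat a pin mismatch. Level 2 is the value the ticket asks for; the meanings of 0, 1 and 3 are taken from the Mozilla pinning page the ticket links, and the key bytes and pin set below are constructed sample data.

```python
import base64
import hashlib
from dataclasses import dataclass

# Documented values of security.cert_pinning.enforcement_level.
DISABLED, ALLOW_USER_MITM, STRICT, TEST_MODE = 0, 1, 2, 3


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


@dataclass
class Chain:
    spkis: list            # SPKI DER of each certificate in the served chain
    root_is_builtin: bool  # True when the trust anchor ships with Firefox


def pinning_verdict(level: int, chain: Chain, pin_set: set) -> str:
    """Model of pin enforcement; returns 'accept' or 'reject'."""
    if level == DISABLED:
        return "accept"
    if any(spki_pin(s) in pin_set for s in chain.spkis):
        return "accept"                     # a pinned key is present
    if level == ALLOW_USER_MITM and not chain.root_is_builtin:
        return "accept"                     # mismatch ignored: user-added root
    if level == TEST_MODE:
        return "accept"                     # report-only mode
    return "reject"                         # STRICT, or mismatch under a built-in root


# Constructed sample data: the site's real key versus an attacker's key.
SITE_KEY, ROGUE_KEY = b"constructed-site-spki", b"constructed-rogue-spki"
PINS = {spki_pin(SITE_KEY)}
LEGIT = Chain([SITE_KEY], root_is_builtin=True)
PHISHED_USER_ROOT = Chain([ROGUE_KEY], root_is_builtin=False)  # the ticket's scenario
ROGUE_BUILTIN_ROOT = Chain([ROGUE_KEY], root_is_builtin=True)


def compare_levels() -> dict:
    """Verdicts for the phished-via-external-root chain at levels 1 and 2."""
    return {lvl: pinning_verdict(lvl, PHISHED_USER_ROOT, PINS)
            for lvl in (ALLOW_USER_MITM, STRICT)}


if __name__ == "__main__":
    print(compare_levels())  # level 1 accepts the rogue chain, level 2 rejects it
```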