[tor-bugs] #17442 [Tor Browser]: adjust or remove updater cert pinning
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 6 16:05:17 UTC 2015
#17442: adjust or remove updater cert pinning
-------------------------+--------------------------
Reporter: mcs | Owner: tbb-team
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+--------------------------
Changes (by gk):
* status: needs_information => assigned
Comment:
Yes, we should get rid of that part. FWIW: Mozilla already did the same
https://bugzilla.mozilla.org/show_bug.cgi?id=1151485 and plans to remove
the custom checks code in general, now that they have signed MAR files on
all platforms: https://bugzilla.mozilla.org/show_bug.cgi?id=1182352. It is
worth noting, too, that there are voices that think pinning (esp. the
strict mode we enforce) is not the ideal thing for the updater if one has
already signed MAR files, see e.g.:
https://bugzilla.mozilla.org/show_bug.cgi?id=1063111#c3.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17442#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list