[tor-bugs] #17442 [Tor Browser]: adjust or remove updater cert pinning
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 9 09:22:54 UTC 2015
#17442: adjust or remove updater cert pinning
-------------------------+--------------------------
Reporter: mcs | Owner: tbb-team
Type: defect | Status: assigned
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+--------------------------
Comment (by gk):
Replying to [comment:4 mikeperry]:
> It does sound like this update-specific pin is redundant to (and weaker
> than) the HPKP pins. However, I very much disagree with
> https://bugzilla.mozilla.org/show_bug.cgi?id=1063111#c3. We should keep an
> eye on that and make sure that the HPKP pins always apply to the updater,
> as we do not have the problem of needing to support corporate or
> OEM-installed MITMs (*cough* Lenovo Superfish *cough*).
Yes, I think we get this already with our
`security.cert_pinning.enforcement_level` set to `2`, but looking closer
might be good (especially as Mozilla seems to pin the certificate for the
Firefox updater, too).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17442#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
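The distinction the comment turns on is what `security.cert_pinning.enforcement_level` does when the chain terminates in a root the user (or an OEM tool like Superfish) added rather than a built-in one. The following is an added example, not code from Tor Browser, Firefox or this ticket: it models an HPKP-style SPKI pin check (base64 of SHA-256 over the SubjectPublicKeyInfo DER) together with the enforcement-level policy, so you can see why level `1` lets a locally installed interception root through and level `2` does not. The SPKI byte strings, the pin set and the level meanings paraphrased in the comments are assumptions made for this example; in Firefox the pins that matter here are the built-in (static) ones, and a real check would parse SPKI out of an actual certificate.

```python
import base64
import hashlib
from enum import IntEnum


class EnforcementLevel(IntEnum):
    # Paraphrase of Firefox's security.cert_pinning.enforcement_level values
    # (assumption of this example, not taken from Firefox source):
    DISABLED = 0          # built-in pins are never checked
    ALLOW_USER_MITM = 1   # pins are skipped when the trust anchor was added by the user/OS
    STRICT = 2            # pins are always enforced, whatever the trust anchor


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_allowed(chain_spkis, root_is_builtin, pinset, level):
    """Decide whether a validated chain passes the pin check under a given level.

    chain_spkis:     SPKI DER blobs, leaf first, trust anchor last.
    root_is_builtin: True if the anchor is a built-in root; False if it was
                     added locally (corporate proxy, OEM adware such as Superfish).
    pinset:          set of base64 pins; at least one cert in the chain must match.
    """
    if level == EnforcementLevel.DISABLED:
        return True
    if level == EnforcementLevel.ALLOW_USER_MITM and not root_is_builtin:
        # The hole the comment worries about: a locally installed root
        # bypasses the pins entirely at level 1.
        return True
    return any(spki_pin(spki) in pinset for spki in chain_spkis)


# Constructed stand-ins for SPKI DER blobs (not real keys).
GOOD_LEAF = b"constructed-spki:update-server-leaf"
GOOD_ROOT = b"constructed-spki:builtin-root"
MITM_LEAF = b"constructed-spki:intercepting-proxy-leaf"
MITM_ROOT = b"constructed-spki:user-installed-interception-root"

# Pin the built-in root, as a preloaded pinset would.
PINSET = {spki_pin(GOOD_ROOT)}


def evaluate():
    """Run the four cases that matter for the updater and return the verdicts."""
    legit = [GOOD_LEAF, GOOD_ROOT]
    mitm = [MITM_LEAF, MITM_ROOT]
    return {
        "legit_strict": chain_allowed(legit, True, PINSET, EnforcementLevel.STRICT),
        "mitm_user_root_level1": chain_allowed(mitm, False, PINSET, EnforcementLevel.ALLOW_USER_MITM),
        "mitm_user_root_strict": chain_allowed(mitm, False, PINSET, EnforcementLevel.STRICT),
        "mitm_builtin_root_level1": chain_allowed(mitm, True, PINSET, EnforcementLevel.ALLOW_USER_MITM),
    }


if __name__ == "__main__":
    for case, ok in evaluate().items():
        print(f"{case}: {'accepted' if ok else 'REJECTED'}")
```

Only the `mitm_user_root_level1` case is accepted while failing the pin: that is the corporate/OEM MITM allowance that level `1` exists for and that a browser shipping with level `2` gives up on purpose. Whether the updater's TLS connection actually goes through the same pin check as normal page loads is exactly what the comment says should be verified rather than assumed.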