[tor-bugs] #17442 [Tor Browser]: adjust or remove updater cert pinning
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 19 15:53:46 UTC 2015
#17442: adjust or remove updater cert pinning
-----------------------------------+-----------------------------------
Reporter: mcs | Owner: tbb-team
Type: defect | Status: needs_information
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam201511R | Actual Points:
Parent ID: | Points:
Sponsor: |
-----------------------------------+-----------------------------------
Comment (by mcs):
Replying to [comment:7 gk]:
> Would you look into whether we are fine with pinning the certs for the
> updater as well given that Mozilla is pinning them, too, but is still
> claiming they don't want the update breaking if MITM proxies are tampering
> with TLS?
Kathy and I looked at this a little bit. The aus4.mozilla.org pin
configuration has the mTestMode flag set to true (this is also the case
for aus5.m.o on mozilla-central; they seem to have switched their update
URLs to aus5 now). The mTestMode == true means that unless
security.cert_pinning.enforcement_level is set to 3, would-be failures are
ignored and just reported via Mozilla's telemetry service. So I think they
are just gathering data on potential failures.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17442#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online