[tor-bugs] #20146 [Applications/Tor Browser]: Tor browser certificate pinning bypass for addons.mozilla.org and other pinned sites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 16 12:47:32 UTC 2016
#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
--------------------------------------+--------------------------
Reporter: mancha | Owner: tbb-team
Type: defect | Status: new
Priority: Immediate | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Changes (by mcs):
* cc: brade, mcs (added)
Comment:
I think it is worthwhile to think about doing this. But never expiring the
static pins will make updates fail for users of an old Tor Browser when
the certificates associated with the torproject.org servers are ever
changed. It would be worthwhile to look at what the failure mode is, and
maybe make improvements.
We should also see what solution Mozilla comes up with for this problem.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list