[tor-bugs] #20146 [Applications/Tor Browser]: Tor browser certificate pinning bypass for addons.mozilla.org and other pinned sites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 16 22:39:02 UTC 2016
#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
--------------------------------------+--------------------------
Reporter: mancha | Owner: tbb-team
Type: defect | Status: new
Priority: Immediate | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Critical | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by flyryan):
Hey guys. Just wanted to throw Mozilla's statement in here. They are
enabling HPKP to addons.mozilla.org which will inherently fix the problem.
They could do this right now and fix all of Firefox but I don't know if
that's their plan or if they are waiting until Tuesday.
> We investigated this and a fix will be issued in the next Firefox
> release on Tuesday, September 20. We had fixed an issue with the broken
> automation on the Developer Edition on September 4, but a certificate
> pinning had expired for users of our Release and Extended Support Release
> versions. We will be turning on HPKP on the addons.mozilla.org server
> itself so that users will remain protected once they have visited the site
> even if the built-in pins expire. We will be changing our internal
> processes so built-in certificate pins do not expire prematurely in future
> releases.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online