[tor-dev] Always up-to-date HSTS preload list for Tor?
Georg Koppen
gk at torproject.org
Mon Jan 18 21:09:45 UTC 2016
Hi,
Ivan Ristic:
> Dear Tor developers,
>
> My SSL Labs server test has a feature where it checks for preloaded HSTS
> in Chrome, IE, Firefox, and Tor.
>
> You can see it near the bottom of this report, for example (under "HSTS
> Preloading"):
>
> https://www.ssllabs.com/ssltest/analyze.html?d=scotthelme.co.uk&s=107.170.218.42&latest
>
> For Tor, I download the preload list from this URL:
>
> https://gitweb.torproject.org/tor-browser.git/plain/security/manager/boot/src/nsSTSPreloadList.inc?h=tor-browser-38.2.1esr-5.0-2
>
> That's the best I could find (when I originally implemented the
> feature), and I now see that the version number has advanced since.
>
> Which brings me to my question: is there a public URL that always
> contains the latest preload list?
We are not patching the preload list. Tor Browser ships the same list as
the Firefox ESR version it is built upon. So, in a sense, no, there is
no such URL as we have different branches for different ESR releases.
But I guess tracking the latest Firefox ESR (which you might be doing
anyway) and assuming the same list for the latest Tor Browser should be
working fine for your purposes.
Georg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160118/84578662/attachment.sig>
More information about the tor-dev
mailing list