[tor-talk] updating Tor
Lunar
lunar at torproject.org
Sun Oct 19 11:19:00 UTC 2014
Grace H:
> Great that Tor Browser has an automated upgrade system.
>
> Does it check the SSL certificate (pinning) and check the download
> against a signature? How does it actually work?

Quoting the release announcement:

    Please also be aware that the security of the updater depends on the
    specific CA that issued the www.torproject.org HTTPS certificate
    (Digicert), and so it still must be activated manually through the
    Help ("?") "about browser" menu option. Very soon, we will support
    both strong HTTPS site-specific certificate pinning (ticket #11955)
    and update package signatures (ticket #13379). Until then, we do not
    recommend using this updater if you need stronger security and
    normally verify GPG signatures.

    https://blog.torproject.org/blog/tor-browser-40-released

--
Lunar <lunar at torproject.org>