On 5 February 2018 at 06:31, Georg Koppen gk@torproject.org wrote:
only signature based verification should be used. However, we want to have at least two independent means that need to get compromised before fake updates can get applied. That's especially true in our current setup where we host the update.xml ourselves and Fastly holds all the actual update files. tjr made this point in the last meeting.
That makes sense!
Since Tor Browser should never have to worry about Cert MITM, you could (maybe) pin Fastly's CA (if they support that) and get part-of-a-third.
(Note, though, that we might want to think about strengthening both pillars we currently rely on for our update security but that is orthogonal to the question whether we want to enable the hash check or not)
We're working on Binary Transparency! =)
-tom