[tbb-bugs] #17442 [Tor Browser]: adjust or remove updater cert pinning

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 13 13:11:21 UTC 2015


#17442: adjust or remove updater cert pinning
-----------------------------------+-----------------------------------
 Reporter:  mcs                    |          Owner:  tbb-team
     Type:  defect                 |         Status:  needs_information
 Priority:  Medium                 |      Milestone:
Component:  Tor Browser            |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:  TorBrowserTeam201511R  |  Actual Points:
Parent ID:                         |         Points:
  Sponsor:                         |
-----------------------------------+-----------------------------------
Changes (by gk):

 * status:  needs_review => needs_information


Comment:

 The backported patches look good to me (you even made sure all the typos
 stayed in place ;) ). I think this is fine for the alpha and I applied
 them to tor-browser-38.4.0esr-5.5-1 (commits
 c429e391927b9f6462274c5a7b51cf66cd253ddf and
 f90a87efb57f9e2fd7f3b23e812af721f092a733).

 Would you look into whether we are fine with pinning the certs for the
 updater as well given that Mozilla is pinning them, too, but is still
 claiming they don't want the update breaking if MITM proxies are tampering
 with TLS?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17442#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

