[tbb-bugs] #20146 [Applications/Tor Browser]: Tor browser certificate pinning bypass for addons.mozilla.org and other pinned sites
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Sep 17 01:13:24 UTC 2016
#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
--------------------------------------+--------------------------
Reporter: mancha                      | Owner: tbb-team
Type: defect                          | Status: new
Priority: Immediate                   | Milestone:
Component: Applications/Tor Browser   | Version:
Severity: Critical                    | Resolution:
Keywords:                             | Actual Points:
Parent ID:                            | Points:
Reviewer:                             | Sponsor:
--------------------------------------+--------------------------
Comment (by jmprcx):
Greetings folks,
Just wanted to add some input here and much respect to all for fixing this
problem.
The Mozilla-proposed solution is garbage to my understanding. If HPKP pins
are used I believe they get wiped in private browsing mode so then it
offers no protection on the next startup. HPKP pins can also be used as a
method to track user activity so some users may not want to store pins.
I like option 2 as proposed. Also maybe it would be worthwhile to do
add-ons over onion service only? I don't see a point in making a Tor
Browser user beacon out to the clearnet for no good reason.
-jmprcx
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online