[tbb-bugs] #19481 [Applications/Tor Browser]: Change app.update.url to point to aus1.tpo

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 20 09:56:58 UTC 2016

#19481: Change app.update.url to point to aus1.tpo
 Reporter:  gk                        |          Owner:  tbb-team
     Type:  task                      |         Status:  needs_review
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeam201609R     |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by gk):

 Replying to [comment:7 yawning]:
 > Replying to [comment:3 gk]:
 > > weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right
 now. It might come in the future.
 > This shouldn't be done at all till it's possible to pin the cert chain
 for aus1.tpo over a prolonged period of time (not the rather short 3
 months imposed by the Let's Encrypt cert lifespan).
 > WHile the scope of potential problems from not doing so should be
 limited to adversaries withholding updates (since the MARs are signed),
 that feels suboptimal.

 I've created #20180 for aus1.tpo and cdn.tpo pinning.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19481#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list