[tbb-bugs] #19481 [Applications/Tor Browser]: Change app.update.url to point to aus1.tpo
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 20 09:56:58 UTC 2016
#19481: Change app.update.url to point to aus1.tpo
--------------------------------------+------------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam201609R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+------------------------------
Comment (by gk):
Replying to [comment:7 yawning]:
> Replying to [comment:3 gk]:
> > weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right
now. It might come in the future.
>
> This shouldn't be done at all till it's possible to pin the cert chain
for aus1.tpo over a prolonged period of time (not the rather short 3
months imposed by the Let's Encrypt cert lifespan).
>
> WHile the scope of potential problems from not doing so should be
limited to adversaries withholding updates (since the MARs are signed),
that feels suboptimal.
I've created #20180 for aus1.tpo and cdn.tpo pinning.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19481#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list