[tbb-dev] Tor Browser uplift tracker

Tom Ritter tom at ritter.vg
Mon Feb 5 16:01:02 UTC 2018

On 5 February 2018 at 06:31, Georg Koppen <gk at torproject.org> wrote:
> only signature based
> verification should be used. However, we want to have at least two
> independent means that need to get compromised before fake updates can
> get applied. That's especially true in our current setup where we host
> the update.xml ourselves and Fastly holds all the actual update files.
> tjr made this point in the last meeting.

That makes sense!

Since Tor Browser should never have to worry about Cert MITM, you
could (maybe) pin Fastly's CA (if they support that) and get

> (Note, though, that we might want to think about strengthening both
> pillars we currently rely on for our update security but that is
> orthogonal to the question whether we want to enable the hash check or not)

We're working on Binary Transparency! =)


More information about the tbb-dev mailing list