[tbb-dev] Tor Browser uplift tracker

Tom Ritter tom at ritter.vg
Mon Feb 5 16:01:02 UTC 2018


On 5 February 2018 at 06:31, Georg Koppen <gk at torproject.org> wrote:
> only signature based
> verification should be used. However, we want to have at least two
> independent means that need to get compromised before fake updates can
> get applied. That's especially true in our current setup where we host
> the update.xml ourselves and Fastly holds all the actual update files.
> tjr made this point in the last meeting.

That makes sense!

Since Tor Browser should never have to worry about Cert MITM, you
could (maybe) pin Fastly's CA (if they support that) and get
part-of-a-third.

> (Note, though, that we might want to think about strengthening both
> pillars we currently rely on for our update security but that is
> orthogonal to the question whether we want to enable the hash check or not)

We're working on Binary Transparency! =)

-tom
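The "two independent means" Georg describes, as an added example that is not from this thread or the Tor Browser code base: the file from the CDN must match the hash and size in the vendor-hosted update.xml, and the file must also carry a valid signature, so compromising either the update server or the signing key alone is not enough. It assumes Mozilla's update.xml attribute names (hashFunction, hashValue, size) and stands in for the real MAR signature with an HMAC over a constructed key, since the standard library has no asymmetric signatures.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample update file (stands in for a MAR fetched from the CDN).
MAR_BYTES = b"MAR1-constructed-sample-update-payload"

# Constructed stand-in for the vendor's MAR signing key.
SIGNING_KEY = b"constructed-demo-key"


def sign_mar(mar: bytes, key: bytes = SIGNING_KEY) -> str:
    """Stand-in for the MAR signature (HMAC here, not a real asymmetric signature)."""
    return hmac.new(key, mar, hashlib.sha256).hexdigest()


def make_update_xml(mar: bytes) -> str:
    """Constructed update.xml in Mozilla's format, as the vendor's update server would host it."""
    return (
        '<?xml version="1.0"?><updates><update type="minor" displayVersion="7.5">'
        '<patch type="complete" URL="https://cdn.example/tb.mar" '
        f'hashFunction="sha512" hashValue="{hashlib.sha512(mar).hexdigest()}" '
        f'size="{len(mar)}"/></update></updates>'
    )


def verify_update(update_xml: str, mar: bytes, signature: str) -> bool:
    """Accept only if BOTH pillars hold: the hash/size published in update.xml
    match the downloaded file, AND the file's signature verifies.
    A manifest without hash attributes fails closed instead of skipping the check."""
    patch = ET.fromstring(update_xml).find("./update/patch[@type='complete']")
    if patch is None:
        return False
    hash_fn = patch.get("hashFunction", "").lower()
    expected = patch.get("hashValue", "")
    size = patch.get("size", "")
    if hash_fn not in ("sha256", "sha512") or not expected or not size.isdigit():
        return False
    if len(mar) != int(size):
        return False
    actual = hashlib.new(hash_fn, mar).hexdigest()
    # Both checks are always evaluated; constant-time compares avoid timing leaks.
    hash_ok = hmac.compare_digest(actual.lower(), expected.lower())
    sig_ok = hmac.compare_digest(sign_mar(mar), signature)
    return hash_ok and sig_ok
```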

