[tor-bugs] #20146 [Applications/Tor Browser]: Tor browser certificate pinning bypass for addons.mozilla.org and other pinned sites

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 16 22:39:02 UTC 2016


#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
--------------------------------------+--------------------------
 Reporter:  mancha                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by flyryan):

 Hey guys. Just wanted to throw Mozilla's statement in here. They are
 enabling HPKP to addons.mozilla.org which will inherently fix the problem.
 They could do this right now and fix all of Firefox but I don't know if
 that's their plan or if they are waiting until Tuesday.

 > We investigated this and a fix will be issued in the next Firefox
 release on Tuesday, September 20. We had fixed an issue with the broken
 automation on the Developer Edition on September 4, but a certificate
 pinning had expired for users of our Release and Extended Support Release
 versions. We will be turning on HPKP on the addons.mozilla.org server
 itself so that users will remain protected once they have visited the site
 even if the built-in pins expire. We will be changing our internal
 processes so built-in certificate pins do not expire prematurely in future
 releases.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
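
An added example, not part of the ticket comment, Mozilla's statement or Firefox's code: a simplified Python model of why an expired built-in pin set stops rejecting a CA-valid chain with an unexpected key, and how pins noted from an RFC 7469 Public-Key-Pins header on an earlier visit keep rejecting it. The function names, pin strings and dates are constructed for illustration.

```python
# Added illustration: simplified pinning model, not Firefox or Tor Browser code.
from datetime import datetime, timedelta, timezone

def parse_public_key_pins(header):
    """Parse an RFC 7469 Public-Key-Pins value into (pins, max_age)."""
    pins, max_age = set(), None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256" and value:
            pins.add(value)
        elif name == "max-age" and value.isdigit():
            max_age = int(value)
    return pins, max_age

def note_pins(header, chain_pins, seen_at):
    """Return (pins, expiry) if the header may be noted, else None.
    RFC 7469 only lets a client note pins when max-age is present, one pin
    matches the validated chain and a backup pin does not match it.
    (max-age=0, which clears noted pins, is treated as "nothing to note".)
    """
    pins, max_age = parse_public_key_pins(header)
    chain = set(chain_pins)
    if not max_age or not (pins & chain) or not (pins - chain):
        return None
    return pins, seen_at + timedelta(seconds=max_age)

def chain_accepted(chain_pins, now, static_pins, static_expiry, noted=None):
    """Check a CA-valid chain against every pin set still in force."""
    active = {}
    if now < static_expiry:                 # built-in pins lapse at this time
        active["built-in"] = static_pins
    if noted and now < noted[1]:            # header pins last max-age seconds
        active["hpkp"] = noted[0]
    ok = all(set(chain_pins) & pins for pins in active.values())
    return ok, "+".join(active) or "unpinned"

# Constructed sample data: placeholder pin strings and dates, not real values.
SITE, BACKUP, OTHER_CA = "SITE-KEY-PIN=", "BACKUP-KEY-PIN=", "OTHER-CA-PIN="
STATIC_EXPIRY = datetime(2020, 1, 1, tzinfo=timezone.utc)
HEADER = f'pin-sha256="{SITE}"; pin-sha256="{BACKUP}"; max-age=5184000'
VISIT = STATIC_EXPIRY - timedelta(days=10)   # site visited before the lapse
LATER = STATIC_EXPIRY + timedelta(days=5)    # built-in pins have lapsed
NOTED = note_pins(HEADER, [SITE], VISIT)

if __name__ == "__main__":
    print(chain_accepted([OTHER_CA], VISIT, {SITE}, STATIC_EXPIRY))
    print(chain_accepted([OTHER_CA], LATER, {SITE}, STATIC_EXPIRY))
    print(chain_accepted([OTHER_CA], LATER, {SITE}, STATIC_EXPIRY, NOTED))
```

The header-based protection only exists for clients that reached the site over a good connection before the built-in pins lapsed; a client with no noted pins falls through to the "unpinned" case.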

