[tor-bugs] #19481 [Applications/Tor Browser]: Change app.update.url to point to aus1.tpo
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 20 03:25:27 UTC 2016
#19481: Change app.update.url to point to aus1.tpo
--------------------------------------+------------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: needs_review
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: TorBrowserTeam201609R | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+------------------------------
Comment (by yawning):
Replying to [comment:3 gk]:
> weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right
now. It might come in the future.
This shouldn't be done at all till it's possible to pin the cert chain for
aus1.tpo over a prolonged period of time (not the rather short 3 months
imposed by the Let's Encrypt cert lifespan).
WHile the scope of potential problems from not doing so should be limited
to adversaries withholding updates (since the MARs are signed), that feels
suboptimal.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19481#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list