[tor-talk] How to pin the SSL certificate for torproject.org?

proper at secure-mail.biz proper at secure-mail.biz
Fri Jul 6 16:24:35 UTC 2012


<tom at ritter.vg> wrote:
> On 6 July 2012 11:46,  <proper at secure-mail.biz> wrote:
> > A malicious certificate for torproject.org has been given out at least
> twice by broken certificate authorities. (Comodo, DigiNotar, who is next...)
>
> >
> > To prevent that in future, I'd like to pin the SSL certificate's fingerprint.
> How can that be done? Running an own local CA or is there an easier way?
>
>
> In what application?

It would be great if we can do it in a generic way for all applications. Maybe modifying /usr/share/ca-certificates. Can we create a local ca which gets priority over the others, i.e. listen only the the local ca when it comes to torproject.org and use the others like usual?

It's interesting for Chromium, Firefox (download in the clear), Tor Browser and wget.

> In Chrome, your best bet would be to compile Chromium and add the
> project cert into their pinned list in the code before doing so.
> In Firefox, you'd probably be best served by using Convergence or
> CertPatrol to verify the certificate through external validators or
> notify you if the certificate changes (respectively).

> In other applications: IE, wget, curl, etc - there aren't any
> 'prebuilt' options - you'd have to write some sort of plugin or hook
> yourself.

Wget Has --ca-certificate <file> switch, but I don't know how to create the ca file. I read that it's possible to self sign a SSL public key, even if you do not have access to the private key or certificate signing request.

I didn't even archive to get torproject.org's public key. That's what I used.
openssl s_client -showcerts -connect www.torproject.org:443 >/tmp/x.cert </dev/null

But it doesn't contain the begin public key block. I am not sure what to use from that file or if I am on the complete wrong path. If you can help out with it, that'd be great!

______________________________________________________
powered by Secure-Mail.biz - anonymous and secure e-mail accounts.



More information about the tor-talk mailing list