[tor-talk] How to pin the SSL certificate for torproject.org?

tor at lists.grepular.com tor at lists.grepular.com
Fri Jul 6 20:02:26 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 06/07/12 16:46, proper at secure-mail.biz wrote:

> A malicious certificate for torproject.org has been given out at
> least twice by broken certificate authorities. (Comodo, DigiNotar,
> who is next...)
> 
> To prevent that in future, I'd like to pin the SSL certificate's
> fingerprint. How can that be done? Running an own local CA or is
> there an easier way?
> 
> How to download the SSL public key from torproject.org and sign it
> with a local CA?

The Tor project SSL certs are already pinned within Chrome. Search for
the string DOMAIN_TORPROJECT_ORG in:

https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.h

I don't think Firefox has anything similar. Personally I use
HTTPS-Everywhere and Certificate Patrol, so I should be alerted to any
strangeness going on.

Chrome also has a default HSTS list embedded in it. My own domains
"grepular.com" and "emailprivacytester.com" are forced through HTTPS
even on the first visit, because they are hard coded into Chrome.
Although they're not pinned to a particular cert. You can add your own
domains to this list in Chrome as well. See
http://www.imperialviolet.org/2010/01/26/sts.html for information on
how to do that. Also, the HTTPS-Everywhere project uses a script to
compile rulesets automatically from the Chrome list.

- -- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4


-----BEGIN PGP SIGNATURE-----

iQGGBAEBCgBwBQJP90RSMBSAAAAAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu
Z0BwZ3AuY29tcGdwbWltZTgUgAAAAAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt
aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBA8LB/0fVOsOFOu1
KOABL9NXs5xZFhgUvES57nz7G2+f4e5JmeHgyPlKOtqDbLld048SF7rEEv8yzxqu
aZ5rculI7DDIjWy/cUaX0rOW0E7Cs8jKj+wVMzORPxSlzAx7mNj1rnzY2tHOqrMB
ZSUKjAAaUeAAOfak7a7AA8HoYP35ixvSP/srxiWEF3dLjYuQyNbUdAGczBOpOzuB
hByFz2LL1B78BLWyTugDmFP0q+DqGmA3FF5URqiMrqxSO+RUos1HaP8qzCfnTZ0p
rLffM4T3T2Phtnz8z31pVBgXk7bYM81nmcqAErbAn6Efr+wSYlCOTd3wQ3hdezir
+wcaUtOiZn+d
=71KU
-----END PGP SIGNATURE-----


More information about the tor-talk mailing list