[tor-talk] How to pin the SSL certificate for torproject.org?

grarpamp grarpamp at gmail.com
Sat Jul 7 22:29:06 UTC 2012 

>> >> Fetchmail, msmtp, etc can all connect to a host,
>> >> take that cert fingerprint, compare it to the one you've
>> >> configured, and drop the connection if they differ.
>> >
>> > That may work against some adversaries but not against very clever adversaries.
>> He can let the first connection alone and tamper with the other one.
>>
>> It is first assumed one securely obtains and verifies certs
>> so you don't have this problem.
>
> I am not talking about the bootstrap problem getting the fingerprint for the first time.
>
> The adversary can let fetchmail, msmtp, etc through, return the correct fingerprint.
>
> Afterwards the adversary recognizes the the second connection, which might be wget and use a compromised root CA certificate.

I am not talking about wget or trusting CA's.

I'm talking about pinning hosts down to whatever
fingerprint I've chosen to accept before completing
the connection to them. Fetchmail etc, by example,
can do this. Simple, infallible [1].

Why bother trying to do all these ways to hack CSR's,
be your own CA, when you could take the example of
fetchmail, configure a fingerprint, and be done.
Not saying that FF can do this yet.

And what about FF's 'are you sure want to connect
to this strange cert'... 'accept one time' or 'add and accept
forever' option? So why not dump the cert in the forever file?
But if that's not checking _at least_ the fingerprint, and hopefully
the cert chain, then it's useless for security.

[1] And no, I'm not talking about being faked even with
use of DNSSEC (without first configuring the real dotroot
fingerprint too).
[1a] Or of not using at least SHA1, or SHA-3 soon.

Too bad, I checked elinks, lynx, curl, wget, fetch...
none do fingerprints. So yes, someone somewhere
should add fp checking to them. And while you're at it,
add the ability for them to speak to SOCKS5. Seems
like a small GSOC project :)

Also go here:
https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
https://github.com/agl/extract-nss-root-certs.git

More information about the tor-talk mailing list