#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
--------------------------------------+--------------------------
 Reporter:  mancha                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------
Changes (by mcs):

 * cc: brade, mcs (added)


Comment:

 I think it is worthwhile to think about doing this. But never expiring the
 static pins will make updates fail for users of an old Tor Browser when
 the certificates associated with the torproject.org servers are ever
 changed. It would be worthwhile to look at what the failure mode is, and
 maybe make improvements.

 We should also see what solution Mozilla comes up with for this problem.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Reply via email to