#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
 Reporter:  mancha                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by arma):

 Sebastian points out, I think correctly, that right now there is an https-
 everywhere update key somewhere in the world that is trusted by Tor
 Browser users (i.e. it can give them a bad update if it wants). GeKo
 points out that this issue is #10394.

 Separately, there is a site called addons.m.o which is trusted by Tor
 Browser users, because it can give them a bad noscript (either by having
 users accidentally go to a fake addons.m.o, or by having users go to the
 real one and it gives them a bad update).

 My 'option 1' above leaves both of these issues in place.

 My 'option 2' resolves both of them, assuming we do it for both noscript
 and https-everywhere.

 Whereas my 'option 3' replaces the addons.m.o issue with a new "there's a
 noscript update key somewhere in the world that is trusted" issue.

 This logic makes me like 'option 2' even more.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list

Reply via email to