#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
 Reporter:  mancha                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by flyryan):

 Hey guys. Just wanted to throw Mozilla's statement in here. They are
 enabling HPKP on addons.mozilla.org, which will inherently fix the problem.
 They could do this right now and fix all of Firefox but I don't know if
 that's their plan or if they are waiting until Tuesday.

 > We investigated this and a fix will be issued in the next Firefox
 > release on Tuesday, September 20. We had fixed an issue with the broken
 > automation on the Developer Edition on September 4, but a certificate
 > pinning had expired for users of our Release and Extended Support Release
 > versions. We will be turning on HPKP on the addons.mozilla.org server
 > itself so that users will remain protected once they have visited the site
 > even if the built-in pins expire. We will be changing our internal
 > processes so built-in certificate pins do not expire prematurely in future

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
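
The interaction between expiring built-in pins and HPKP that the quoted statement describes, as an added example that is not part of the ticket and is not Firefox or Tor Browser code. `PinStore`, the timestamps and the key bytes are constructed for illustration; the model is simplified (no `includeSubDomains`, no backup-pin requirement, no `max-age=0` handling).

```python
import base64, hashlib, re

def spki_pin(spki_der):
    # RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_hpkp(header):
    # Returns (set of pin-sha256 values, max-age in seconds)
    pins = set(re.findall(r'pin-sha256\s*=\s*"([A-Za-z0-9+/=]+)"', header))
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.I)
    if not pins or m is None:
        raise ValueError("need at least one pin-sha256 and a max-age")
    return pins, int(m.group(1))

class PinStore:
    def __init__(self, static_pins, static_expiry):
        self.static_pins = static_pins      # host -> pins shipped in the build
        self.static_expiry = static_expiry  # built-in pins are ignored after this time
        self.dynamic = {}                   # host -> (pins, expires_at) from HPKP

    def note_header(self, host, header, chain_pins, now):
        # Remember header pins only if the validated chain matches one of them
        pins, max_age = parse_hpkp(header)
        if pins & set(chain_pins):
            self.dynamic[host] = (pins, now + max_age)

    def check(self, host, chain_pins, now):
        # chain_pins: pins of every key in a chain that already passed CA validation
        active = []
        if host in self.static_pins and now < self.static_expiry:
            active.append(self.static_pins[host])
        if host in self.dynamic and now < self.dynamic[host][1]:
            active.append(self.dynamic[host][0])
        if not active:
            return "unpinned"
        return "ok" if all(p & set(chain_pins) for p in active) else "pin-mismatch"

def demo():
    # Constructed stand-ins for SPKI bytes; not real keys
    good, backup, other = (spki_pin(b) for b in (b"site-key", b"backup-key", b"other-ca-key"))
    host, expiry = "addons.mozilla.org", 1000
    header = f'pin-sha256="{good}"; pin-sha256="{backup}"; max-age=5184000'
    fresh = PinStore({host: {good}}, expiry)    # profile that never visited the site
    visited = PinStore({host: {good}}, expiry)  # profile that saw the header at t=500
    visited.note_header(host, header, [good], now=500)
    return {"static_live": fresh.check(host, [other], now=900),
            "expired_never_visited": fresh.check(host, [other], now=1001),
            "expired_visited": visited.check(host, [other], now=1001),
            "expired_visited_real_cert": visited.check(host, [good], now=1001)}
```

In this model, the `expired_never_visited` result is the case HPKP alone does not cover: a profile that has not yet received the header has no dynamic pin to fall back on once the built-in pin has lapsed.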