#20146: Tor browser certificate pinning bypass for addons.mozilla.org and other
pinned sites
 Reporter:  mancha                    |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Critical                  |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by jmprcx):

 Greetings folks,

 Just wanted to add some input here and much respect to all for fixing this

 The Mozilla-proposed solution is garbage to my understanding. If HPKP pins
 are used I believe they get wiped in private browsing mode so then it
 offers no protection on the next startup. HPKP pins can also be used as a
 method to track user activity so some users may not want to store pins.

 I like option 2 as proposed. Also maybe it would be worthwhile to do add-
 ons over onion service only? I don't see a point in making a Tor Browser
 user beacon out to the clearnet for no good reason.


Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20146#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list

Reply via email to