#20149: Test that static public key pins are working
 Reporter: gk
 Owner: boklm
 Type: enhancement
 Status: assigned
 Priority: High
 Milestone:
 Component: Applications/Quality Assurance and Testing
 Version:
 Severity: Major
 Resolution:
 Keywords: tbb-security
 Actual Points:
 Parent ID:
 Points:
 Reviewer:
 Sponsor:

Comment (by mcs):

 Replying to [comment:3 boklm]:
 > In 59782207d2e5976d11226496f3dec57917cc5962 I added a test that checks
 > that key pinning on https://pinning-test.badssl.com/ is working. We are
 > checking that the page fails to load, and that the error page has

 The above test looks OK to me.

 > We are checking that it is working at the current date. I think I can
 > add another test on Linux that uses libfaketime to check that it also
 > works at a date 2 or 3 months in the future.

 That seems like a good idea. Should we also check, as part of our build
 process, that the timestamp in security/manager/ssl/StaticHPKPins.h is
 reasonable? I guess that would be a redundant check, but it might still be
 a good idea.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20149#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
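
One way to implement the build-time timestamp check suggested in the comment above, as an added example (not code from the ticket or from the Tor Browser build). It assumes the header stores the pin expiry as `kPreloadPKPinsExpirationTime = INT64_C(<microseconds since the Unix epoch>)`; the function names, the sample header and the 30-day default are hypothetical.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Assumed format: the generated header stores the pin expiry as a PRTime
# (microseconds since the Unix epoch) in kPreloadPKPinsExpirationTime.
EXPIRY_RE = re.compile(
    r"kPreloadPKPinsExpirationTime\s*=\s*INT64_C\(\s*(\d+)\s*\)")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample, not a real copy of StaticHPKPins.h.
SAMPLE_HEADER = """
/* constructed sample */
static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1483228800000000);
"""


def pins_expiration(header_text):
    """Return the pin expiry as an aware UTC datetime; raise if it is absent."""
    matches = EXPIRY_RE.findall(header_text)
    if len(matches) != 1:
        # Fail closed: a missing or duplicated constant leaves the check blind.
        raise ValueError(
            "expected exactly one expiration constant, found %d" % len(matches))
    return EPOCH + timedelta(microseconds=int(matches[0]))


def pins_valid_for(header_text, build_time, min_days):
    """True if the static pins are still enforced min_days after build_time."""
    remaining = pins_expiration(header_text) - build_time
    return remaining >= timedelta(days=min_days)


if __name__ == "__main__":
    # Usage: check_pins.py path/to/StaticHPKPins.h [min_days]
    with open(sys.argv[1], encoding="utf-8") as f:
        text = f.read()
    min_days = int(sys.argv[2]) if len(sys.argv) > 2 else 30  # hypothetical default
    expiry = pins_expiration(text).isoformat()
    if not pins_valid_for(text, datetime.now(timezone.utc), min_days):
        sys.exit("static pins expire %s, less than %d days after this build"
                 % (expiry, min_days))
    print("static pins valid until", expiry)
```

A non-zero exit from this script would stop the build before shipping a browser whose static pins lapse shortly after release.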