#19481: Change app.update.url to point to aus1.tpo --------------------------------------+------------------------------ Reporter: gk | Owner: tbb-team Type: task | Status: needs_review Priority: Medium | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: TorBrowserTeam201609R | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: --------------------------------------+------------------------------
Comment (by gk): Replying to [comment:7 yawning]: > Replying to [comment:3 gk]: > > weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right now. It might come in the future. > > This shouldn't be done at all till it's possible to pin the cert chain for aus1.tpo over a prolonged period of time (not the rather short 3 months imposed by the Let's Encrypt cert lifespan). > > WHile the scope of potential problems from not doing so should be limited to adversaries withholding updates (since the MARs are signed), that feels suboptimal. I've created #20180 for aus1.tpo and cdn.tpo pinning. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19481#comment:8> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs