[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How to pin the SSL certificate for torproject.org?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] How to pin the SSL certificate for torproject.org?
From: tor@xxxxxxxxxxxxxxxxxx
Date: Fri, 06 Jul 2012 21:02:26 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 06 Jul 2012 16:02:00 -0400
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.grepular.com; s=dkim1; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:References:Subject:To:MIME-Version:From:Date:Message-ID; bh=YFxJp0wlJSrLLSCAV1ikeLKA2TryIf/L3rRSfKtCfsw=; b=ZpYuaPQVBafA+A+/kSkff0QjErWuwUPaSoD1GxAYN5hGjaixJNGMw7YFPobnG6sf8aORMv7uR3O4/B4CdouvwXp7jtTzaDXZyt01HkvSHFSBOl59VKzrCE5Qq7qbshk69IJVHtxxS290cc9AcVfZXiRqga/X78dYKdBv1HlHlvI=;
In-reply-to: <336e29021550244dbe7fb60b1a23cf60@xxxxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: url=https://grepular.com/0018461F.pub.asc
References: <336e29021550244dbe7fb60b1a23cf60@xxxxxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 06/07/12 16:46, proper@xxxxxxxxxxxxxxx wrote:

> A malicious certificate for torproject.org has been given out at
> least twice by broken certificate authorities. (Comodo, DigiNotar,
> who is next...)
> 
> To prevent that in future, I'd like to pin the SSL certificate's
> fingerprint. How can that be done? Running an own local CA or is
> there an easier way?
> 
> How to download the SSL public key from torproject.org and sign it
> with a local CA?

The Tor project SSL certs are already pinned within Chrome. Search for
the string DOMAIN_TORPROJECT_ORG in:

https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.h

I don't think Firefox has anything similar. Personally I use
HTTPS-Everywhere and Certificate Patrol, so I should be alerted to any
strangeness going on.

Chrome also has a default HSTS list embedded in it. My own domains
"grepular.com" and "emailprivacytester.com" are forced through HTTPS
even on the first visit, because they are hard coded into Chrome.
Although they're not pinned to a particular cert. You can add your own
domains to this list in Chrome as well. See
http://www.imperialviolet.org/2010/01/26/sts.html for information on
how to do that. Also, the HTTPS-Everywhere project uses a script to
compile rulesets automatically from the Chrome list.

- -- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4

-----BEGIN PGP SIGNATURE-----

iQGGBAEBCgBwBQJP90RSMBSAAAAAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu
Z0BwZ3AuY29tcGdwbWltZTgUgAAAAAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt
aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBA8LB/0fVOsOFOu1
KOABL9NXs5xZFhgUvES57nz7G2+f4e5JmeHgyPlKOtqDbLld048SF7rEEv8yzxqu
aZ5rculI7DDIjWy/cUaX0rOW0E7Cs8jKj+wVMzORPxSlzAx7mNj1rnzY2tHOqrMB
ZSUKjAAaUeAAOfak7a7AA8HoYP35ixvSP/srxiWEF3dLjYuQyNbUdAGczBOpOzuB
hByFz2LL1B78BLWyTugDmFP0q+DqGmA3FF5URqiMrqxSO+RUos1HaP8qzCfnTZ0p
rLffM4T3T2Phtnz8z31pVBgXk7bYM81nmcqAErbAn6Efr+wSYlCOTd3wQ3hdezir
+wcaUtOiZn+d
=71KU
-----END PGP SIGNATURE-----
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] How to pin the SSL certificate for torproject.org?
  - From: proper

Prev by Author: Re: [tor-talk] Transparent e-mail encryption?
Next by Author: Re: [tor-talk] hidden service on same location as public service
Previous by thread: Re: [tor-talk] How to pin the SSL certificate for torproject.org?
Next by thread: Re: [tor-talk] How to pin the SSL certificate for torproject.org? (#3555)
Index(es):
- Author
- Thread