
Re: [tor-talk] How to pin the SSL certificate for torproject.org?

>> And what about FF's 'are you sure want to connect
>> to this strange cert'... 'accept one time' or 'add and accept
>> forever' option? So why not dump the cert in the forever file?

>> But if that's not checking _at least_ the fingerprint, and hopefully
>> the cert chain, then it's useless for security.

> That sounds reasonable in theory for further programmers but is no solution I could use right now.

If the FF 'forever file' is doing a binary compare of the cert,
or a print compare, then find how to add your server certs to that
file as it would be safe.

If it's a CN, subject hash, serial, CA, or any other check, it's useless.

> I posted a feature request against wget.
> https://lists.gnu.org/archive/html/bug-wget/2012-07/msg00007.html
>
> But I doubt anyone is interested to add such a feature.

They are talking on it, so maybe.
But you probably need to say you want to 'pin' the server cert.
Or show an example of another program, like this fetchmail:

 via pop.gmail.com
 ssl
 sslcertck
 sslfingerprint "B8:AF:A7:80:CD:E2:31:50:6F:ED:0E:4F:C8:04:D6:CD"

I have only the needed signing certs in certs dir for sslcertck CA
validity check.
And sslfingerprint for my real security guarantee.
Though you can still DNS attack me... after you steal google privkey :)

>> https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
>>
>> https://github.com/agl/extract-nss-root-certs.git
>
> I don't understand how that could help with my original question.

That was for whoever else was talking about builtin
root certs in this thread :)
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk