Re: [tor-bugs] #17442 [Tor Browser]: adjust or remove updater cert pinning



#17442: adjust or remove updater cert pinning
-----------------------------------+-----------------------------------
 Reporter:  mcs                    |          Owner:  tbb-team
     Type:  defect                 |         Status:  needs_information
 Priority:  Medium                 |      Milestone:
Component:  Tor Browser            |        Version:
 Severity:  Normal                 |     Resolution:
 Keywords:  TorBrowserTeam201511R  |  Actual Points:
Parent ID:                         |         Points:
  Sponsor:                         |
-----------------------------------+-----------------------------------
Changes (by gk):

 * status:  needs_review => needs_information


Comment:

 The backported patches look good to me (you even made sure all the typos
 stayed in place ;) ). I think this is fine for the alpha and I applied
 them to tor-browser-38.4.0esr-5.5-1 (commits
 c429e391927b9f6462274c5a7b51cf66cd253ddf and
 f90a87efb57f9e2fd7f3b23e812af721f092a733).

 Would you look into whether we are fine with pinning the certs for the
 updater as well given that Mozilla is pinning them, too, but is still
 claiming they don't want the update breaking if MITM proxies are tampering
 with TLS?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17442#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online