Grace H:
> Great that Tor Browser has automated upgrade system.
>
> Does it check SSL certificate (pinning) and checks the download
> against a signature? How does it actually works?
Quoting the release announcement:
Please also be aware that the security of the updater depends on the
specific CA that issued the www.torproject.org HTTPS certificate
(Digicert), and so it still must be activated manually through the
Help ("?") "about browser" menu option. Very soon, we will support
both strong HTTPS site-specific certificate pinning (ticket #11955)
and update package signatures (ticket #13379). Until then, we do not
recommend using this updater if you need stronger security and
normally verify GPG signatures.
https://blog.torproject.org/blog/tor-browser-40-released
--
Lunar <lunar@xxxxxxxxxxxxxx>
Attachment:
signature.asc
Description: Digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk