Re: [tor-bugs] #3555 [Tor bundles/installation]: TBB: hardcode SSL cert check to prevent MITM
#3555: TBB: hardcode SSL cert check to prevent MITM
----------------------------------------+-----------------------------------
Reporter: tagnaq | Owner: mikeperry
Type: defect | Status: assigned
Priority: major | Milestone: TorBrowserBundle 2.2.x-stable
Component: Tor bundles/installation | Version:
Keywords: MikePerryIteration20110828 | Parent:
Points: 1 | Actualpoints:
----------------------------------------+-----------------------------------
Comment (by mikeperry):

Bleh, the only reference I can find for this in the Firefox source is the
pref app.update.certs.1.commonName. The pref is used in
./toolkit/mozapps/update/nsUpdateService.js and seems to only be used to
check the common name in the Checker.onLoad handler via CertUtils.checkCert.

The checkCert function does some additional checks to make sure the
channel is using a built-in cert, but I still don't see where in the
source distribution this builtin lives.

It also seems to say that we can't just include our cert, even if we
wanted. We must also cause this checkCert to get called for our addon
updates, otherwise the adversary could use a CA independent of our builtin
and it will still work.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3555#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
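
The two checks described in the comment above (a pinned common name plus a chain that ends in a built-in root), modelled as an added example that is not part of the original message and is not Firefox's CertUtils code. The certificate object shape, the function names and all sample values are assumptions constructed for illustration.

```javascript
// Simplified model of a two-part update-certificate check. The object shape
// (commonName, issuer, builtIn) is hypothetical, not Firefox's certificate API.

// Part 1: the leaf certificate must match at least one pinned attribute set,
// e.g. a value stored in a pref such as app.update.certs.1.commonName.
function matchesPinnedAttributes(leaf, pinnedSets) {
  return pinnedSets.some((pin) =>
    Object.keys(pin).every((attr) => leaf[attr] === pin[attr]));
}

// Part 2: follow issuer links to the root and require that the root is a
// trust anchor shipped with the application, not one added afterwards.
function chainsToBuiltInRoot(leaf) {
  let cert = leaf;
  const seen = new Set();
  while (cert.issuer) {
    if (seen.has(cert)) return false; // malformed chain with a loop
    seen.add(cert);
    cert = cert.issuer;
  }
  return cert.builtIn === true;
}

function checkUpdateCert(leaf, pinnedSets) {
  if (!leaf) return "no-certificate";
  if (!matchesPinnedAttributes(leaf, pinnedSets)) return "attribute-mismatch";
  if (!chainsToBuiltInRoot(leaf)) return "root-not-built-in";
  return "ok";
}

// Constructed sample data: one pin, two roots, three leaf certificates.
const PINS = [{ commonName: "updates.example.org" }];
const builtInRoot = { commonName: "Example Built-in Root CA", issuer: null, builtIn: true };
const addedRoot = { commonName: "Locally Added Root CA", issuer: null, builtIn: false };
const SAMPLES = {
  expected: { commonName: "updates.example.org", issuer: builtInRoot },
  sameNameOtherRoot: { commonName: "updates.example.org", issuer: addedRoot },
  otherNameBuiltInRoot: { commonName: "other.example.org", issuer: builtInRoot },
};

for (const [name, cert] of Object.entries(SAMPLES)) {
  console.log(name, "->", checkUpdateCert(cert, PINS));
}
```

Only the first sample passes; each of the other two is stopped by a different half of the check. An update path that never calls such a check gets neither protection, which is the addon-update concern raised in the comment.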