[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] How to pin the SSL certificate for torproject.org?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 06/07/12 16:46, proper@xxxxxxxxxxxxxxx wrote:
> A malicious certificate for torproject.org has been given out at
> least twice by broken certificate authorities. (Comodo, DigiNotar,
> who is next...)
>
> To prevent that in future, I'd like to pin the SSL certificate's
> fingerprint. How can that be done? Running an own local CA or is
> there an easier way?
>
> How to download the SSL public key from torproject.org and sign it
> with a local CA?
The Tor project SSL certs are already pinned within Chrome. Search for
the string DOMAIN_TORPROJECT_ORG in:
https://src.chromium.org/viewvc/chrome/trunk/src/net/base/transport_security_state_static.h
I don't think Firefox has anything similar. Personally I use
HTTPS-Everywhere and Certificate Patrol, so I should be alerted to any
strangeness going on.
Chrome also has a default HSTS list embedded in it. My own domains
"grepular.com" and "emailprivacytester.com" are forced through HTTPS
even on the first visit, because they are hard coded into Chrome.
Although they're not pinned to a particular cert. You can add your own
domains to this list in Chrome as well. See
http://www.imperialviolet.org/2010/01/26/sts.html for information on
how to do that. Also, the HTTPS-Everywhere project uses a script to
compile rulesets automatically from the Chrome list.
- --
Mike Cardwell https://grepular.com/ http://cardwellit.com/
OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
-----BEGIN PGP SIGNATURE-----
iQGGBAEBCgBwBQJP90RSMBSAAAAAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu
Z0BwZ3AuY29tcGdwbWltZTgUgAAAAAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt
aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBA8LB/0fVOsOFOu1
KOABL9NXs5xZFhgUvES57nz7G2+f4e5JmeHgyPlKOtqDbLld048SF7rEEv8yzxqu
aZ5rculI7DDIjWy/cUaX0rOW0E7Cs8jKj+wVMzORPxSlzAx7mNj1rnzY2tHOqrMB
ZSUKjAAaUeAAOfak7a7AA8HoYP35ixvSP/srxiWEF3dLjYuQyNbUdAGczBOpOzuB
hByFz2LL1B78BLWyTugDmFP0q+DqGmA3FF5URqiMrqxSO+RUos1HaP8qzCfnTZ0p
rLffM4T3T2Phtnz8z31pVBgXk7bYM81nmcqAErbAn6Efr+wSYlCOTd3wQ3hdezir
+wcaUtOiZn+d
=71KU
-----END PGP SIGNATURE-----
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk