[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Always up-to-date HSTS preload list for Tor?



Hi,

Ivan Ristic:
> Dear Tor developers,
> 
> My SSL Labs server test has a feature where it checks for preloaded HSTS
> in Chrome, IE, Firefox, and Tor.
> 
> You can see it near the bottom of this report, for example (under "HSTS
> Preloading"):
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=scotthelme.co.uk&s=107.170.218.42&latest
> 
> For Tor, I download the preload list from this URL:
> 
> https://gitweb.torproject.org/tor-browser.git/plain/security/manager/boot/src/nsSTSPreloadList.inc?h=tor-browser-38.2.1esr-5.0-2
> 
> That's the best I could find (when I originally implemented the
> feature), and I now see that the version number has advanced since.
> 
> Which brings me to my question: is there a public URL that always
> contains the latest preload list?

We are not patching the preload list. Tor Browser ships the same list as
the Firefox ESR version it is built upon. So, in a sense, no, there is
no such URL as we have different branches for different ESR releases.
But I guess tracking the latest Firefox ESR (which you might be doing
anyway) and assuming the same list for the latest Tor Browser should be
working fine for your purposes.

Georg


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev