[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] updating Tor



Grace H:
> Great that Tor Browser has automated upgrade system.
> 
> Does it check SSL certificate (pinning) and checks the download
> against a signature? How does it actually works?

Quoting the release announcement:

    Please also be aware that the security of the updater depends on the
    specific CA that issued the www.torproject.org HTTPS certificate
    (Digicert), and so it still must be activated manually through the
    Help ("?") "about browser" menu option. Very soon, we will support
    both strong HTTPS site-specific certificate pinning (ticket #11955)
    and update package signatures (ticket #13379). Until then, we do not
    recommend using this updater if you need stronger security and
    normally verify GPG signatures.

https://blog.torproject.org/blog/tor-browser-40-released

-- 
Lunar                                             <lunar@xxxxxxxxxxxxxx>

Attachment: signature.asc
Description: Digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk