Opened 5 years ago

Closed 3 years ago

#13553 closed enhancement (invalid)

CA pinning for the RPM repo

Reported by: cypherpunks
Owned by: hiviah
Priority: Medium
Milestone:
Component: Core Tor/RPM packaging
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Since #12897 has been implemented, RPM repo data is fetched using HTTPS.

To protect against SSL MITM attacks via compromised/rogue CAs, I would suggest implementing CA pinning.

YUM provides an easy way to implement this.
Simply add an additional line to your torproject.repo file [1]:

sslcacert=/path/to/issuing-ca.pem

That pem file should be rpm-managed so you can easily update it in case you switch CA.

[1] https://www.torproject.org/docs/rpms.html.en
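
A way to check whether the pin suggested in the description is actually in effect, as an added example that is not part of the ticket or of the project's packaging: it reads the stanzas of a .repo file and reports those where sslcacert is missing or cannot take effect. The repo ids, URLs and PEM path in the sample are constructed placeholders, and the function name is hypothetical.

```python
import configparser

# Constructed sample .repo content; repo ids, URLs and the PEM path are placeholders.
SAMPLE_REPO = """\
[example-pinned]
name=Example repo with a pinned issuing CA
baseurl=https://repo.example.invalid/rpm/fc20/
gpgcheck=1
sslverify=1
sslcacert=/etc/pki/example/issuing-ca.pem

[example-unpinned]
name=Example repo relying on the system CA bundle
baseurl=https://repo.example.invalid/rpm/el6/
gpgcheck=1

[example-noverify]
name=Example repo where the pin is ineffective
baseurl=https://repo.example.invalid/rpm/el7/
sslverify=0
sslcacert=/etc/pki/example/issuing-ca.pem
"""

FALSE_VALUES = {"0", "false", "no"}


def audit_repo_text(text):
    """Return {repo_id: [findings]} for each stanza of a yum .repo file."""
    # interpolation=None keeps '%' in URLs from being treated as a template.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        findings = []
        urls = repo.get("baseurl", "").split()
        if any(not u.lower().startswith("https://") for u in urls):
            findings.append("baseurl is not HTTPS, sslcacert has no effect")
        # yum verifies certificates by default, so only an explicit "off" counts.
        if repo.get("sslverify", "1").strip().lower() in FALSE_VALUES:
            findings.append("sslverify is off, certificate chain is not checked")
        if not repo.get("sslcacert", "").strip():
            findings.append("no sslcacert, any CA in the system bundle is accepted")
        report[repo_id] = findings
    return report


if __name__ == "__main__":
    for repo_id, findings in audit_repo_text(SAMPLE_REPO).items():
        print(repo_id, "OK" if not findings else "; ".join(findings))
```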

Change History (4)

comment:1 Changed 5 years ago by hiviah

Both EL and Fedora only provide bundles of CA certificates instead of having them separately. You can extract a cert, put it in a separate dir, and point sslcacert in tor.repo on your local system, but this won't scale.

comment:2 Changed 5 years ago by cypherpunks

What does not scale?

Instead of requiring manual steps as currently described at:
https://www.torproject.org/docs/rpms.html.en

a simple rpm package containing the torproject.repo and pem file could be provided.

Installing torproject's RPM repo would then be reduced to running a single command (+ gpg fingerprint checking):

# yum install https://deb.torproject.org/.../torproject-release-$(rpm -E %fedora).noarch.rpm

comment:3 Changed 5 years ago by hiviah

Isn't this a chicken-and-egg problem? If you use "yum install https://deb.torproject.org/..." then no SSL/TLS pinning will take effect anyway. What you get, though, is the need to tell users to update the RPM manually should the pinned CA cert ever change.

comment:4 Changed 3 years ago by cypherpunks

Resolution: invalid
Severity: Normal
Status: new → closed

The torproject no longer provides RPMs.