weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right now. It might come in the future.
This shouldn't be done at all till it's possible to pin the cert chain for aus1.tpo over a prolonged period of time (not the rather short 3 months imposed by the Let's Encrypt cert lifespan).
While the scope of potential problems from not doing so should be limited to adversaries withholding updates (since the MARs are signed), that feels suboptimal.
I've created #20180 (moved) for aus1.tpo and cdn.tpo pinning.
We should point to the new location for our xml files
You should check that even if you put your xml files directly on NSA server, your updater will apply the intended updates only.
weasel said there is no key pinning for aus1.tpo nor for cdn.tpo right now. It might come in the future.
weasel AFAIK is responsible for server side where only HPKP is available and not used. But should?
This shouldn't be done at all till it's possible to pin the cert chain for aus1.tpo over a prolonged period of time (not the rather short 3 months imposed by the Let's Encrypt cert lifespan).
Usually only CA certs are pinned (on Mozilla side too), chain can't be pinned. If you are going to pin your 3 mo cert itself (which is best for security as it fully "breaks" PKI), then it's better to develop strong policy for the whole your infrastructure support (instead of PKI) at first, or you will end with a disaster worse than Mozilla has had recently.
While the scope of potential problems from not doing so should be limited to adversaries withholding updates (since the MARs are signed), that feels suboptimal.
The scope of potential problems is limited to: some adversary could prevent TBB from updating (if there are no holes in the process of checking signed MARs).
We have HPKP for aus1.tpo now. Thus, let's try this switch in the next alpha. We might be able to get something even better before 6.5 gets stable. Commit 74af032f2b07b8106b216a240c175d163634d89d on tor-browser-45.4.0esr-6.5-1 has the fix.
Trac: Status: needs_review to closed; Resolution: N/A to fixed
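The thread turns on two HPKP points: a pin is a hash of a public key (SPKI), not of a certificate or a chain, and a pinned key may sit anywhere in the served chain, which is why pinning the intermediate survives a 90-day leaf renewal while pinning the leaf key does not. The following added example (my own code, not Tor Project or Mozilla code) shows RFC 7469 pin derivation, a `Public-Key-Pins` header parser that rejects a policy without a backup pin, and the chain check, run over a constructed leaf-rotation scenario. The SPKI byte strings are constructed stand-ins, not real DER; the hash does not care, so they are enough to show the logic.

```python
"""Added example: RFC 7469 style HPKP pin derivation, header parsing and
chain validation, run against a constructed 90-day leaf rotation.

Not Tor Project code. All SPKI blobs below are constructed placeholders.
"""
import base64
import hashlib
import re


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(header: str) -> dict:
    """Parse a Public-Key-Pins header into pins, max_age and include_subdomains.

    Raises ValueError for a policy RFC 7469 tells a client to ignore:
    fewer than two pins (no backup pin) or a missing max-age.
    """
    pins = set()
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")  # pin values end in '=' but
        name = name.strip().lower()                # partition splits on the first
        value = value.strip().strip('"')
        if name == "pin-sha256":
            # 32-byte digest -> 43 base64 chars plus one '=' pad
            if not re.fullmatch(r"[A-Za-z0-9+/]{43}=", value):
                raise ValueError(f"malformed pin: {value!r}")
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins; one must be a backup")
    if max_age is None:
        raise ValueError("max-age is required")
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def policy_is_acceptable(header: str) -> bool:
    """True if a client would honour the header, False if it must ignore it."""
    try:
        parse_hpkp_header(header)
        return True
    except ValueError:
        return False


def chain_matches_pins(chain_spkis, pins) -> bool:
    """Pin validation: at least one SPKI in the served chain (leaf first,
    then intermediates, then root) must hash to a pinned value."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def rotation_outcomes() -> dict:
    """Constructed scenario: pin the leaf key vs. pin the intermediate key,
    then renew the leaf certificate with a fresh key (Let's Encrypt style)."""
    leaf_q1 = b"constructed SPKI: leaf key, first 90-day cert"
    leaf_q2 = b"constructed SPKI: leaf key, renewed cert with a new key"
    intermediate = b"constructed SPKI: intermediate CA key"
    backup = b"constructed SPKI: offline backup key"

    chain_before = [leaf_q1, intermediate]
    chain_after = [leaf_q2, intermediate]

    # max-age of 60 days is shorter than the 90-day leaf lifetime, but a
    # client that fetched the policy on day 89 still holds it on rotation day.
    leaf_policy = parse_hpkp_header(
        f'pin-sha256="{spki_pin(leaf_q1)}"; '
        f'pin-sha256="{spki_pin(backup)}"; max-age=5184000'
    )
    ca_policy = parse_hpkp_header(
        f'pin-sha256="{spki_pin(intermediate)}"; '
        f'pin-sha256="{spki_pin(backup)}"; max-age=5184000; includeSubDomains'
    )
    return {
        "leaf_pin_before": chain_matches_pins(chain_before, leaf_policy["pins"]),
        "leaf_pin_after": chain_matches_pins(chain_after, leaf_policy["pins"]),
        "ca_pin_before": chain_matches_pins(chain_before, ca_policy["pins"]),
        "ca_pin_after": chain_matches_pins(chain_after, ca_policy["pins"]),
    }


if __name__ == "__main__":
    for name, ok in rotation_outcomes().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```

The leaf-pinned policy rejects the renewed chain, which is the "disaster" failure mode the thread warns about: every client that cached the policy refuses the update server until max-age expires, and the signed MARs never help because the TLS connection is cut before any MAR is fetched. The intermediate-pinned policy accepts both chains, but it only narrows the trusted CA set rather than removing PKI from the picture, which is the trade-off the reply describes. The backup pin is what lets an operator recover from a lost or compromised key without bricking clients.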