Opened 20 months ago

Closed 6 months ago

#25146 closed task (wontfix)

Enable HPKP for aus1

Reported by: gk Owned by: tpa
Priority: Medium Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Normal Keywords: tbb-update
Cc: brade, mcs Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


So, this seems to have fallen through the cracks. A while ago I got asked to ask Mozilla how to get subdomains added to the HPKP list. I got the info and tried to move that forward in #tor-project, but that failed. So, here is where we are:

18:01 < GeKo> so i asked around a bit a while back wrt getting more tpo 
              subdomains in the static firefox pin list.
18:02 < GeKo> and the answer was basically to open a ticket on bugzilla
18:02 < GeKo> probably similar to 
18:03 < GeKo> or maybe even better as a child bug to the pin all the things one: 
18:03 < GeKo> i'd be especially interested in static pins for the updater related 
18:04 < GeKo> what's the process for getting this moved forward?

One thing to consider is that Google is deprecating HPKP and pushing for CT. Not sure how that influences our decision for supporting HPKP ourselves.

Change History (12)

comment:1 Changed 20 months ago by mcs

Cc: brade mcs added

comment:2 Changed 17 months ago by weasel

Yeah, I'm really not sure what our HPKP plan should be.

comment:3 Changed 11 months ago by releng

It should be to add your sensitive subdomains to the browsers' HPKP built-in preload list (and to do nothing with HPKP itself).
See 'More information' section in

comment:4 Changed 11 months ago by micah

Google announced it is deprecating HPKP:!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ

I believe in general HPKP is going away because it is extremely risky. A trivial mistake will brick your site, and Google says it's too hard to build a pin-set that's guaranteed to work, plus there is the risk of hostile pinning. Hostile pinning hasn't been observed yet, but it's an attack that allows someone to take your site hostage should they somehow be able to obtain a valid certificate for your domain.

Adoption rate of HPKP has been very low, and because of that browser vendors are looking to replace it. Right now the alternatives are Expect-CT and CAA. I don't think it makes a lot of sense to pursue HPKP right now.
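The "trivial mistake will brick your site" point above is a property of how user agents note and enforce pins under RFC 7469. The following is an added worked example written for this page; it is not code from the ticket, from Tor Browser or from Mozilla. It implements the pin computation (base64 of the SHA-256 over the DER SubjectPublicKeyInfo), a parser for the Public-Key-Pins header, the rule that pins are only noted when at least one pin matches the served chain and at least one is a backup not in it, and then simulates a key rotation with and without the backup key. All key material is constructed dummy bytes standing in for real SPKI structures; the function and constant names are assumptions made for the example.

```python
"""Added example (not part of the ticket or of any Tor/Mozilla code): an RFC 7469
HPKP pin-set evaluator showing why rotating to a key outside the noted pin set
locks returning clients out for max-age.  All keys are constructed dummy bytes."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(header: str) -> dict:
    """Parse a Public-Key-Pins header value into its pins, max-age and flags."""
    pins, max_age, include_subdomains = set(), None, False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def chain_matches(pins: set, chain_spkis: list) -> bool:
    """A served chain is accepted if any SPKI in it hashes to a noted pin."""
    return any(spki_pin(s) in pins for s in chain_spkis)


def can_note_pins(pins: set, chain_spkis: list) -> bool:
    """RFC 7469 section 2.5: a UA notes pins only if at least one pin matches the
    served chain AND at least one pin is a backup that is not in the chain."""
    in_chain = {spki_pin(s) for s in chain_spkis}
    return bool(pins & in_chain) and bool(pins - in_chain)


# Constructed dummy SPKI blobs (assumed names; not real DER structures).
LEAF_KEY = b"constructed-leaf-spki-v1"
INTERMEDIATE_KEY = b"constructed-intermediate-spki"
BACKUP_KEY = b"constructed-offline-backup-spki"
ROTATED_KEY = b"constructed-leaf-spki-v2"
CHAIN_V1 = [LEAF_KEY, INTERMEDIATE_KEY]


def header_with_backup() -> str:
    """Correct deployment: current leaf pin plus an offline backup pin."""
    return (f'pin-sha256="{spki_pin(LEAF_KEY)}"; '
            f'pin-sha256="{spki_pin(BACKUP_KEY)}"; max-age=5184000; includeSubDomains')


def header_without_backup() -> str:
    """Common mistake: every pin is already in the served chain, so no backup."""
    return (f'pin-sha256="{spki_pin(LEAF_KEY)}"; '
            f'pin-sha256="{spki_pin(INTERMEDIATE_KEY)}"; max-age=5184000')


def evaluate(header: str, initial_chain: list, later_chain: list) -> tuple:
    """Simulate a client that first sees `header` over `initial_chain`, then
    returns within max-age and is served `later_chain`.
    Returns (pins_were_noted, later_chain_accepted)."""
    parsed = parse_pkp_header(header)
    if not can_note_pins(parsed["pins"], initial_chain):
        return False, True          # nothing noted, so no pin check is applied
    return True, chain_matches(parsed["pins"], later_chain)


if __name__ == "__main__":
    print("rotate to fresh key, backup pinned:   ",
          evaluate(header_with_backup(), CHAIN_V1, [ROTATED_KEY, INTERMEDIATE_KEY]))
    print("rotate to the backup key:             ",
          evaluate(header_with_backup(), CHAIN_V1, [BACKUP_KEY, INTERMEDIATE_KEY]))
    print("header had no backup, pins ignored:   ",
          evaluate(header_without_backup(), CHAIN_V1, [ROTATED_KEY, INTERMEDIATE_KEY]))
```

The first scenario is the outage described in the comment: the operator pinned a backup key but rotates to a key that is neither the current nor the backup key (for instance after losing the offline backup), and every client that noted the pins refuses the new chain until max-age expires. The second scenario is the only rotation that works, which is why the backup key must be generated and stored before the header ever ships. The third shows the other failure mode: a header whose pins all appear in the served chain is silently ignored by conforming clients, so the site gets no protection at all while the operator believes it is pinned.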

comment:5 Changed 11 months ago by releng

What is this stupid comment posted for?
HPKP is unusable on stateless browsers anyway and isn't discussed here.
Citing your precious google:

Note that we're keeping static/preloaded key pins for the time being. Many high-value target sites are thus still protected.

comment:6 Changed 11 months ago by nickm

Hey, let's try to be polite here, please? I know it's frustrating to communicate sometimes, but everybody involved with this project is a human being.

comment:7 in reply to: 6 Changed 11 months ago by releng

Replying to nickm:

Hey, let's try to be polite here, please?

Hey, Nick! Let's try, but it's not the best strategy ever.

I know it's frustrating to communicate sometimes, but everybody involved with this project is a human being.

Communicate? After sunsetting Tor Messenger without a replacement, restricting IRC channels, disabling cypherpunks account, etc? It's hard to believe somebody here wants to communicate...

comment:8 Changed 11 months ago by releng

The files were downloaded via HTTPS, but the server certificates or public keys were not pinned.

Last edited 11 months ago by releng

comment:9 Changed 8 months ago by gk

Cc: tbb-updater added

comment:10 Changed 8 months ago by gk

Cc: tbb-updater removed
Keywords: tbb-updater added

comment:11 Changed 7 months ago by gk

Keywords: tbb-update added; tbb-updater removed

Renaming keyword to make it a bit broader

comment:12 Changed 6 months ago by gk

Resolution: wontfix
Status: new → closed

I think we can do better than trying to get the update check pinned in Firefox by moving it to a .onion. However, we are not there yet (see: #17216). Meanwhile we patch our Tor Browser to add a static pin ourselves (#29811).
