Terminology in this field is ambiguous. "(public key) pinning" is easily misunderstood. Not to be confused with SSL Certificate Authority (CA) Pinning! This ticket is for pinning the exact certificate.
TPO offers fingerprints on their website.
TPO offers no hidden services that could be used as alternative anymore.
wget has no feature for direct certificate pinning (feature request).
whonixcheck has an unfinished --pin-tpo-cert feature.
Whonix 14 will be based on Debian stretch, so this could now be implemented.
TODO: Implement using curl and --pinnedpubkey
Enable this by default or not?
If you want to discuss if this should be enabled by default or not, please see Defaults Discussion and create a child ticket.
- sdwdate uses onions rather than SSL: T131
- wget local CA alternative workaround: T81
- openssl sclient method: T82
- python method: T146
Wait for curl 7.39.0 to appear in Debian.Done, stretch comes with curl 7.51.
- Implement this in whonixcheck and tb-updater.