Page MenuHomePhabricator

direct SSL certificate pinning for check.torproject.org and torproject.org (curl method)
Open, NormalPublic

Description

Migrated from:
https://github.com/Whonix/Whonix/issues/24


Info:

Terminology in this field is ambiguous. "(public key) pinning" is easily misunderstood. Not to be confused with SSL Certificate Authority (CA) Pinning! This ticket is for pinning the exact certificate.

TPO offers fingerprints on their website.

TPO offers no hidden services that could be used as alternative anymore.

wget has no feature for direct certificate pinning (feature request).

whonixcheck has an unfinished --pin-tpo-cert feature.

Status:

Whonix 14 will be based on Debian stretch, so this could now be implemented.

TODO: Implement using curl and --pinnedpubkey


Enable this by default or not?

If you want to discuss if this should be enabled by default or not, please see Defaults Discussion and create a child ticket.


Related tickets:

  • sdwdate uses onions rather than SSL: T131
  • wget local CA alternative workaround: T81
  • openssl sclient method: T82
  • python method: T146

TODO:

Details

Impact
Needs Triage

Event Timeline

Patrick created this task.Jan 14 2015, 5:19 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added subscribers: Patrick, HulaHoop.
Patrick updated the task description. (Show Details)Feb 8 2015, 3:11 AM

This may not be needed if TPO switches to Let's Encrypt for its own sites. It would be as simple as trusting their CA without worrying about expired certs or MITM.

Security comparison:

Self-signed cert > Let's Encrypt > Current CA model

Our options are limited but what TPO decides to proceed so we need to ask them and get an idea.

To be researched: The implications of NSLs on Let's Encrypt's security.

letsencrypt should go into it's own ticket. Not good to have it under
"direct SSL certificate pinning".

Key level pinning is not coded yet but planned. Lets Encrypt logs can be checked by users for signs of strange behavior or sudden key changes. Lets Encrypt aims for great transparency and will fight to defeat NSLs but As a CA this type of legal attack can happen. Sticking to the previous idea of direct cert pinning makes more sense for usability and security IMO.

Patrick closed this task as Resolved.Jan 15 2017, 7:06 AM
Patrick reopened this task as Open.
Patrick claimed this task.
Patrick updated the task description. (Show Details)
Patrick set Impact to Needs Triage.
Patrick edited projects, added Whonix 15; removed Debian version 9 codename Stretch.
Patrick updated the task description. (Show Details)
Patrick updated the task description. (Show Details)Jan 15 2017, 7:09 AM
Patrick updated the task description. (Show Details)May 30 2017, 11:42 PM
Patrick removed Patrick as the assignee of this task.Oct 1 2018, 1:17 PM

We can now grab the browser tarball from the TPO onion instead which makes this ticket obsolete. Close if you concur.