Terminology in this field is ambiguous. "(public key) pinning" is easily misunderstood. Not to be confused with SSL Certificate Authority (CA) Pinning! This ticket is for pinning the exact certificate.
wget has no feature for direct certificate pinning (feature request).
Whonix 14 will be based on Debian stretch, so this could now be implemented.
TODO: Implement using curl and --pinnedpubkey
Enable this by default or not?
If you want to discuss whether this should be enabled by default or not, please see Defaults Discussion and create a child ticket.
- sdwdate uses onions rather than SSL: T131
- wget local CA alternative workaround: T81
- openssl s_client method: T82
- python method: T146
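
Added example (not part of the ticket or of Whonix code): computing the sha256// value that curl's --pinnedpubkey option takes, next to a whole-certificate fingerprint, for two constructed self-signed certificates that share one key. The host name pin.example, the file names and the function names are assumptions. The key pin comes out identical for both certificates while the certificate fingerprint differs, so --pinnedpubkey follows the key rather than one exact certificate.

```shell
#!/bin/sh
# Added example, not from the ticket. pin.example and all file names are constructed.

# spki_pin CERT.pem: base64(SHA-256(DER SubjectPublicKeyInfo)), the value
# curl expects after "sha256//" in --pinnedpubkey.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# cert_fp CERT.pem: base64(SHA-256(whole DER certificate)), an exact-certificate pin.
cert_fp() {
    openssl x509 -in "$1" -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# fetch_pinned URL CERT.pem OUTFILE: HTTPS only; curl aborts the handshake
# when the server's public key does not hash to the pin taken from CERT.pem.
fetch_pinned() {
    curl --fail --silent --show-error --proto '=https' \
        --pinnedpubkey "sha256//$(spki_pin "$2")" \
        --output "$3" "$1"
}

# make_samples DIR: one EC key and two self-signed certificates for it,
# standing in for a certificate and its renewal with an unchanged key.
make_samples() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=pin.example" \
        -days 30 -out "$1/old.pem" 2>/dev/null &&
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=pin.example" \
        -days 60 -out "$1/new.pem" 2>/dev/null
}

# demo: print both kinds of pin for the constructed certificate pair.
demo() {
    dir=$(mktemp -d) && make_samples "$dir" || return 1
    echo "key pin,  old cert: $(spki_pin "$dir/old.pem")"
    echo "key pin,  new cert: $(spki_pin "$dir/new.pem")"
    echo "cert pin, old cert: $(cert_fp "$dir/old.pem")"
    echo "cert pin, new cert: $(cert_fp "$dir/new.pem")"
    rm -rf "$dir"
}
demo
```

fetch_pinned is defined but not called here, because it needs a reachable HTTPS server whose certificate was saved beforehand over a trusted channel.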