Page MenuHomePhabricator
Create Task
Maniphest T80

direct SSL certificate pinning for check.torproject.org and torproject.org (curl method)
Open, NormalPublic
Actions

Description

Migrated from:
https://github.com/Whonix/Whonix/issues/24

Info:

Terminology in this field is ambiguous. "(public key) pinning" is easily misunderstood. Not to be confused with SSL Certificate Authority (CA) Pinning! This ticket is for pinning the exact certificate.

TPO offers fingerprints on their website.

TPO offers no hidden services that could be used as alternative anymore.

wget has no feature for direct certificate pinning (feature request).

whonixcheck has an unfinished --pin-tpo-cert feature.

Status:

Whonix 14 will be based on Debian stretch, so this could now be implemented.

TODO: Implement using curl and --pinnedpubkey

Enable this by default or not?

If you want to discuss if this should be enabled by default or not, please see Defaults Discussion and create a child ticket.

Related tickets:

  • sdwdate uses onions rather than SSL: T131
  • wget local CA alternative workaround: T81
  • openssl sclient method: T82
  • python method: T146

TODO:

Details

Impact
Needs Triage

Related Objects

Event Timeline

Patrick created this task.Jan 14 2015, 4:19 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added projects: security, Debian version 9 codename Stretch, tb-updater, whonixcheck.
Patrick added subscribers: Patrick, HulaHoop.
Herald added a project: Whonix. · View Herald TranscriptJan 14 2015, 4:19 PM
Patrick mentioned this in T81: direct SSL certificate pinning for check.torproject.org and torproject.org (wget local CA workaround).Jan 14 2015, 4:48 PM
Patrick updated the task description. (Show Details)
Patrick mentioned this in T82: direct SSL certificate pinning for check.torproject.org and torproject.org (openssl s_client method).Jan 14 2015, 5:26 PM
Patrick updated the task description. (Show Details)
Patrick updated the task description. (Show Details)Feb 8 2015, 2:11 AM
Patrick mentioned this in T146: direct SSL certificate pinning for check.torproject.org and torproject.org (python method).Feb 8 2015, 2:18 AM
Patrick updated the task description. (Show Details)
HulaHoop added a comment.Dec 7 2015, 3:41 PM

This may not be needed if TPO switches to Let's Encrypt for its own sites. It would be as simple as trusting their CA without worrying about expired certs or MITM.

Herald added a subscriber: WhonixQubes. · View Herald TranscriptDec 7 2015, 3:41 PM
HulaHoop added a comment.Dec 8 2015, 7:36 PM

Security comparison:

Self-signed cert > Let's Encrypt > Current CA model

Our options are limited but what TPO decides to proceed so we need to ask them and get an idea.

To be researched: The implications of NSLs on Let's Encrypt's security.

Patrick added a comment.Dec 8 2015, 7:46 PM

letsencrypt should go into it's own ticket. Not good to have it under
"direct SSL certificate pinning".

HulaHoop added a comment.Mar 1 2016, 12:04 AM

https://lists.torproject.org/pipermail/tor-talk/2016-February/040462.html

HulaHoop added a comment.Mar 1 2016, 6:37 PM

Key level pinning is not coded yet but planned. Lets Encrypt logs can be checked by users for signs of strange behavior or sudden key changes. Lets Encrypt aims for great transparency and will fight to defeat NSLs but As a CA this type of legal attack can happen. Sticking to the previous idea of direct cert pinning makes more sense for usability and security IMO.

Patrick closed this task as Resolved.Jan 15 2017, 6:06 AM
Patrick reopened this task as Open.
Patrick claimed this task.
Patrick updated the task description. (Show Details)
Patrick set Impact to Needs Triage.
Patrick edited projects, added Whonix 15; removed Debian version 9 codename Stretch.
Patrick updated the task description. (Show Details)
Patrick updated the task description. (Show Details)Jan 15 2017, 6:09 AM
Patrick updated the task description. (Show Details)May 30 2017, 9:42 PM
Patrick removed Patrick as the assignee of this task.Oct 1 2018, 11:17 AM
HulaHoop added a comment.Oct 13 2018, 12:47 PM

We can now grab the browser tarball from the TPO onion instead which makes this ticket obsolete. Close if you concur.

Patrick removed a project: Whonix 15.Dec 7 2018, 10:56 AM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer