Page MenuHomePhabricator

direct SSL certificate pinning for check.torproject.org and torproject.org (openssl s_client method)
Open, NormalPublic

Description

Since direct SSL certificate pinning for check.torproject.org and torproject.org (curl method) (T80) would have to wait a long time, until Debian stretch, this ticket is for an alternative approach.

Please make sure you've read T80 first.

TODO reserarch:

1.)
openssl s_client can be used to fetch a website:

Step 1.

openssl s_client -connect check.torproject.org:443

Step 2

GET / HTTP/1.1
host: check.torproject.org

How can step two be automated in a script?

2.)
Can openssl s_client be used to fetch (similar to wget, curl) using direct SSL certificate pinning?

Not to be confused with SSL Certificate Authority (CA) pinning (similar to curls --cacert or --capath option)!

Similar to curls --pinnedpubkey that was added in version 7.39.0 (changelog).

3.)
Alternatively... Can one pipe curl (or wget) through openssl s_client?

Event Timeline

Patrick created this task.Jan 14 2015, 6:26 PM
Patrick raised the priority of this task from to Normal.
Patrick updated the task description. (Show Details)
Patrick added projects: research, security, Whonix, bash.
Patrick added subscribers: Patrick, troubadour, HulaHoop.

Since TPO infrastructure now moved to onions couldn't we just download use the onion domains for check.torproject.org, checking TBB version info and downloads?

If yes this closes T80, T81, and T146 too

whonixcheck Whonix 14 optional connectivity / IP leak test:
There is no onion for check.torproject.org.
( https://trac.torproject.org/projects/tor/ticket/6098 )
Would probably also not a sensible IP leak test then.
Unfortunately for that SSL pinning would still be useful.


tb-updater: using onions is a good idea. If the onions will be stable and not shut down at some point? Please create a ticket.

HulaHoop added a comment.EditedMay 31 2017, 2:40 PM

Would probably also not a sensible IP leak test then.

Thats right! I totally overlooked that :S

If the onions will be stable and not shut down at some point?

Unlikely. The load balancing problems that caused them to shut down their onions before have since been resolved with onion-balance. They are scalable enough ti support Debian apt mirrors now.

Please create a ticket.

OK