Terminology in this field is ambiguous. "(public key) pinning" is easily misunderstood. Not to be confused with [SSL Certificate Authority (CA) Pinning](https://www.whonix.org/wiki/Dev/SSL_Certificate_Pinning#PIN_Certificate_Authority)! This ticket is for pinning the exact certificate.
[TPO offers fingerprints on their website.](https://www.torproject.org/docs/faq.html.en#SSLcertfingerprint)
[TPO offers no hidden services that could be used as alternative anymore.](https://trac.torproject.org/projects/tor/wiki/WikiStart?sfp_email=&sfph_mail=&action=diff&version=96&old_version=95&sfp_email=&sfph_mail=)
`wget` has no feature for direct certificate pinning ([feature request](https://lists.gnu.org/archive/html/bug-wget/2012-07/msg00008.html)).
#whonixcheck has an [unfinished](https://github.com/Whonix/whonixcheck/commit/5a405cd76f195d28d302914ec14f0e2989571488) `--pin-tpo-cert` feature.
According to the `curl` changelog (http://curl.haxx.se/changes.html), the `--pinnedpubkey` feature appeared in `curl` 7.39.0. It most likely won't be available in `jessie` due to the freeze. This ticket can be implemented in #Debian_Stretch (`jessie` + 1).
__Enable this by default or not?__
If you want to discuss whether this should be enabled by default, please see [Defaults Discussion](https://www.whonix.org/wiki/Dev/SSL_Certificate_Pinning#Defaults_Discussion) and create a child ticket.
* sdwdate will very likely use onions rather than SSL: T131
* wget local CA alternative workaround: T81
* openssl sclient method: T82
* python method: T146
* ~~Wait for `curl` 7.39.0 to appear in Debian.~~ Done, [stretch comes with curl 7.51](https://packages.debian.org/stretch/curl).
* Implement this in #whonixcheck and #tb-updater.
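
Added example (not part of this ticket or of Whonix code): the terminology point above in code, comparing an exact-certificate fingerprint with the public-key pin that `curl --pinnedpubkey` accepts in its `sha256//` form. All function names are assumptions made for this example, and the `sample_cert` inputs are constructed DER skeletons, not real certificates.

```python
import base64, hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                     # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo element out of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)         # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)       # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                       # optional explicit [0] version
        pos = end
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def cert_fingerprint(cert):
    """Exact-certificate pin: SHA-256 over the whole DER certificate."""
    return hashlib.sha256(cert).hexdigest()

def curl_pin(cert):
    """Public-key pin in curl's --pinnedpubkey 'sha256//' form."""
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

# --- constructed sample input: DER skeletons, not real certificates ---
def der(tag, body=b""):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body
def sample_cert(serial, key_bytes):
    spki = der(0x30, der(0x30) + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30) * 4 + spki)
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))

# original cert; reissued with the same key and a new serial; reissued with a new key
OLD, REISSUED, REKEYED = (sample_cert(s, k * 200) for s, k in ((1, b"K"), (2, b"K"), (3, b"N")))
```

For a real certificate, pass its DER bytes, for example the result of `ssl.PEM_cert_to_DER_cert()` on a PEM file. A reissued certificate that keeps its key changes `cert_fingerprint` but not `curl_pin`, so an exact-certificate pin has to be updated on every reissue.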