Closed Bug 1004353 Opened 10 years ago Closed 10 years ago

Enable pinning for tor

Categories

(Core :: Security: PSM, defect)

x86
macOS
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla34

People

(Reporter: mmc, Assigned: cviecco)

References

(Blocks 1 open bug)

Attachments

(1 file)

This one uses lots of sha1 fingerprints, so we need to reach out and find the sha256 or pem equivalents.

https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&l=50
I think Camilo said he was already in contact with these folks.
Assignee: nobody → cviecco
Monica, here are the keys (given by them, not verified by me). It was also suggested that Mike Perry would be the point of contact from Tor (Mike, thank Roger).
	contingency-key-2011-1.pem
	8ee371493bfd500366a42f6417918aa6658dc776  -
	6d8cfd2530e4f3d5f7aaeddf82cc06fa5050b28e6f2343757f4471e20a389cba  -

	contingency-key-2011-2.pem
	9626b8de53e897348f548ab7e03c39eee61c2c3f  -
	c570b1853767eeec579de2526d00aaa00bee5b766d425da90d54dfdac7b04bcc  -

	contingency-key-2011-3.pem
	af313240828e87bee3f3b9f96e3594360b9717c6  -
	0a5782d6ac1447c24f807d675ef49ed951f10dee7f29f36cf7a12eb1b7d239fa  -
Mike, if you just want to use the Tor pinset currently in use by Chrome, we can just turn it on. If not, Camilo should be the one to coordinate since he's already in touch with you and Roger.

This file contains all of the hashes:
https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.certs&l=207

This file gives the domain -> hash mapping:
https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json&l=50
    {
      "name": "tor",
      "static_spki_hashes": [
        "RapidSSL",
        "DigiCertEVRoot",
        "Tor1",
        "Tor2",
        "Tor3"
      ]
    },

    {
      "name": "tor2web",
      "static_spki_hashes": [
        "AlphaSSL_G2",
        "Tor2web"
      ]
    },

    { "name": "tor2web.org", "include_subdomains": true, "pins": "tor2web" },
    { "name": "torproject.org", "mode": "force-https", "pins": "tor" },
    { "name": "blog.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
    { "name": "check.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
    { "name": "www.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },
    { "name": "dist.torproject.org", "include_subdomains": true, "mode": "force-https", "pins": "tor" },

Thanks,
Monica
Flags: needinfo?(mikeperry)
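Added example, not part of the bug and not Chromium's or Firefox's code: a simplified Python model of how the name-to-pinset mapping quoted above is evaluated, showing which hosts the entries cover and how a validated chain is checked against a pinset. The SPKI bytes are constructed stand-ins, and the matching rules (most specific entry first, parent entries only with include_subdomains, pins as base64 SHA-256 of the SPKI) are assumptions of this example.

```python
import base64
import hashlib

# Pinsets and entries copied from the excerpt quoted in the bug.
PINSETS = {
    "tor": ["RapidSSL", "DigiCertEVRoot", "Tor1", "Tor2", "Tor3"],
    "tor2web": ["AlphaSSL_G2", "Tor2web"],
}
ENTRIES = {
    "tor2web.org": {"include_subdomains": True, "pins": "tor2web"},
    "torproject.org": {"pins": "tor"},
    "blog.torproject.org": {"include_subdomains": True, "pins": "tor"},
    "check.torproject.org": {"include_subdomains": True, "pins": "tor"},
    "www.torproject.org": {"include_subdomains": True, "pins": "tor"},
    "dist.torproject.org": {"include_subdomains": True, "pins": "tor"},
}

def spki_pin(spki_der: bytes) -> str:
    """Base64 of SHA-256 over the DER SubjectPublicKeyInfo (assumed format)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# Constructed stand-ins for the real key material; the real hashes live in
# transport_security_state_static.certs and are not reproduced here.
FAKE_SPKI = {name: b"constructed-spki:" + name.encode()
             for names in PINSETS.values() for name in names}
PIN_VALUES = {name: spki_pin(der) for name, der in FAKE_SPKI.items()}

def pinset_for(host: str):
    """Most specific entry wins; parents apply only with include_subdomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = ENTRIES.get(".".join(labels[i:]))
        if entry and (i == 0 or entry.get("include_subdomains")):
            return entry["pins"]
    return None

def check_chain(host: str, chain_spkis: list) -> str:
    """Return 'unpinned', 'ok' or 'pin-failure' for an already validated chain."""
    name = pinset_for(host)
    if name is None:
        return "unpinned"
    allowed = {PIN_VALUES[n] for n in PINSETS[name]}
    seen = {spki_pin(der) for der in chain_spkis}
    # One matching key anywhere in the chain satisfies the pinset.
    return "ok" if allowed & seen else "pin-failure"
```

Under these rules the bare torproject.org entry, which has no include_subdomains, covers only that exact host, so a subdomain not listed separately is unpinned.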
Attached patch tor-pinning
Attachment #8460506 - Flags: review?(mmc)
Attachment #8460506 - Flags: review?(mmc) → review+
Roger Dingledine said it was OK to use the Chrome fingerprints during PETS 2014 in the hallway track.
Flags: needinfo?(mikeperry)
https://hg.mozilla.org/mozilla-central/rev/ff57d7141f3c
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34