You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As far I know, The Tor Project (tpo) has no mechanism to inform others when they are planing to change their SSL certificates. One day they might just replace it and torbrowser-launcher will break.
Do you think its worth asking tpo for their policy on that topic or if they could add such a policy? Other thoughts?
The text was updated successfully, but these errors were encountered:
Good question. I wonder if the cert pinning stuff adds unnecessary complexity considering that we already verify signatures. Of course, this isn't true when loading https://check.torproject.org/RecommendedTBBVersions. Also, cert pinning isn't even enabled if you choose to use a torproject.org mirror, and most of those are over http anyway.
Alternatively we could just update torproject.pem if it becomes an issue, and there will just be a small period of time where TBL doesn't work for people.
Actually, I just updated torproject.pem when it became an issue. It took me way longer than it should have, but I think that it makes sense to continue to do this anyway (and I'll be more prompt). Either that or no cert pinning, but I prefer cert pinning.
As far I know, The Tor Project (tpo) has no mechanism to inform others when they are planing to change their SSL certificates. One day they might just replace it and torbrowser-launcher will break.
Do you think its worth asking tpo for their policy on that topic or if they could add such a policy? Other thoughts?
The text was updated successfully, but these errors were encountered: