How do you plan to keep torproject.pem updated? #45

Closed
adrelanos opened this issue May 24, 2013 · 2 comments
Comments

@adrelanos

As far as I know, The Tor Project (tpo) has no mechanism to inform others when they are planning to change their SSL certificates. One day they might just replace it and torbrowser-launcher will break.

Do you think it's worth asking tpo for their policy on that topic or if they could add such a policy? Other thoughts?

@micahflee
Collaborator

Good question. I wonder if the cert pinning stuff adds unnecessary complexity considering that we already verify signatures. Of course, this isn't true when loading https://check.torproject.org/RecommendedTBBVersions. Also, cert pinning isn't even enabled if you choose to use a torproject.org mirror, and most of those are over http anyway.

Alternatively we could just update torproject.pem if it becomes an issue, and there will just be a small period of time where TBL doesn't work for people.

@micahflee
Collaborator

Actually, I just updated torproject.pem when it became an issue. It took me way longer than it should have, but I think that it makes sense to continue to do this anyway (and I'll be more prompt). Either that or no cert pinning, but I prefer cert pinning.
