New <torproject.org> SSL cert causes freakout. #84
Comments
ghost
mentioned this issue
|
I can confirm the bug. I am getting the same error message. |
|
The problem appears to be related to Heartbleed, and the Torproject rotating its x.509 certificate for the website. The certificate itself appears to have been re-issued, although I haven't found any statement from the torproject about that re-issue or what the new fingerprints of that certificate should be. Torbrowser-launcher ships a copy of the certificate, presumably to pin the certificate, and the one that is shipped doesn't validate, because it isn't the one being used anymore. The fix is probably to update that torproject.pem file with the new one, assuming it can be verified properly. |
|
Ok, I just visited https://www.torproject.org/ in a browser (at a random coffee shop that I happen to be at in Brooklyn), downloaded the cert I see, and replaced it and tested, and it works for me. This new cert has SHA256 fingerprint: And SHA1 fingerprint: Now I'm gonna ask some people who know for sure if this is the right cert over secure channels to confirm before closing this bug. |
|
I can confirm both (SHA1 & SHA256) fingerprints (accessing from Germany's DFN). (Then again, I am probably not a trustworthy entity, just a random user interested in the awesome software you guys make) How to get the fingerprints with openssl: This yields the following fingerprints (you can remove the colons with |
see torproject/torbrowser-launcher#84 Package-Manager: portage-2.2.8-r1
|
Is there any eta on this? This bug leaves TBB unusable. As there is a new version ( |
|
Sorry about this. I've been crazy busy, but this is quite important. Working on it now. |
|
I confirmed that 70522ef is the correct cert. |
|
@micahflee thank you, will the upbuntu ppa be updated to reflect this change? |
Starting TBL today, I get just a moment of the loading bar, then this:
After clicking to exit, Torbrowser doesn't start.
The text was updated successfully, but these errors were encountered: