Firefox and Tor Browser pin data
CSV files containing Firefox (stable and ESR stable) and Tor Browser (alpha and stable) release dates and static key pinning expiration dates. And some hacky Python programs for processing it.
For context, please read Ryan Duff's post Postmortem of the Firefox (and Tor) Certificate Pinning Vulnerability Rabbit Hole.
firefox-esr38-*: Firefox ESR 38 releases
firefox-esr45-*: Firefox ESR 45 releases
firefox-esr52-*: Firefox ESR 52 releases
firefox-esr-*: Most Firefox ESR releases in chronological order
firefox-*: Firefox regular releases
tor-browser-alpha-*: Tor Browser alpha releases, and a few stable releases
tor-browser-stable-*: Tor Browser stable releases
tor-browser-*: All Tor browser alpha and stable releases in chronological order
*-expiration-release-dates.csv: Most of the information combined; see below
*-expiration-us.csv: Pin expiration timestamps, in microseconds since 1970-01-01T00:00:00.000000Z
*-expiration.csv: Pin expiration second timestamps, microsecond timestamps, and ISO 8601 strings
*-releases.csv: Release dates
*.py: Hacky Python scripts. :-)
version: Firefox or Tor Browser version
release_date: Firefox or Tor Browser release date
expiration_date: Static pin expiration date
expiration_days: Days from the release date until the expiration date
previous_expiration_days: Days from the current row's release date until the previous row's expiration date
previous_release_days: Days from the previous row's release date until the current row's release date
firefox_version: Tor Browser only; Firefox version it is based on
Firefox 38.0.6 and 40.0.1 sort of exist, but have no official release dates, and are excluded from this data. Their expiration timestamps were identical to the preceding releases. I suspect that 38.0.6 was released immediately after 38.0.5, and 40.0.1 was released immediately before 40.0.2.
When releases (usually from different series) are made simultaneously, the
previous_release_days fields can be nonsensical.
There were several Tor Browser 4.0.x series point releases after 4.5a1, but they didn't support pinning and are excluded.
Licensed under the MIT license; see
LICENSE.txt. Nonetheless, i believe the
.csv files are in the public domain by nature.