direct SSL certificate pinning for check.torproject.org and torproject.org (curl method)

Information

ID: 80
PHID: PHID-TASK-tsull3kmksftqnvdtfgy
Author: Patrick
Status at Migration Time: open
Priority at Migration Time: Normal

Description

Migrated from:
https://github.com/Whonix/Whonix/issues/24


Info:

Terminology in this field is ambiguous. “(public key) pinning” is easily misunderstood. Not to be confused with SSL Certificate Authority (CA) Pinning! This ticket is for pinning the exact certificate.

TPO offers fingerprints on their website.

TPO no longer offers any hidden services that could be used as an alternative.

wget has no feature for direct certificate pinning (feature request).

#whonixcheck has an unfinished --pin-tpo-cert feature.

Status:

Whonix 14 will be based on Debian stretch, so this could now be implemented.

TODO: Implement using curl and --pinnedpubkey
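A worked example of the curl approach, added here and not part of this ticket or of Whonix's code: it derives the value that --pinnedpubkey expects (base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, which is not the certificate fingerprint TPO publishes on its website) and checks that derivation against a constructed throwaway key pair, with no network access. It assumes openssl and a POSIX shell; the hostname is only used to build the command line.

```shell
#!/bin/sh
# Added example (not Whonix or Tor Project code): derive the pin string that
# curl's --pinnedpubkey expects from a PEM certificate, and build the curl
# invocation that enforces it. Assumes openssl and curl are in PATH.
set -eu

# "sha256//<base64 of SHA-256 over the DER SubjectPublicKeyInfo>" for the
# certificate in $1. curl compares this value, NOT the certificate's own
# SHA-1/SHA-256 fingerprint that web pages usually print.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64 -A |
        sed 's|^|sha256//|'
}

# Same pin, derived from a bare PEM public key (what a site operator could
# publish next to the certificate so users can pin without fetching it).
spki_pin_from_pubkey() {
    openssl pkey -pubin -in "$1" -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64 -A |
        sed 's|^|sha256//|'
}

# Command line that pins host $1 to pin $2. Normal CA validation still runs;
# the pin is an additional check that must also pass.
pinned_curl_cmd() {
    printf 'curl --proto =https --tlsv1.2 --pinnedpubkey %s https://%s/\n' "$2" "$1"
}

# Self-check with a constructed throwaway key pair: the pin taken from the
# certificate must equal the pin taken from the public key alone.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=pin-demo' \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    openssl pkey -in "$tmp/key.pem" -pubout -out "$tmp/pub.pem" 2>/dev/null
    a=$(spki_pin_from_cert "$tmp/cert.pem")
    b=$(spki_pin_from_pubkey "$tmp/pub.pem")
    rm -rf "$tmp"
    [ "$a" = "$b" ] && printf '%s\n' "$a"
}
```

Because --pinnedpubkey pins the key rather than the exact certificate, a renewed certificate that keeps the same key still passes, while a key rotation on the server side makes every pinned fetch fail until the stored pin is updated.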


Enable this by default or not?

If you want to discuss if this should be enabled by default or not, please see Defaults Discussion and create a child ticket.


Related tickets:

  • sdwdate uses onions rather than SSL: T131
  • wget local CA alternative workaround: T81
  • openssl s_client method: T82
  • python method: T146

TODO:

Comments


HulaHoop

2015-12-07 15:41:45 UTC


HulaHoop

2015-12-08 19:36:22 UTC


Patrick

2015-12-08 19:46:18 UTC


HulaHoop

2016-03-01 00:04:56 UTC


HulaHoop

2016-03-01 18:37:12 UTC


HulaHoop

2018-10-13 12:47:08 UTC