Deploy our TBB update archives on a secure machine

We need a secure hosting of our .mar update archives for the TBBs. One way to make it more secure is pinning attributes of the TLS certificate in Tor Browser itself. There are probably others that should be investigated.

added TorBrowserTeam201408D component::applications/tor browser owner::erinn parent::4234 priority::high resolution::fixed status::closed type::task labels

Trac:
Cc: mcs, brade, mikeperry to mcs, brade, mikeperry, intrigeri

Some of the existing Firefox prefs that we can use are:

app.update.cert.requireBuiltIn app.update.cert.checkAttributes app.update.certs.1.issuerName app.update.certs.1.commonName

We should be able to add as many attributes as we want under app.update.certs.1. (but brade and I have only tested with issuerName and commonName which are the ones that Mozilla uses).

See: prefs: http://mxr.mozilla.org/mozilla-esr24/source/browser/app/profile/firefox.js#92

update manifest onLoad handler: http://mxr.mozilla.org/mozilla-esr24/source/toolkit/mozapps/update/nsUpdateService.js#3370

checkCert from CertUtils.jsm: http://mxr.mozilla.org/mozilla-esr24/source/toolkit/modules/CertUtils.jsm#119

gk -- Do you think these existing mechanisms provide enough flexibility for TBB? (brade and I think they do)

Replying to mcs:

gk -- Do you think these existing mechanisms provide enough flexibility for TBB? (brade and I think they do)

Yes, I think so, too. Although we need to be careful when pinning the cert(s) attribute(s) to not lock users in case our cert(s) need to get replaced by (a) newer one(s)...

Trac:
Keywords: N/A deleted, needs-triage added

Trac:
Owner: erinn to tbb-team
Component: Tor bundles/installation to Tor Browser
Keywords: needs-triage deleted, N/A added

Trac:
Keywords: N/A deleted, TorBrowserTeam201408D added

Trac:
Status: new to assigned
Owner: tbb-team to erinn

Ok, we're going to go with www for this.

Trac:
Status: assigned to closed
Resolution: N/A to fixed

closed

moved to tpo/applications/tor-browser#12623 (closed)