Deprecate check.tpo and move that functionality to the client
Right now, every time Tor Browser starts up, it loads the same page. This is a risk for a huge watering hole attack. Compromising that one subdomain and serving an exploit will reliably compromise ~100% of Tor users. This would only take a single rogue CA (due to HPKP going away), and the compromise of one of any number of registrars. If the check is done locally client-side, such an exploit would be significantly more difficult and would have to exploit a simple API.
Unlike the automatic updater, which verifies a signature, the only signature relied upon by check.tpo is the TLS certificate. The web PKI is not ideal for protecting a single centralized page that is automatically opened by every Tor user, and only by Tor users.