Status: Closed

Opened Sep 22, 2020 by weasel (Peter Palfrader) @weasel, Owner. 4 of 7 tasks completed.

LetsEncrypt is changing their certs

Viktor Dukhovni mentioned on dane-users that LetsEncrypt is rotating their intermediates.

This might affect torproject.org https hosts with key pins in chrome.

  • transport_security_state_static.pins
  • transport_security_state_static.json
    {
      "name": "tor",
      "static_spki_hashes": [
        "RapidSSL",
        "DigiCertEVRoot",
        "Tor1",
        "Tor2",
        "Tor3",
        "LetsEncryptAuthorityPrimary_X1_X3",
        "LetsEncryptAuthorityBackup_X2_X4"
      ]
    },
    { "name": "torproject.org", "policy": "custom", "mode": "force-https", "pins": "tor" },
    { "name": "blog.torproject.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "tor" },
    { "name": "check.torproject.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "tor" },
    { "name": "www.torproject.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "tor" },
    { "name": "dist.torproject.org", "policy": "custom", "mode": "force-https", "include_subdomains": true, "pins": "tor" },

We should verify if we need to have that updated, and if yes, to what.

We also should check if Firefox just copies the Chrome pins, is not affected, or also needs updating.

Todo list:

  • Chrome HSTS preload list
  • Firefox HSTS preload list
  • DANE (TLSA) records (clear: we use "3 1 1" records)
  • CAA records (N/A)
  • HPKP records (N/A, disabled in #33592 (closed))
  • check that we'll follow the cert chain change in the Let's Encrypt renewal code? (we just take whatever cert Let's Encrypt gives us, so no change required here)
  • renew certs before the switch so we have an extra 90 days grace period?
Edited Sep 22, 2020 by anarcat
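The check behind the first three todo items, as an added example that is not part of the issue and not Tor's, Chromium's or Let's Encrypt's own tooling: derive the Chromium-style SPKI pin (base64 of SHA-256 over the DER SubjectPublicKeyInfo, the same form HPKP used) and the DANE TLSA "3 1 1" digest (hex SHA-256 over the same SPKI, but taken from the end-entity certificate) from DER certificates, and ask whether a chain still matches a static pin set once the intermediate's key changes. The keys, the Ed25519 certificate shells and the pin set are constructed stand-ins labelled as such in the code; only the DER walk over tbsCertificate is real X.509 structure.

```python
"""Added example: Chromium-style SPKI pins and DANE TLSA "3 1 1" digests
from DER certificates, plus a chain-vs-pin-set check.  All keys and
certificates are constructed stand-ins, not Tor or Let's Encrypt data."""
import base64
import hashlib


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]: (tag, content, raw_tlv, next_pos).
    Single-byte tags only, which is all X.509 uses at the levels walked here."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), 2 + nb
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], buf[pos:end], end


def der_children(content: bytes):
    """Split the content of a constructed TLV into (tag, content, raw) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = der_read(content, pos)
        out.append((tag, body, raw))
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of a certificate.  tbsCertificate is
    [0] version (optional), serialNumber, signature, issuer, validity,
    subject, subjectPublicKeyInfo, ... so the SPKI is field 7 (6 without version)."""
    tag, body, _, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    fields = der_children(der_children(body)[0][1])
    skip = 1 if fields[0][0] == 0xA0 else 0
    return fields[skip + 5][2]


def chromium_pin(spki_der: bytes) -> str:
    """Pin as transport_security_state_static.pins stores it: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def tlsa_3_1_1(spki_der: bytes) -> str:
    """TLSA usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return hashlib.sha256(spki_der).hexdigest()


def chain_satisfies_pins(chain_der, pins) -> bool:
    """Static pinning passes if any certificate in the chain matches a pin."""
    return any(chromium_pin(spki_from_cert(c)) in pins for c in chain_der)


# --- constructed fixtures: hypothetical keys inside real X.509 DER layout ---
ED25519_ALG = der_encode(0x30, der_encode(0x06, bytes.fromhex("2B6570")))  # id-Ed25519


def fake_spki(raw_key32: bytes) -> bytes:
    return der_encode(0x30, ED25519_ALG + der_encode(0x03, b"\x00" + raw_key32))


def fake_cert(spki_der: bytes, v1: bool = False) -> bytes:
    """Structurally valid, unsigned certificate shell around the given SPKI."""
    name = der_encode(0x30, b"")                           # empty Name
    utc = der_encode(0x17, b"200922000000Z")
    version = b"" if v1 else der_encode(0xA0, der_encode(0x02, b"\x02"))
    tbs = der_encode(0x30, version + der_encode(0x02, b"\x01") + ED25519_ALG
                     + name + der_encode(0x30, utc + utc) + name + spki_der)
    return der_encode(0x30, tbs + ED25519_ALG + der_encode(0x03, b"\x00" + bytes(64)))


LEAF_KEY = bytes([0x01]) * 32               # the host's own key, unchanged by the rotation
OLD_INTERMEDIATE_KEY = bytes([0x02]) * 32   # stand-in for the intermediate that is pinned
NEW_INTERMEDIATE_KEY = bytes([0x03]) * 32   # stand-in for the rotated intermediate
STATIC_PINS = {chromium_pin(fake_spki(OLD_INTERMEDIATE_KEY))}


def audit(intermediate_key: bytes) -> dict:
    """What the Chromium pin check and a DANE 3 1 1 check each see."""
    leaf = fake_cert(fake_spki(LEAF_KEY))
    chain = [leaf, fake_cert(fake_spki(intermediate_key))]
    return {"chromium_pin_ok": chain_satisfies_pins(chain, STATIC_PINS),
            "leaf_tlsa_3_1_1": tlsa_3_1_1(spki_from_cert(leaf))}
```

Calling `audit(OLD_INTERMEDIATE_KEY)` reports the pin check passing, `audit(NEW_INTERMEDIATE_KEY)` reports it failing, and the TLSA digest is identical in both runs, which is why the "3 1 1" item is clear while the preload-list items need the new intermediate's hash added. Against a live host, feed `spki_from_cert` the base64-decoded PEM bodies from `openssl s_client -connect host:443 -showcerts </dev/null`; the equivalent one-liner for a single certificate is `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`, whose output is what the names in the static_spki_hashes list resolve to in the .pins file.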
Reference: tpo/tpa/team#40052