Skip to content

reconsider Firefox key pinning for *.torproject.org domains

Firefox wrote security@torproject.org to ask us whether or not we want to continue the public key pinning program they have. We have 14 days to respond with, and I quote:

  • The list of domains and/or subdomains you believe are pinned.
  • The list of public keys / certificates you believe your domains are pinned to.

Honestly, I'm not absolutely sure what this is about. @ma1 said that we can find the pins with this GitLab search:

https://gitlab.torproject.org/search?search=kPinset_tor&nav_source=navbar&project_id=472&group_id=477&search_code=true&repository_ref=tor-browser-102.10.0esr-12.5-1

That would seem to say the answer is:

domain cert
blog.torproject.org "lots"
bridges.torproject.org kISRG_Root_X1Fingerprint
check.torproject.org "lots"
dist.torproject.org "lots"
torproject.org "lots"
www.torproject.org "lots"

The "lots" cert is a rather long list of certs:

static const char* const kPinset_tor_Data[] = {
  kGOOGLE_PIN_R4LetsEncryptFingerprint,
  kTor3Fingerprint,
  kDigiCert_High_Assurance_EV_Root_CAFingerprint,
  kLet_s_Encrypt_Authority_X3Fingerprint,
  kTor1Fingerprint,
  kGOOGLE_PIN_R3LetsEncryptFingerprint,
  kGOOGLE_PIN_RapidSSLFingerprint,
  kLet_s_Encrypt_Authority_X4Fingerprint,
  kTor2Fingerprint,
};

That looks like:

  • DigiCert
  • Let's Encrypt R3
  • Let's Encrypt R4
  • Let's Encrypt X4
  • Rapid SSL
  • some tor-specific fingerprints (!?)

The latter is:

/* Tor1 */
static const char kTor1Fingerprint[] =
  "bYz9JTDk89X3qu3fgswG+lBQso5vI0N1f0Rx4go4nLo=";

/* Tor2 */
static const char kTor2Fingerprint[] =
  "xXCxhTdn7uxXneJSbQCqoAvuW3ZtQl2pDVTf2sewS8w=";

/* Tor3 */
static const char kTor3Fingerprint[] =
  "CleC1qwUR8JPgH1nXvSe2VHxDe5/KfNs96EusbfSOfo=";

not sure what those represent at all.

The CAs in use that I am aware of are documented in this TPA page, excerpt:

  • Let's Encrypt: automatically issues certificates for most websites and domains, managed by TPA
  • Globalsign: used by the Fastly CDN used to distributed TBB updates
  • Digicert: used by other teams to sign software releases for Windows
  • Harica: used for HTTPS on the donate.tpo onion service
  • howto/Puppet: our configuration management infrastructure has its own X.509 certificate authority which allows "Puppet agents" to authenticate and verify the "Puppet Master", see our documentation and upstream documentation for details
  • howto/ldap: our OpenLDAP server uses a custom self-signed x.509 certificate authority that is distributed to clients via Puppet, see the documentation for instructions to renew this certificate manually
  • internal "auto-ca": all nodes in Puppet get their own X.509 certificate signed by a standalone, self-signed X.509 certificate, documented below. it is used for backups (Bacula) and mail deliver (Postfix)

Of those, I think the first 4 are relevant to this case. It seems like Harica and Globalsign are not in the pin list provided to Firefox, interestingly.

So what should we do with this?

It seems to me we should add GlobalSign to the list for stuff that's served over Fastly at least. We should keep Digicert, and remove RapidSSL. Not sure what to do about Harica, because that's for onion services... Also not sure what to do about those three standalone fingerprints.

Thoughts?

/cc @micah @ma1