re-evaluate our certificate authorities and pinning at Mozilla / Google Chrome

In two years from now, look at which certificate authorities and how that affects the pins we have in Mozilla Firefox and Google Chrome, see #41154 (closed) for background and the previous instance of this.

marked this issue as related to #41154 (closed)

changed due date to May 16, 2025

added Icebox Security TLS labels

mentioned in issue #41154 (closed)

marked this issue as related to #41672 (closed)

No one asked me, it's not 2025 yet, and everyone is currently busy, but FWIW, Fastly has multiple CA options now:

• GlobalSign, which https://cdn-fastly.torproject.org/ uses now
• Let's Encrypt
• Certainly, Fastly's own CA, which is currently cross-signed by GoDaddy's Starfield Root Certificate Authority - G2

In the long term, it may be desirable to add them to the pin set, though broadly trusting GoDaddy adds additional risk.

• Certainly Root E1
• Certainly Root R1
• Starfield Root Certificate Authority - G2

https://docs.fastly.com/en/guides/setting-up-tls-with-certificates-fastly-manages https://www.fastly.com/blog/announcing-certainly-fastlys-own-tls-certification-authority/ https://www.certainly.com/

Thanks for chiming in @mnordhoff ! Actually this is quite on-topic, as #41672 (closed) has definitely moved up this discussion on the priority list.

Intead of updating the pins, we're instead considering removing them altogether. What do you think about this?

The reason we're considering removing them is we've not been great at keeping track of the pins, and what's happening today is not unlikely to happen in the future.

I'm also wondering now that we have proper CAA records and have made progress in monitoring CT logs, whether these pins really add much to the security of users who navigate to these handful of websites covered.

Another major reason is that it seems nowadays most vendors are recommending against certificate pinning because of the high risk compared to the low benefit it brings:

• Risks of Pinning or Hard-Coding Intermediates
• Best practices: Stop Certificate Pinning

added Doing label and removed Icebox label

assigned to @lavamind

@micah was able to get in touch with the people at Mozilla and the certificate pins in Firefox have been removed: https://bugzilla.mozilla.org/show_bug.cgi?id=1906712

We still need to get this done also for Chrome/Chromium.

This file in chromium has a base64 encoded set of certificates, there are very few in here, so it is remarkable to find:

Tor1
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlOpp8zfF+jEbI6R7nxnm
phFPqBCCHMpahBMjQOjHD/860wrH1ZoIeevW9ZJ6MIuBV0jwwtAQokNsx8FVAmMH
Tjg6b4blbum1meahODgafcGjHrRGzEvuN6r577SgHcOQXkAIVsbZ6Bjk+8kh1t/v
cEaLa9DmzBQpMTYWCDY4kN0tFMSNS8CJekgA6vDVFHFRp4NiJ1eFmd38furKsZUZ
rqvY4jzyaIls/UQB8q/6bHbEeF5lTUaWPZob1XBv0Ib7nVX2gGzan+qYQim8Wdjc
LrGhnUBwil5lh9qQ/8VIMVbjtcAjeZpVWuTZA3stbOiaDCqJBGTe9glFOH1xz9hS
7QIDAQAB
-----END PUBLIC KEY-----

Tor2
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1b2qGT7y4sjNG18lZKuC
tLwDfE57KseaNY6VM61DySaobdDt9VOiFS+3QaPcrT60qOH9aQ1DGhNv3jcAJvtT
i5nKSgVDu7Emb70j2xrRaJ+lnITYs2Je9JYUQmb6IQAplYTz60s0Ng1MrROqNswl
UhhXTCZLB1Bo+uN8OM7LoZ+Sr+sP0YhMsNAyxf3ZJVvzhWHQYGHvNBqIrXpq6YLc
zHSdd5QirZ3lSdhv2uGYxDBLslfk47xObxSvqblLD2ISlMRPL85FnetHL/dRMUEo
2c9MJ49nxItUbeizxxIeCbfWdbucd4il5bBlN9t3duFqwCu80ZOuHMvxavpP05D5
RwIDAQAB
-----END PUBLIC KEY-----

Tor3
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtNfM24/03NeOb3R1sRN5
7zwYThdBJPSOXehVN3JvShTZ86kg+f0HYwbZZ0Xx0jujghabKgHkhiLMChl+Fg97
Pi0t4mQm/3sdltfUypprdcE6CbCzKkWNTaD9+iMA4m8peSq0Pd5hCKvRidb1+OCL
rJKOqx24r9VwsIa69zdiE5DpFBqvi1YczoaknF09jNR/hjqMyEwENR7t/AKZ1VpK
6L6loJt2mCl3FWjM+Wt50ktrSyAI4aPfSAILAmSRhb5TY1xWRBuHDOzdf+DvegXu
/aHn0j5UscN2XqQiNJcUrdJYsekfpHDtYKP/pesHCp2lCSbYdAaS8mnqDJwV8xC4
1wIDAQAB
-----END PUBLIC KEY-----

I don't understand how these are used, or how they are linked to tor itself, or how we go about getting them removed.

Those should be the emergency backup keypairs that have never been used. #41154 (comment 2902770)

Somewhere in the chromium source, there is a list of domains that point to these keys. I'm trying to get that source so i can find where it is.

There's https://source.chromium.org/chromium/chromium/src/+/main:net/http/transport_security_state_static_pins.json, but I don't know if it's the authoritative source or generated from some other file.

Yep, I just found that as well. I think it may be the place.

This suggests that we are going to have this same problem with Chromium with the newer LE cert intermediaries, and will need to get a cert from one of the EV providers in that list until an updated version of this list has trickled down to users.

I have filed a security issue with Chromium to request removal: https://issues.chromium.org/u/1/issues/351858997

Google responding and will be removing the pins. They said that the source of truth for these is an internal file and the source files that we have been linking to here are updated on a daily basis based on the contents of that internal file. That means we will see an update tomorrow or the day after depending on when the internal change lands. Additionally, most Chrome users will also get a component update with the change, so it will take effect even before it's visible on the source files (and will reach users with old versions of Chrome who don't update).

mentioned in incident #41672 (closed)

mentioned in issue tpo/applications/tor-browser#42616 (closed)

We decided to remove the pinnings and have confirmed this with Mozilla and Google which have both acted on our request.

In #41672 (closed) we'll be following up about ensuring the ~3 month period required for pinning expiration is handled gracefully for users of older browsers.

closed