1. 5
    Deep down the certificate pinning rabbit hole of "Tor Browser Exposed" browsers security seclists.org
    jabberwock avatar via jabberwock 2 years ago | cached | 1 comment

Explanation of a cert-pinning bypass vulnerability in Firefox (also Tor Browser) which affects the auto-update process.

  1.  

  2. 1
    jabberwock avatar jabberwock 2 years ago | link

    Turns out this went down the wrong rabbit hole. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1303127#c1

    The “certificate issuer is not built-in” error is a red-herring […] The built-in pins have an expiration date that’s supposed to be about 90 days out from the release, updated weekly. Turns out the automation was broken on the ESR branch […] That means the AMO pins expired on Sept 3 in releases based on 45.3