Too Long; Didn't Read
The first few days of this vulnerability disclosure were a very interesting ride. It started with <a href="https://medium.com/@movrcx">movrcx</a> posting <a href="https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95">his attack on Tor Browser</a> (which you should definitely read). Most people blew him off because they thought he didn’t understand how certificate pinning worked in Firefox and that his setup would inherently bypass pinning by design. The funny thing about that is that they were right (while still being very wrong). Going in, <a href="https://medium.com/@movrcx">movrcx</a> didn’t have a great understanding of how certificate pinning in Firefox worked and neither did I for that matter. To add, had he done his attack on Firefox instead of Tor Browser, his result would have actually been the same even if a vulnerability didn’t exist. It’s kinda hard to blame anyone for blowing off his attack given the totality of the information available at the time. I almost did too.