[IncRnd]

Great question. I used the word "to" when it is more correct to use "thru" the AP.

You need https for cert pinning, so when I mentioned cert pinning that automatically included https. The reason to pin the certificate is to ensure that the server certificate presented today is the same server certificate that was seen yesterday. Otherwise the server may be spoofed and still pass the certificate checks. This is generally mitigated via certificate pinning. See Twitter's history and implementation of such.

I am not saying to NOT use another layer on top of this, as defense in depth is always important. There are ways to get around VPN use and ways to get around cert pinning, but using both makes the attacker's job far more difficult.

Implementing cert pinning is something that needs to be done by app developers, and what you mention are definitely good first measures one should take to protect their OWN systems in a hostile environment. By themselves, though, they don't completely mitigate all threats in the threat model.

[icebraining]

Right, but Tor itself includes their own implementation of "cert pinning", so you are protected from an insecure Wifi network by using it (of course, you are then at the mercy of the exit node, but that's another matter).

[IncRnd]

Agreed, if the pinning extends from the client to outside the 'cafe' then that traffic is protected against modification from within the cafe.

I'm a little suspect that they have their own implementation, which might be incomplete, but it is likely better than no pinning.

By Tor, do you mean the firefox browser fork or Tor itself?

[icebraining]

I mean Tor itself. It uses TLS to connect securely to the nodes.

The code includes a list of Directory Servers, along with the fingerprints of their certs[1], so those are pinned. Then the relays are fetched from a Directory Server, along with their own fingerprints. So those connections are also authenticated.

[1] https://oniongit.eu/dgoulet/tor/blob/42cee727fa281fff4e27f98...