
Re: [tor-bugs] #17870 [Tor Browser]: Some Windows 10 users experience authenticode errors if Tor Browser is signed on Linux



#17870: Some Windows 10 users experience authenticode errors if Tor Browser is
signed on Linux
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tbb-team
     Type:  defect                               |         Status:  closed
 Priority:  High                                 |      Milestone:
Component:  Tor Browser                          |        Version:
 Severity:  Major                                |     Resolution:  fixed
 Keywords:  tbb-security, TorBrowserTeam201601,  |  Actual Points:
  GeorgKoppen201601                              |         Points:
Parent ID:  #15538                               |
  Sponsor:                                       |
-------------------------------------------------+-------------------------

Comment (by gk):

 Replying to [comment:12 tom]:
 > I tested this on Windows 10 and had no issues, as seen here:
 > http://i.imgur.com/vAi7xQS.png
 >
 > When I run it, it still gives the "Do you want to run this file?"
 > prompt, but this is because it's a downloaded executable. The Publisher
 > shows the correct name.  I don't believe there's anything Tor can do about
 > this prompt.  (The only thing might be to submit it to Windows for
 > additional scanning or something - but I'm not sure and I can't find any
 > indication that this is an option - it's hard to search for.)

 Thanks.

 > I will note that the application is signed with SHA-1, which may cause
 > issues down the road.  It would be better to dual-sign it with SHA-256
 > _and_ SHA-1. (We're not an MSI, which causes problems, but .exes can be
 > dual-signed. I don't know how to do this on Linux, but there are
 > instructions for Windows here:
 > http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx ).
 >
 > SHA-256 will be untrusted as a signing algorithm in the future.
 > According to MSFT's timetable, it looks like "On Win 7 and above, blocked
 > on 1/1/2020 if time stamped before 1/1/2016, otherwise, blocked after
 > 1/1/2016 for Mark of the Web files."  Additionally as time goes on it may
 > be more difficult to obtain a SHA-1 signing cert.  I don't think "Mark of
 > the Web" will affect Tor, but in the unlikely situation we wanted someone
 > running a 4-year-old executable, the signature will be untrusted in four
 > years.

 This is a bit complicated. See the bug where Mozilla wrestled with it:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1079858 (for a summary see
 comments 196 and 197). So, we are doing the same as Mozilla right now:
 SHA-1 signature with a SHA-2 code signing certificate. I've created #18287
 for taking a switch to a SHA-2 signature into account.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17870#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
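
To check which digest algorithm a signed executable actually carries (the SHA-1 vs. SHA-256 and dual-signing question discussed above), the following added example, which is not code from the ticket or from Tor Browser's build tooling, reads the PE certificate table and reports the digest algorithms of each Authenticode signature, including a nested (dual) signature. The function names are chosen here, and locating the nested-signature attribute by a byte search for its OID is a simplifying assumption.

```python
import struct

DIGESTS = {bytes.fromhex("2b0e03021a"): "sha1",            # OID 1.3.14.3.2.26
           bytes.fromhex("608648016503040201"): "sha256"}  # OID 2.16.840.1.101.3.4.2.1
NESTED_SIG = bytes.fromhex("060a2b060104018237020401")     # TLV of OID 1.3.6.1.4.1.311.2.4.1

def tlvs(buf):
    """Yield (tag, content) for each definite-length DER element in buf."""
    i = 0
    while i + 2 <= len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:            # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def digests(content_info):
    """Digest names of a PKCS#7 ContentInfo body, then those of nested signatures."""
    wrapped = list(tlvs(content_info))[1][1]    # [0] EXPLICIT following the signedData OID
    signed_data = next(tlvs(wrapped))[1]
    algs = list(tlvs(signed_data))[1][1]        # digestAlgorithms SET, after the version
    oids = [next(tlvs(alg))[1] for _, alg in tlvs(algs)]
    names = [DIGESTS.get(oid, oid.hex()) for oid in oids]
    at = content_info.find(NESTED_SIG)          # assumption: byte search, not a full parse
    if at >= 0:
        values = next(tlvs(content_info[at + len(NESTED_SIG):]))[1]
        for _, nested in tlvs(values):
            names += digests(nested)
    return names

def authenticode_digests(pe):
    """Return one list of digest names per PKCS#7 entry in the PE certificate table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    magic = struct.unpack_from("<H", pe, nt + 24)[0]
    dirs = nt + 24 + (112 if magic == 0x20B else 96)   # PE32+ vs PE32 optional header
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # directory 4: file offset, size
    out, end = [], off + size
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        if ctype == 0x0002:                     # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            out.append(digests(next(tlvs(pe[off + 8:off + length]))[1]))
        off += max(8, (length + 7) & ~7)        # entries are 8-byte aligned
    return out
```

Call `authenticode_digests(open(path, "rb").read())`; a SHA-1-only file yields `[["sha1"]]` and a dual-signed one `[["sha1", "sha256"]]`. It reads the declared digest algorithms only and does not verify the signature or the certificate chain.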