
Re: [tor-bugs] #9931 [Website]: Securing the integrity of downloads from the Tor/Tails website



#9931: Securing the integrity of downloads from the Tor/Tails website
-------------------------+-------------------------------------------------
     Reporter:  tolodof  |      Owner:
         Type:  defect   |     Status:  closed
     Priority:  major    |  Milestone:
    Component:  Website  |    Version:  Tor: unspecified
   Resolution:  fixed    |   Keywords:  SSL, MITM, Verifying, Download,
Actual Points:           |  Website
       Points:           |  Parent ID:
-------------------------+-------------------------------------------------
Changes (by cypherpunks):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 @tolodof

 Kindly review
 https://www.ssllabs.com/ssltest/analyze.html?d=torproject.org

 You'll notice that the Tor Project's EXCELLENT cryptography implementation
 is more secure than just about any other software updating/downloading
 channel you'll find on the internet, with support for TLS 1.2 and forward
 secrecy in many browsers. Yes, there are a few small changes that could be
 made, but most if not all would break functionality/compatibility for some
 users.

 Contrast that with update and add-on checking functionality you mentioned
 in Firefox, which still isn't configured to allow TLS 1.2 by default and
 which the relevant Mozilla servers can't even support anyway:
 https://browserprivacy.wordpress.com/2013/11/19/requiring-better-cryptography-in-firefox-and-thunderbird-breaks-update-functionality/

 Perhaps something like NSA's Quantum Insertion or a few lesser-known MITM
 attacks are still theoretically possible, but the bottom line is that
 downloading a signed copy of Tor from The Tor Project's server can be
 considerably more secure--if you use the right tools, practices, etc.--
 than Firefox.

 If you're still not convinced, download the data through another network
 (e.g. Tor) with a different computer and network configuration and then
 compare the binaries and signatures. I'm willing to bet they'll be
 identical in your case.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9931#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
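The closing suggestion in the comment (fetch the same file over two independent paths and compare the binaries) is the kind of check a download integrity script can automate. The following is an added example and not code from the ticket or from the Tor Project; it compares every fetched copy against a published sha256sum-style checksum list and against each other, so a substitution on one path shows up both as a digest mismatch and as a disagreement between paths. The file name, the payload bytes and the checksum list are all constructed inline so the script runs offline; in real use the checksum list would be the vendor's signed one, verified with its detached signature before being trusted.

```python
import hashlib
import hmac

# Constructed sample payloads standing in for a release archive fetched over
# two independent paths (e.g. directly and through Tor), plus a modified copy
# that a man-in-the-middle on one path might have substituted.
FILENAME = "tor-browser.tar.xz"          # hypothetical file name
DIRECT_COPY = b"constructed release archive bytes\n"
TOR_COPY = b"constructed release archive bytes\n"
TAMPERED_COPY = b"constructed release archive bytes, altered\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


# Constructed checksum list in sha256sum format. In practice this is the
# vendor's published checksum file, checked against its detached signature
# before anything below is believed.
PUBLISHED_CHECKSUMS = f"{sha256_hex(DIRECT_COPY)}  {FILENAME}\n"


def parse_checksums(text: str) -> dict:
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into {name: digest}."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        # sha256sum prefixes the name with '*' in binary mode; strip it.
        digests[name.lstrip("*")] = digest.lower()
    return digests


def cross_check(filename: str, copies: dict, checksum_text: str) -> dict:
    """Compare every fetched copy with the published digest and with each other.

    copies maps a label for the fetch path ('direct', 'tor', ...) to the bytes
    obtained on that path. Returns the expected digest, a per-path verdict and
    whether all copies were byte-identical. Any False verdict means that path
    delivered something other than the published file.
    """
    expected = parse_checksums(checksum_text).get(filename)
    if expected is None:
        raise ValueError(f"{filename} not present in checksum list")
    matches = {}
    observed = set()
    for label, data in copies.items():
        digest = sha256_hex(data)
        observed.add(digest)
        # Constant-time comparison, the usual habit for digest checks.
        matches[label] = hmac.compare_digest(digest, expected)
    return {"expected": expected, "matches": matches, "identical": len(observed) == 1}


if __name__ == "__main__":
    clean = cross_check(FILENAME, {"direct": DIRECT_COPY, "tor": TOR_COPY}, PUBLISHED_CHECKSUMS)
    bad = cross_check(FILENAME, {"direct": TAMPERED_COPY, "tor": TOR_COPY}, PUBLISHED_CHECKSUMS)
    print("clean copies:", clean["matches"], "identical:", clean["identical"])
    print("tampered copy:", bad["matches"], "identical:", bad["identical"])
```

The two signals are deliberately separate: `matches` tells you which path diverged from the published digest, while `identical` catches the case where the checksum list itself is wrong or stale but the two paths still agree, which is worth a closer look rather than silent acceptance.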