
[tor-bugs] #12642 [Ooni]: Can Network Attacker Downgrade Dependency Install Security?



#12642: Can Network Attacker Downgrade Dependency Install Security?
-----------------------+-------------------------
 Reporter:  earthrise  |          Owner:  hellais
     Type:  defect     |         Status:  new
 Priority:  normal     |      Milestone:
Component:  Ooni       |        Version:
 Keywords:             |  Actual Points:
Parent ID:             |         Points:
-----------------------+-------------------------
 From the ooni-backend readme:

 {{{
 pip install -r requirements.txt --use-mirrors
 # Note: it is important that you install the requirements before you run
 # the setup.py script. If you fail to do so they will be downloaded over
 # plaintext.
 python setup.py install
 }}}
 What happens if an attacker is MITMing the network connection, and they
 make one package inaccessible during the pip install, but allow setup.py
 to download it? Will it fall back to an insecure connection, allowing the
 attacker to modify the code?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12642>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
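
One way to fail closed on the scenario raised in the ticket: before running setup.py, confirm that every entry in requirements.txt is already installed, and abort if any is missing. This is an added example, not code from ooni-backend; the function names are hypothetical, it assumes setup.py's dependencies match requirements.txt, and it checks presence only, not versions.

```python
import re
import sys
from importlib import metadata


def normalize(name):
    """PEP 503 normalization, so 'Zope.Interface' matches 'zope-interface'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed(name):
    """True if a distribution with this name is already in the environment."""
    try:
        metadata.version(name)
        return True
    except metadata.PackageNotFoundError:
        return False


def unmet(lines, is_installed=installed):
    """Return entries that are missing or cannot be verified by name."""
    problems = []
    for raw in lines:
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()      # drop comments
        if not line:
            continue
        is_option = line.startswith("-")
        if line.startswith(("-e", "--editable")) or (not is_option and "://" in line):
            problems.append(line)                          # URL/VCS entry: fail closed
            continue
        if is_option:                                      # other pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        name = normalize(m.group(0)) if m else None
        if name is None or not is_installed(name):
            problems.append(name or line)
    return problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "requirements.txt"
    with open(path) as fh:
        missing = unmet(fh)
    if missing:
        sys.exit("refusing to run setup.py, unmet: " + ", ".join(missing))
    print("all requirements present")
```

Run it between the two commands from the readme; a non-zero exit means a package did not arrive during the pip step and setup.py should not be started.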