[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #13065 [Tor Browser]: counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign / verify tbb versions file
#13065: counter downgrade / stale mirror attacks on RecommendedTBBVersions - sign /
verify tbb versions file
-------------------------+--------------------------
Reporter: proper | Owner: tbb-team
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Browser | Version:
Keywords: | Actual Points:
Parent ID: | Points:
-------------------------+--------------------------
Securely downloading
https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions
solely relies on SSL, is currently neither signed, nor gets verified by
Tor Button.
This is problematic, because should torproject.org's web server or CA be
compromised one day, applications such as Tor Button and
[https://github.com/micahflee/torbrowser-launcher torbrowser-launcher]
could be fooled into using an outdated and/or malicious
RecommendedTBBVersions file.
Suggestion: could you please,
1) provide a signed version of RecommendedTBBVersions,
2) verify RecommendedTBBVersions in Tor Button.
To prevent downgrade and stale mirror attacks, the signature would have to
be renewed after every X weeks, and rejected by the verification mechanism
[+ user notification] if is is too old. (Similar to
[http://blog.ganneff.de/blog/2008/09/23/valid-until-field-in-
release-f.html Valid-Until] / #9810.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13065>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs