
[tor-bugs] #3897 [Tor Browser]: TBB build does insecure download of source files



#3897: TBB build does insecure download of source files
-------------------------+--------------------------------------------------
 Reporter:  tmpname0901  |          Owner:  mikeperry    
     Type:  defect       |         Status:  new          
 Priority:  normal       |      Milestone:               
Component:  Tor Browser  |        Version:  Tor: 0.2.2.32
 Keywords:               |         Parent:               
   Points:               |   Actualpoints:               
-------------------------+--------------------------------------------------
 A recent post on the Tor blog reminds us, in the wake of the DigiNotar
 debacle, of the importance of verifying signed files after downloading.
 So why then does the TBB build process download Tor source files
 insecurely, then fail to verify the signatures of the files?

 See file ~/build-scripts/versions.mk, most recently found in the
 tor-browser-2.2.32-2-src.tar.gz tarball.  First it explicitly ignores the
 certificate of the originating site ("wget --no-check-certificate") while
 getting the Tor and Vidalia source.  Then it fails to download the
 signature files and check them against the downloaded source tarball
 files.

 I urge that signed files actually be validated against their signatures in
 those cases where signatures are available.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3897>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
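Added example, not code from the Tor Browser build scripts or from the reporter: a POSIX shell sketch of the hardened fetch the ticket asks for. It keeps wget's certificate checking on (no --no-check-certificate, and --https-only so a plain-http redirect is refused), fetches the detached .asc signature next to the tarball, and verifies it with gpgv against a pinned keyring before the tarball is accepted; a failed check deletes the download so a later build step cannot pick it up. A small audit function flags build scripts that disable TLS verification. The function names, the example URL, the keyring path and the assumption that wget supports --https-only are all mine.

```shell
#!/bin/sh
# Added example: fetch-and-verify helper in the shape a versions.mk rule
# could call. Not the TBB project's code; URL and keyring path are assumptions.
set -eu

# Verify FILE against detached signature SIG using only the keys in KEYRING.
# gpgv never consults the user's keyring or the web of trust, so a signature
# from a key that is not pinned in KEYRING is rejected. Returns 0 on success.
verify_detached_sig() {
    file=$1; sig=$2; keyring=$3
    # Fail closed if anything is missing or empty (e.g. a 0-byte .asc from a
    # 404 page) rather than letting gpgv print a confusing error.
    [ -s "$file" ] && [ -s "$sig" ] && [ -s "$keyring" ] || return 1
    gpgv --keyring "$keyring" "$sig" "$file" 2>/dev/null
}

# Download URL and URL.asc into DEST, with certificate verification left on,
# then verify. On any failure the partial download is removed and 1 returned.
fetch_verified() {
    url=$1; dest=$2; keyring=$3
    name=$(basename "$url")
    # --https-only refuses to follow a downgrade to http://; no
    # --no-check-certificate, so a bad or mis-issued cert aborts the fetch.
    wget -q --https-only -O "$dest/$name" "$url"
    wget -q --https-only -O "$dest/$name.asc" "$url.asc"
    if ! verify_detached_sig "$dest/$name" "$dest/$name.asc" "$keyring"; then
        rm -f "$dest/$name" "$dest/$name.asc"
        echo "signature check FAILED for $name" >&2
        return 1
    fi
    echo "verified $name" >&2
}

# Audit a build script (e.g. versions.mk) for flags that turn off TLS
# verification. Prints the offending lines; returns 1 if any were found.
audit_fetch_flags() {
    ! grep -n -e '--no-check-certificate' -e '--insecure' "$1"
}

# Example usage (assumed URL and keyring; network access required):
#   audit_fetch_flags build-scripts/versions.mk
#   fetch_verified https://example.invalid/tor-0.2.2.32.tar.gz . tor-keys.gpg
```

The audit function is the cheap, offline half: run it over the build tree in CI so a reintroduced --no-check-certificate fails the build instead of silently disabling the only protection wget provides against a compromised CA.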