[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #3861 [Tor bundles/installation]: begin signing Windows packages the Windows way



#3861: begin signing Windows packages the Windows way
--------------------------------------+-------------------------------------
 Reporter:  erinn                     |          Owner:  erinn
     Type:  enhancement               |         Status:  new  
 Priority:  normal                    |      Milestone:       
Component:  Tor bundles/installation  |        Version:       
 Keywords:                            |         Parent:       
   Points:                            |   Actualpoints:       
--------------------------------------+-------------------------------------

Comment(by ioerror):

 Replying to [comment:5 erinn]:
 > Yes, that is a very good summary of the situation. I don't think I
 decided not to bother -- it was left as a 'controversial' issue, but I
 think we should explore it more. Right now when you install one of our
 Windows packages, it comes from an 'Unknown' publisher which is much more
 trivial to spoof than one that claims to be from Tor Project, Inc. and has
 a key/cert/whatever to prove it.

 I worry that the attackers may beat us to the punch, what looks better a
 cert from "Tor Project, Inc." or a binary from "Unknown" parties?

 Bah, bad news all around.

 >
 > But to reiterate, I think we should explore this in more depth to see
 what the tradeoffs are. Because although it may be more difficult for
 someone to build a fake Windows bundle and then claim to be from us, it
 will also be much more convincing if they pull it off.

 I'm not sure that I totally understand this argument. It seems to me that
 it is likely that someone can build our software and currently impersonate
 "Unknown" - worse, we see that people simply don't even fetch package
 signatures for most projects that release them. Users are fine with this
 and don't do any checking almost all of the time, each time they install,
 I believe they are at risk.

 At least if we do Windows package signing, I believe that upgrades need to
 come from a valid cert chain - so you can't easily trick users into taking
 a backdoored package if they already had a good one. This is how android
 package signatures work. It doesn't prevent someone from making an
 identical app and marketing it but that is a separate issue, I think. I
 need to verify that it works similarly on Windows.

 In any case, I still think that it's better for another reason: the bar
 for owning a CA to impersonate The Tor Project is a lot more than simply
 typing "make" and having a package for insertion at MITM or phishing time.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3861#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs