[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] Verifying Tor packages.
On Wed, Aug 07, 2013 at 02:32:47PM +0200, Frithjof wrote:
> Neither sha1 sums, nor PGP signatures depend on the file
> name of the file to be verified. This allows some kind of replay
> attack: If I can get a user to download from my side, I could choose
> an old version of the TBB with some known vulnerabilities and rename
> the file and the PGP signature.
Yep. There's a bug report here:
https://trac.torproject.org/projects/tor/ticket/2340
I'll notice that Mike is doing it a better way for his TBB 3.x
releases:
https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
links to
https://archive.torproject.org/tor-package-archive/torbrowser/3.0a2
which has a single file
https://archive.torproject.org/tor-package-archive/torbrowser/3.0a2/sha256sums.txt
that's signed by all the people who can reproduce the builds.
Hopefully we can make that approach scale.
--Roger
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk