
Re: [tor-talk] Verifying Tor packages.



On Wed, Aug 07, 2013 at 02:32:47PM +0200, Frithjof wrote:
> Neither sha1 sums, nor PGP signatures depend on the file
> name of the file to be verified. This allows some kind of replay
> attack: If I can get a user to download from my site, I could choose
> an old version of the TBB with some known vulnerabilities and rename
> the file and the PGP signature.

Yep. There's a bug report here:
https://trac.torproject.org/projects/tor/ticket/2340

I'll notice that Mike is doing it a better way for his TBB 3.x
releases:
https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
links to
https://archive.torproject.org/tor-package-archive/torbrowser/3.0a2
which has a single file
https://archive.torproject.org/tor-package-archive/torbrowser/3.0a2/sha256sums.txt
that's signed by all the people who can reproduce the builds.

Hopefully we can make that approach scale.

--Roger

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
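
An added illustration of the point made in the message above (not code from the thread or from the Tor Project): a signed checksum manifest binds each file name to a digest, so an old release renamed to the current name fails the check. File names and contents are constructed, and the manifest's own signature is assumed to have been verified beforehand.

```python
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Parse sha256sum-style lines ('<64 hex digits>  <name>') into {name: digest}."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum puts ' ' or '*' before the name
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        int(digest, 16)  # raises ValueError if the digest is not hex
        entries[name] = digest.lower()
    return entries

def verify_download(path, manifest):
    """Check a file against the manifest entry for its own file name."""
    expected = manifest.get(os.path.basename(path))
    if expected is None:
        return "not-listed"
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == expected else "mismatch"

def demo():
    # Constructed sample data; file names and contents are hypothetical.
    old_bytes = b"constructed bytes of an old, vulnerable release"
    new_bytes = b"constructed bytes of the current release"
    # Manifest for the current release. Assumption: its signature was already
    # checked (e.g. gpg --verify on the manifest's detached signature).
    manifest = parse_manifest(
        hashlib.sha256(new_bytes).hexdigest() + "  bundle-2.0.tar.gz\n")
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cases = {
            "genuine": ("bundle-2.0.tar.gz", new_bytes),
            "old_renamed": ("bundle-2.0.tar.gz", old_bytes),
            "old_original_name": ("bundle-1.0.tar.gz", old_bytes),
        }
        for label, (name, data) in cases.items():
            path = os.path.join(d, label, name)
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_download(path, manifest)
    return results
```

With a detached per-file signature, the "old_renamed" case would still verify, because the signature covers only the file's bytes.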