
Re: [tor-talk] automatic Tor browser updates



On 02/13/2016 04:16 PM, blobby@xxxxxxxxxxxxxxx wrote:
> On 2016-02-12 06:57, Cain Ungothep wrote:
>>> On 02/08/2016 01:36 AM, Georg Koppen wrote:
>>>
>>>> Mirimir:
>>>>
>>>>> When automatically updating, does Tor browser check GPG signatures of
>>>>> downloaded updates before installing them?
>>>>
>>>> The update files are not using GPG signatures (see:
>>>> https://wiki.mozilla.org/Software_Update:MAR for detailed information
>>>> about the MAR file format). They are signed, though, and the updater
>>>> refuses to install the update if the signature is non-existing or
>>>> wrong.
>>>>
>>>> Georg
>>>
>>> Thank you.
>>>
>>> For those who wish to update manually, is it sufficient to toggle
>>> app.update.auto in about:config to false?
>>
>> Seems so.  You will still be prompted to update through the MAR system,
>> but it won't happen automatically.
> 
> Today I discovered that TBB 5.5.2 automatically downloaded. That hasn't
> happened before. Normally I am prompted and manually download the tar
> bundle with the signature file which I check with gpg --verify.
> 
> I'm confused as to why this time I received an automatic download. Any
> thoughts?

That's what triggered my question. It seems that automatic updating is
now the default. That's a good idea. Consider the Freedom Hosting
exploits. I can't say that I trust the MAR update protocol as much as
checking GPG signatures. But then, most people who even remember to
update don't bother checking GPG signatures. So it's a net improvement.
The scrupulous can disable automatic updating, and go old school.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
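
The quoted reply above says the updater refuses a MAR file whose signature is missing or wrong. As an added example (not part of the thread and not Tor Browser's updater code), this sketch reads the signature block of a MAR file, following the layout in the MAR format description linked above, and reports which signatures it carries. It does not verify them cryptographically; the sample input is constructed, and the 8-signature bound is a sanity limit assumed for this example.

```python
import struct

# Signature algorithm IDs as given in the MAR format description.
ALGORITHMS = {1: "RSA-PKCS1-SHA1", 2: "RSA-PKCS1-SHA384"}
MAX_SIGNATURES = 8  # sanity bound assumed for this example


class MarError(ValueError):
    """Raised when the header or signature block is malformed."""


def mar_signatures(data: bytes):
    """Return [(algorithm_name, signature_size), ...] from a MAR signature block."""
    if len(data) < 20 or data[:4] != b"MAR1":
        raise MarError("not a MAR file")
    # Big-endian: offset to index (4), total file size (8), signature count (4).
    _index_offset, file_size, count = struct.unpack_from(">IQI", data, 4)
    if file_size != len(data):
        raise MarError("declared size does not match file length")
    if count > MAX_SIGNATURES:
        raise MarError("implausible signature count")
    sigs, pos = [], 20
    for _ in range(count):
        if pos + 8 > len(data):
            raise MarError("signature header runs past end of file")
        algo, size = struct.unpack_from(">II", data, pos)
        pos += 8
        if size == 0 or pos + size > len(data):
            raise MarError("signature length out of bounds")
        sigs.append((ALGORITHMS.get(algo, f"unknown({algo})"), size))
        pos += size
    return sigs


def build_sample(sigs):
    """Constructed input: header plus signature block only, no real payload."""
    body = b"".join(struct.pack(">II", a, len(s)) + s for a, s in sigs)
    total = 20 + len(body)
    return b"MAR1" + struct.pack(">IQI", total, total, len(sigs)) + body


if __name__ == "__main__":
    for label, sample in (("signed", build_sample([(2, b"\x00" * 512)])),
                          ("unsigned", build_sample([]))):
        found = mar_signatures(sample)
        print(label, found if found else "no signature: an updater must refuse this")
```

An empty result corresponds to the "non-existing" case in the reply; a non-empty result only shows that a signature is present, not that it is valid.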